Friday, August 18 2017

Creating and Managing RMAN Virtual Private Catalogs

RMAN Virtual Private Catalogs

About Virtual Private Catalogs

By default, all of the users of an RMAN recovery catalog have full privileges to insert, update, and delete any metadata in the catalog. For example, if the administrators of two unrelated databases share the same recovery catalog, each administrator could, whether inadvertently or maliciously, destroy catalog data for the other’s database. In many enterprises, this situation is tolerated because the same people manage many different databases and also manage the recovery catalog.

But in other enterprises, where a clear separation of duty exists between the administrators of various databases, as well as between the DBA and the administrator of the recovery catalog, you may want to restrict each database administrator to modifying only the backup metadata for the databases they are responsible for, while still keeping the benefits of a single, centrally managed RMAN recovery catalog. This goal can be achieved by implementing virtual private catalogs.

Every Oracle 11g recovery catalog supports virtual private catalogs, but they are not used unless explicitly created. There is no restriction on the number of virtual private catalogs that can be created beneath one recovery catalog. Each virtual private catalog is owned by a database schema user that is different from the user who owns the recovery catalog. After creating one or more virtual private catalogs, using the directions that follow, the administrator for the recovery catalog grants each virtual private catalog the privilege to use that catalog for one or more databases that are currently registered in the recovery catalog. The administrator of the recovery catalog can also grant the privilege to register new databases while using a virtual private catalog. The basic steps for creating a virtual private catalog are as follows:

  1. Create the database user who will own the virtual private catalog (if this user does not already exist) and grant this user access privileges.

Creating and Granting Privileges to a Virtual Private Catalog Owner

This section assumes that you created the base recovery catalog. Assume that the following databases are registered in the base recovery catalog: prodb1, prodb2, and prodb3. The database user who owns the base recovery catalog is catowner. You want to create database user vplogin1 and grant this user access privileges only to prodb1 and prodb2. By default, a virtual private catalog owner has no access to the base recovery catalog.

To create and grant privileges to a virtual private catalog owner:

  1. Start SQL*Plus and connect to the recovery catalog database with administrator privileges.
  2. If the user that will own the virtual private catalog is not yet created, then create the user.

For example, if you want to create database user vplogin1 to own the catalog, then you could execute the following command (replacing password with a user-defined password):

SQL> CREATE USER vplogin1 IDENTIFIED BY password DEFAULT TABLESPACE vpcusers QUOTA UNLIMITED ON vpcusers;

  3. Grant the RECOVERY_CATALOG_OWNER role to the database user that will own the virtual private catalog, and then exit SQL*Plus. The following example grants the role to user vplogin1:

SQL> GRANT recovery_catalog_owner TO vplogin1;

SQL> EXIT;

  4. Start RMAN and connect to the recovery catalog database as the base recovery catalog owner (not the virtual private catalog owner). The following example connects to the base recovery catalog as catowner:

% rman

RMAN> CONNECT CATALOG catowner@catdb;

Recovery catalog database Password: password

Connected to recovery catalog database

  5. Grant desired privileges to the virtual private catalog owner. The following example gives user vplogin1 access to the metadata for prodb1 and prodb2 (but not prodb3):

RMAN> GRANT CATALOG FOR DATABASE prodb1 TO vplogin1;

RMAN> GRANT CATALOG FOR DATABASE prodb2 TO vplogin1;

You can also use a DBID rather than a database name. The virtual private catalog user does not have access to the metadata for any other databases registered in the recovery catalog. You can also grant the user the ability to register new target databases in the recovery catalog. For example:

RMAN> GRANT REGISTER DATABASE TO vplogin1;

  2. Create the virtual private catalog.

Creating a Virtual Private Catalog

This section assumes that the virtual private catalog owner has been given the RECOVERY_CATALOG_OWNER database role. Also, the base recovery catalog owner used the GRANT command to give the virtual private catalog owner access to metadata in the base recovery catalog.

To create a virtual private catalog:

  1. Start RMAN and connect to the recovery catalog database as the virtual private catalog owner (not the base recovery catalog owner). The following example connects to the recovery catalog as vplogin1:

% rman

RMAN> CONNECT CATALOG vplogin1@catdb;

  2. Create the virtual private catalog. The following command creates the virtual private catalog:

RMAN> CREATE VIRTUAL CATALOG;

  3. If you intend to use a 10.2 or earlier release of RMAN with this virtual private catalog, then execute the following PL/SQL procedure (where base_catalog_owner is the database user who owns the base recovery catalog):

SQL> EXECUTE base_catalog_owner.DBMS_RCVCAT.CREATE_VIRTUAL_CATALOG;
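A verification pass for the setup above, added here as an example and not part of the original page: it checks in the data dictionary that vplogin1 holds only what the procedure granted, then checks from inside the virtual private catalog which databases are visible. It assumes a DBA session in SQL*Plus on catdb and that the virtual private catalog schema exposes the standard RC_DATABASE view.

```sql
-- Added verification example (not from the original page).
-- Part 1: run in SQL*Plus as a DBA on the recovery catalog database.

-- Roles held by the virtual private catalog owner. The procedure grants
-- only RECOVERY_CATALOG_OWNER; anything broader (for example DBA)
-- defeats the separation of duty the virtual private catalog provides.
SELECT granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'VPLOGIN1'
ORDER  BY granted_role;

-- System privileges granted directly to the user. The steps on this
-- page grant none directly, so any row here deserves a second look.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'VPLOGIN1'
ORDER  BY privilege;

-- Tablespace quota set by CREATE USER. In DBA_TS_QUOTAS a MAX_BYTES
-- value of -1 means UNLIMITED.
SELECT tablespace_name, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'VPLOGIN1';

-- Part 2: reconnect as the virtual private catalog owner
-- (SQL*Plus prompts for the password).
CONNECT vplogin1@catdb

-- Databases whose metadata this owner can see. These should be exactly
-- the ones named in GRANT CATALOG FOR DATABASE (prodb1 and prodb2 here).
SELECT name, dbid
FROM   rc_database
ORDER  BY name;

-- Negative check for the database that was deliberately not granted.
-- Any nonzero count means vplogin1 can see metadata outside its grant.
SELECT COUNT(*) AS prodb3_rows_visible
FROM   rc_database
WHERE  name = 'PRODB3';
```

Repeating Part 2 after a REVOKE CATALOG FOR DATABASE confirms that the revoked database no longer appears.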

Revoking Privileges from a Virtual Private Catalog Owner

This section assumes that you have already created a virtual private catalog. Assume that two databases are registered in the base recovery catalog: prodb1 and prodb2. As owner of the base recovery catalog, you have granted the vplogin1 user access privileges to prodb1. You have also granted this user the right to register databases in his virtual private catalog. Now you want to revoke privileges from vplogin1.

To revoke privileges from a virtual private catalog owner:

  1. Start RMAN and connect to the recovery catalog database as the recovery catalog owner (not the virtual private catalog owner). The following example connects to the recovery catalog as catowner:

% rman

RMAN> CONNECT CATALOG catowner@catdb;

  2. Revoke specified privileges from the virtual private catalog owner. The following command revokes access to the metadata for prodb1 from virtual private catalog owner vplogin1:

REVOKE CATALOG FOR DATABASE prodb1 FROM vplogin1;

You can also revoke the privilege to register new target databases in the recovery catalog. For example:

REVOKE REGISTER DATABASE FROM vplogin1;

If the recovery catalog is a virtual private catalog, then the RMAN client connecting to it must be at patch level 10.1.0.6 or 10.2.0.3. Oracle9i RMAN clients cannot connect to a virtual private catalog. This version restriction does not affect RMAN client connections to an Oracle Database 11g base recovery catalog, even if it has some virtual private catalog users.

Dropping a Virtual Private Catalog

This section assumes that you have already created a virtual private catalog and now want to drop it. When you drop a virtual private catalog, you do not remove the base recovery catalog itself, but only drop the synonyms and views that refer to the base recovery catalog.

To drop a virtual private catalog:

  1. Start RMAN and connect to the recovery catalog database as the virtual private catalog owner (not the base recovery catalog owner). The following example connects to the recovery catalog as user vplogin1:

% rman

RMAN> CONNECT CATALOG vplogin1@catdb;

  2. Drop the catalog. If you are using an Oracle Database 11g or later RMAN executable, then drop the virtual private catalog with the DROP CATALOG command:

RMAN> DROP CATALOG;

If you are using an Oracle Database 10g or earlier RMAN executable, then you cannot use the DROP CATALOG command. Instead, connect SQL*Plus to the catalog database as the virtual private catalog user, then execute the following PL/SQL procedure (where base_catalog_owner is the database user who owns the base recovery catalog):

SQL> EXECUTE base_catalog_owner.DBMS_RCVCAT.DELETE_VIRTUAL_CATALOG;
