permission on Oracle database installation

Solution Partner Experimenter

Hello,

 

Our customer has an Oracle installation instance where all third party databases are installed. We need to install Teamcenter to that instance of Oracle.

 

In the installation manual it says we need a user (infodba) with some special permissions to install Teamcenter; one permission in particular, Select_Catalog_Role, is a problem for them. They say it will be a security risk to give this permission to one user (in our case infodba).

 

What we want to find out is:

  • Is there any workaround, without giving this permission?
  • If we install Teamcenter on another VM on another Oracle and make an export-import from there, will this cause problems in the future? Currently we are using this technique for Oracle Server migrations and restoring DB.
  • Why does Teamcenter need this special permission? (We looked to GTAC for this, but it only says this permission is required. It doesn’t say anything about its usage.)

 Thanks in advance.

 

5 REPLIES

Re: permission on Oracle database installation

Builder

Hello @edobg018

What I understand from your case:

- If you have an Oracle host and you create different instances on it, then you must not have any issue, as you define infodba to access the specific instance for Teamcenter. When a database user is created, a corresponding schema of the same name is created for the user. By default, once a user connects to a database, the user has access to all objects contained in the corresponding schema. A user is associated only with the schema of the same name; therefore, the terms user and schema are often used interchangeably.

 

- If you have an Oracle instance and you want to just define specific tablespaces to use for Teamcenter, I strongly recommend you not to do this.

 

What you do is define a specific instance for TC and assign infodba to it; then there must not be any security issue.

I hope other pro guys agree with me.

 

BR.

Re: permission on Oracle database installation

Solution Partner Experimenter

Hi @JFK1963,

 

I am also looking into this issue with @edobg018, and yes, it is the second case.

 

You are right that Teamcenter needs its own instance with full permissions, and Siemens also says the Select_Catalog_Role privilege is required if it will be installed to another DB instance. Although we've searched the documents, we cannot find anything about why Teamcenter needs this permission.

 

 

 

Regards,

Çağrı

Re: permission on Oracle database installation

Builder

@Cagri

This text is a part of Security Best Practices for Database Management in Enterprise Manager:

 

Sharing credentials with the Database Monitoring User

To share credentials with the database monitoring user:

  1. Create the database account for the database monitoring user.

  2. Grant the SELECT_CATALOG_ROLE role to the database account.

  3. Create a named credential in Enterprise Manager using the database account username and password.

  4. Grant the view credential access privilege on the named credential to the database monitoring user in Enterprise Manager.

    The database monitoring user can now use the database account to log in to the database in Enterprise Manager.

Users that do not have at least the SELECT_CATALOG_ROLE role cannot log in to the database in Enterprise Manager. If the database login user does not have at least the SELECT_CATALOG_ROLE role, the following error message is displayed:

The application requires more database privileges than you have currently been granted. Click on Help to get more version specific information.

 

Basically it is assumed that infodba must be able to check performance. 

Also read: https://arup.blogspot.com/2011/07/difference-between-select-any.html

https://hemantoracledba.blogspot.com/2014/02/the-difference-between-select-any.html

It may help.

Just my thought...

 

BR.

Re: permission on Oracle database installation

Creator

Hi edobg018,

 

I assume that you are using Data Pump for import (impdp). For a schema-level import, the default mode is to grant system privileges like Select_Catalog_Role. After the import (with a privileged user like system), your infodba will have permissions equal to your source system.

 

If you want to prevent this, you must exclude system privilege and role grants during import, e.g.:

impdp system schemas=infodba dumpfile=infodba.exp Exclude=SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE

 

Oracle 11.2 Docs:

https://docs.oracle.com/cd/E11882_01/server.112/e22490/dp_export.htm#SUTIL835

 

That command assumes that you have your infodba user pre-created with the privileges you and that customer agreed on.

 

Kind Regards

Thomas
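
A post-import check for the approach described above, as an added example that is not part of the original post: it audits what the pre-created INFODBA account actually holds once impdp has finished, including roles reached through nested role grants. It assumes the account name INFODBA (stored in upper case) and a session with access to the DBA_* dictionary views, such as SYSTEM.

```sql
-- Added example: run as a privileged user (e.g. SYSTEM) after the import.
-- Assumption: the Teamcenter schema owner is INFODBA.
-- Note: grants made to PUBLIC are not covered by these queries.

-- 1. Every role INFODBA can reach, directly or through nested roles,
--    with the chain of grants that leads to it.
SELECT LEVEL AS depth,
       granted_role,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS grant_path
FROM   dba_role_privs
START  WITH grantee = 'INFODBA'
CONNECT BY PRIOR granted_role = grantee
ORDER  BY depth, granted_role;

-- 2. Pass/fail check: SELECT_CATALOG_ROLE must not be reachable at all.
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'OK: SELECT_CATALOG_ROLE not reachable'
         ELSE 'FAIL: SELECT_CATALOG_ROLE reachable'
       END AS result
FROM  (SELECT granted_role
       FROM   dba_role_privs
       START  WITH grantee = 'INFODBA'
       CONNECT BY PRIOR granted_role = grantee)
WHERE  granted_role = 'SELECT_CATALOG_ROLE';

-- 3. System privileges held directly or inherited through those roles.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'INFODBA'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START  WITH grantee = 'INFODBA'
                   CONNECT BY PRIOR granted_role = grantee)
ORDER  BY grantee, privilege;

-- 4. Object privileges granted directly on SYS-owned objects, i.e. any
--    narrow dictionary grants given in place of the full role.
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee = 'INFODBA'
AND    owner   = 'SYS'
ORDER  BY table_name, privilege;
```

Comparing the output of queries 1, 3 and 4 against the privilege list agreed with the customer shows whether the import left the account at the intended level.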

Re: permission on Oracle database installation

Solution Partner Experimenter

Hi @Tom321 and @JFK1963,

 

The import is done successfully. But during the installation of the new Teamcenter Corporate server, it tries to ask for the version of the Oracle database. We gave select privilege to the instance, and after that it can fetch the Oracle version and complete the setup.

 

Now we can add modules to the newly created Teamcenter without problem. Of course we are not sure about future troubles (upgrade, migration of server, etc.).

 

Thanks & Regards,

Çağrı