Our customer has an Oracle installation instance where all third party databases are installed. We need to install Teamcenter to that instance of Oracle.
In the installation manual it says we need a user (infodba) with some special permissions to install Teamcenter; especially one permission, Select_Catalog_Role, is a problem for them. They say it will be a security risk to give this permission to one user (in our case infodba).
What we want to find out is;
Thanks in advance.
What I understand from your case:
- If you have an Oracle host and you create different instances on it, then you must not have any issue, as you define the infodba to access the specific instance for Teamcenter. When a database user is created, a corresponding schema of the same name is created for the user. By default, once a user connects to a database, the user has access to all objects contained in the corresponding schema. A user is associated only with the schema of the same name; therefore, the terms user and schema are often used interchangeably.
- If you have an Oracle instance and you want to just define specific tablespaces to use for Teamcenter, I strongly recommend you not to do this.
What you do is to define a specific instance for TC and assign infodba to it, then there must not be any security issue.
I hope other pro guys agree with me.
I am also looking into this issue with @edobg018 and yes, it is the second case.
You are right that Teamcenter needs its own instance with full permissions, and Siemens also says the Select_Catalog_Role privilege is required if it will be installed to another DB instance. Although we've searched the documents, we cannot find anything about why Teamcenter needs this permission.
This text is a part of Security Best Practices for Database Management in Enterprise Manager:
Sharing credentials with the Database Monitoring User
To share credentials with the database monitoring user:
1. Create the database account for the database monitoring user.
2. Grant the SELECT_CATALOG_ROLE role to the database account.
3. Create a named credential in Enterprise Manager using the database account username and password.
4. Grant the view credential access privilege on the named credential to the database monitoring user in Enterprise Manager.
The database monitoring user can now use the database account to log in to the database in Enterprise Manager.
Users that do not have at least the SELECT_CATALOG_ROLE role cannot log in to the database in Enterprise Manager. If the database login user does not have at least the SELECT_CATALOG_ROLE role, the following error message is displayed:
The application requires more database privileges than you have currently been granted. Click on Help to get more version specific information.
Basically it is assumed that infodba must be able to check performance.
It may help.
Just my thought...
I assume that you are using datapump for import (impdp). For a schema level import the default mode is to grant system privileges like Select_Catalog_Role. After the import (with a privileged user like system) your infodba will have permissions equal to your source system.
If you want to prevent this, you must exclude system privilege and role grants during import e.g.:
impdp system schemas=infodba dumpfile=infodba.exp Exclude=SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE
Oracle 11.2 Docs:
That command assumes that you have your infodba user pre-created with the privileges you and the customer agreed on.
The import was done successfully. But during the installation of the new Teamcenter Corporate server, it tries to ask the version of the Oracle database. We gave select privilege to instance and after that it can fetch the Oracle version and complete the setup.
Now we can add modules to the newly created Teamcenter without problem. Of course we are not sure about future troubles (upgrade, migration of server etc.).
Thanks & Regards,
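
A post-import check for the setup discussed in this thread, as an added example that is not part of any poster's message: run as a privileged account (for example system), these queries list what infodba actually holds after the impdp run with the Exclude filter and after any later select grants, so the result can be compared with what was agreed with the customer. They use the standard Oracle dictionary views DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS; the account name INFODBA is taken from the thread, and privileges inherited through PUBLIC are not covered.

```sql
-- 1. Roles granted directly to INFODBA.
--    SELECT_CATALOG_ROLE should not appear here if the import
--    excluded ROLE_GRANT and the account was pre-created without it.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'INFODBA'
ORDER  BY granted_role;

-- 2. Every role INFODBA reaches, directly or through another role.
--    A role granted to a role appears in DBA_ROLE_PRIVS with the
--    outer role as grantee, so the hierarchy can be walked.
SELECT DISTINCT granted_role
FROM   dba_role_privs
START  WITH grantee = 'INFODBA'
CONNECT BY PRIOR granted_role = grantee
ORDER  BY granted_role;

-- 3. System privileges granted directly to INFODBA
--    (what SYSTEM_GRANT would have carried over from the source system).
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'INFODBA'
ORDER  BY privilege;

-- 4. Object privileges on SYS-owned objects granted directly to INFODBA.
--    Individual select grants made in place of SELECT_CATALOG_ROLE
--    show up here and can be reviewed one by one.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'INFODBA'
AND    owner   = 'SYS'
ORDER  BY table_name, privilege;
```

Saving the output of these queries after installation gives a baseline to compare against after a later upgrade or migration.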