tivoli manager for oracle** - ibmpublib.boulder.ibm.com/tividd/td/oracle2/gc31-5113... ·...

Tivoli Manager for Oracle**User Management GuideVersion 2.0

Tivoli Manager for Oracle** User Management Guide (December 2000)

Copyright Notice

© Copyright IBM Corporation 2000 All rights reserved. May only be used pursuant to a TivoliSystems Software License Agreement, an IBM Software License Agreement, or Addendum forTivoli Products to IBM Customer or License Agreement. No part of this publication may bereproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computerlanguage, in any form or by any means, electronic, mechanical, magnetic, optical, chemical,manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporationgrants you limited permission to make hardcopy or other reproductions of any machine-readabledocumentation for your own use, provided that each such reproduction shall carry the IBMCorporation copyright notice. No other rights under copyright are granted without prior writtenpermission of IBM Corporation. The document is not intended for production and is furnished“as is” without warranty of any kind. All warranties on this document are hereby disclaimed,including the warranties of merchantability and fitness for a particular purpose.

U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSAADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli,RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Ready, and TME are trademarks or registeredtrademarks of International Business Machines Corporation or Tivoli Systems Inc. in the UnitedStates, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of MicrosoftCorporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Oracle is a registered trademark of Oracle Corporation.

Other company, product, and service names may be trademarks or service marks of others.Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do notimply that they will be available in all countries in which Tivoli Systems or IBM operates. Anyreference to these products, programs, or services is not intended to imply that only TivoliSystems or IBM products, programs, or services can be used. Subject to valid intellectualproperty or other legally protectable right of Tivoli Systems or IBM, any functionally equivalentproduct, program, or service can be used instead of the referenced product, program, or service.The evaluation and verification of operation in conjunction with other products, except thoseexpressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systemsor IBM may have patents or pending patent applications covering subject matter in thisdocument. The furnishing of this document does not give you any license to these patents. Youcan send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, NorthCastle Drive, Armonk, New York 10504-1785, U.S.A.

Contents

Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiWho Should Read This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Prerequisite and Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

What This Document Contains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Conventions Used in this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Using the Desktop or CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Contacting Customer Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

Chapter 1. Overview of User Management . . . . . . . . . . . . . . . 1Policy-based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Management-by-subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

About the Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

About the Validation Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Profile Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2. Setting up Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Setting Up Managed Resource Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Adding or Removing a Resource Type Using the Desktop . . . . . . . . . . . 6

Adding or Removing a Resource Type Using the Command Line. . . . . . 8

Creating Profile Managers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Creating a Profile Manager Using the Desktop. . . . . . . . . . . . . . . . . . . . 9

Creating a Profile Manager Using the Command Line . . . . . . . . . . . . . 10

Creating Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Creating a Profile Using the Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Creating a Profile Using the Command Line . . . . . . . . . . . . . . . . . . . . 13

Adding Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Adding a Subscriber Using the Desktop. . . . . . . . . . . . . . . . . . . . . . . . 14

iiiTivoli Manager for Oracle** User Management Guide

Chapter 3. Setting Up Profile Policies. . . . . . . . . . . . . . . . . . . 17Defining the Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Defining the Attribute Defaults Using the Desktop . . . . . . . . . . . . . . . . 18

Selecting the Default Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Defining the Attribute Defaults Using the Command Line . . . . . . . . . . 25

Defining the Validation Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Defining the Attribute Validations Using the Desktop . . . . . . . . . . . . . . 26

Selecting the Default Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Defining the Attribute Validations Using the Command Line . . . . . . . . 32

Validating Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Validating a Profile Using the Desktop. . . . . . . . . . . . . . . . . . . . . . . . . 33

Validating a Profile Using the Command Line . . . . . . . . . . . . . . . . . . . 33

Chapter 4. Managing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Relabeling Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Populating Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Populating a User, Role, or Resource Profile Using the Desktop. . . . . . 36

Protecting Predefined Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Populating a User, Role, or Resource Profile Using the Command Line 39

Listing User, Role, or Resource Information. . . . . . . . . . . . . . . . . . . . . . . . . 39

Locking and Unlocking Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Distributing Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Distributing a Specific Profile Using the Desktop. . . . . . . . . . . . . . . . . 42

Distributing All Profiles Using the Desktop . . . . . . . . . . . . . . . . . . . . . 43

Distributing Profiles Using Shortcuts from the Desktop . . . . . . . . . . . . 44

Distributing Profiles Using the Command Line . . . . . . . . . . . . . . . . . . 45

Getting a New Copy of a Profile Using the Desktop . . . . . . . . . . . . . . 45

Setting Distribution Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Scheduling a Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

iv Version 2.0

Setting the Retry, Cancel, and Restrictions Options . . . . . . . . . . . . . . . 49

Deleting Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Deleting a Profile Using the Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Deleting a Profile Using the Command Line . . . . . . . . . . . . . . . . . . . . 51

Chapter 5. Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Adding User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Adding a User Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . . 54

Adding a User Record Using the Command Line. . . . . . . . . . . . . . . . . 57

Setting Other User Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Setting the Default and Temporary Tablespace . . . . . . . . . . . . . . . . . . . 58

Setting and Clearing Default Values. . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Granting Roles to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Granting System Privileges to Users . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Setting Tablespace Quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Setting Object Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Viewing Granted Object Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Editing User Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Editing a User Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . . 72

Editing a User Record Using the Command Line . . . . . . . . . . . . . . . . . 73

Editing Multiple User Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Editing Multiple User Records Using the Desktop . . . . . . . . . . . . . . . . 74

Editing Multiple User Records Using the Command Line. . . . . . . . . . . 80

Copying User Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Copying a User Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . 80

Copying a User Record Using the Command Line . . . . . . . . . . . . . . . . 82

Moving User Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Moving a User Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . . 82

Moving a User Record Using the Command Line . . . . . . . . . . . . . . . . 84

vTivoli Manager for Oracle** User Management Guide

Deleting User Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Deleting a User Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . 84

Deleting a User Record Using the Command Line . . . . . . . . . . . . . . . . 85

Setting the Tablespace List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Chapter 6. Managing Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Adding Role Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Adding a Role Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . . 88

Adding a Role Record Using the Command Line. . . . . . . . . . . . . . . . . 92

Setting Other Role Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Setting and Clearing Default Values. . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Granting Roles to Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Granting System Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Editing Role Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Editing a Role Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . . 98

Editing a Role Record Using the Command Line . . . . . . . . . . . . . . . . . 98

Copying Role Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Copying a Role Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . 99

Copying a Role Record Using the Command Line . . . . . . . . . . . . . . . 100

Moving Role Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Moving a Role Record Using the Desktop . . . . . . . . . . . . . . . . . . . . . 101

Moving a Role Record Using the Command Line . . . . . . . . . . . . . . . 102

Deleting Role Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Deleting a Role Record Using the Desktop . . . . . . . . . . . . . . . . . . . . 102

Deleting a Role Record Using the Command Line . . . . . . . . . . . . . . . 103

Searching and Sorting the Role Database . . . . . . . . . . . . . . . . . . . . . . 103

Chapter 7. Managing Resources . . . . . . . . . . . . . . . . . . . . . . . 109Adding Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

vi Version 2.0

Adding a Resource Record Using the Desktop . . . . . . . . . . . . . . . . . . 110

Setting and Clearing Default Values . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Adding a Resource Record Using the Command Line . . . . . . . . . . . . 115

Editing Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Editing a Resource Record Using the Desktop . . . . . . . . . . . . . . . . . . 116

Editing a Resource Record Using the Command Line. . . . . . . . . . . . . 117

Editing Multiple Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Editing Multiple Resource Records Using the Desktop . . . . . . . . . . . . 118

Editing Multiple Resource Records Using the Command Line . . . . . . 126

Copying Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Copying a Resource Record Using the Desktop . . . . . . . . . . . . . . . . . 126

Copying a Resource Record Using the Command Line. . . . . . . . . . . . 128

Moving Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Moving a Resource Record Using the Desktop. . . . . . . . . . . . . . . . . . 128

Moving a Resource Record Using the Command Line . . . . . . . . . . . . 130

Deleting Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Deleting a Resource Record Using the Desktop . . . . . . . . . . . . . . . . . 130

Deleting a Resource Using the Command Line . . . . . . . . . . . . . . . . . 131

Appendix A. Running Command Line Programs. . . . . . 133Running Tivoli Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Running Tivoli Commands on UNIX . . . . . . . . . . . . . . . . . . . . . . . . . 134

Running Tivoli Commands on Windows NT . . . . . . . . . . . . . . . . . . . 134

Where to Find Additional Information about Shells . . . . . . . . . . . . . . 135

Establishing the Tivoli Environment within a Shell. . . . . . . . . . . . . . . 135

Tivoli Command Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

List of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

wocpresource. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

wocprole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

viiTivoli Manager for Oracle** User Management Guide

wocpuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

wocrtresource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

wocrtrole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

wocrtuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

wocryptpw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

wodelresource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

wodelrole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

wodeluser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

wogetresource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

wogetrole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

wogetuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

wolsresources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

wolsroles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

wolsusers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

womvresource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

womvrole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

womvuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

wopopresources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

wopoproles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

wopopusers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

wosetresource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

wosetresources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

wosetrole. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

wosetroles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

wosetuser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

wosetusers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

viii Version 2.0

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

ixTivoli Manager for Oracle** User Management Guide

x Version 2.0

Preface

This document describes how to use the Tivoli Manager for OracleUser Management application to manage Oracle user, role, andresource profiles (called, respectively, OracleUserManagerProfile,OracleRoleManagerProfile, and OracleResourceManagerProfileprofiles) for any number of Oracle databases.

Note: Refer to the Tivoli Manager for Oracle User’s Guide forinstallation instructions.

Who Should Read This DocumentThis document is intended for system administrators and databaseadminstrators. It describes the concepts you should know toeffectively use Tivoli Manager for Oracle User Management.Readers of this document should have some knowledge of thefollowing:

¶ Windows NT® or UNIX® operating systems

¶ Tivoli Enterprise Console® software

¶ Oracle® database administration

Prerequisite and Related DocumentsThe Tivoli Manager for Oracle User’s Guide contains informationabout database and instance management using Tivoli Manager forOracle and how it is integrated into Tivoli Enterprise software. Thisdocument is also required for installing the Tivoli Manager forOracle User Management application.

The Tivoli Manager for Oracle Reference Guide containsinformation about using distributed monitoring to manage Oracledatabases.

The Tivoli Management Framework Planning and Installation Guideprovides information on Tivoli Management Region (TMR) serverand client hardware requirements.

xiTivoli Manager for Oracle** User Management Guide

The Tivoli Management Framework Reference Manual describescommand line interface (CLI) commands and the default andvalidation policies for Tivoli Management Framework components.

The Tivoli Management Framework Reference Manual describescommand line interface (CLI) commands and the default andvalidation policies for Tivoli Management Framework components.

For more information about Oracle, refer to the productdocumentation produced and distributed by the Oracle Corporation.

What This Document ContainsThis document contains the following sections:

¶ “Overview of User Management” on page 1

Describes Tivoli concepts relevant to the Tivoli Manager forOracle User Management application, which includespolicy-based management and management-by-subscription.

¶ “Setting up Profiles” on page 5

Describes how to create profile managers, profiles andsubscribers.

¶ “Setting Up Profile Policies” on page 17

Describes how to set up default and validation policies in aprofile.

¶ “Managing Profiles” on page 35

Describes how to populate, distribute, and delete profiles, andcopy, move, and lock profile records.

¶ “Managing Users” on page 53

Describes how to add, edit, and drop users in a profile.

¶ “Managing Roles” on page 87

Describes how to add, edit, and drop roles in a profile.

¶ “Managing Resources” on page 109

Describes how to add, edit, and drop resource profiles in aprofile.

xii Version 2.0

¶ “Running Command Line Programs” on page 133

Tivoli Manager for Oracle User Management contains programsthat can be run from the command line. This appendix describeshow to operate those programs.

Conventions Used in this DocumentThis document uses several conventions for special terms andactions. These conventions have the following meanings:

User When used alone, the word user refers to theOracleUserManagerProfile managed resource type.

Role When used alone, the word role refers to theOracleRoleManagerProfile managed resource type.

Resource When used alone, the word resource refers to theOracleResourceManagerProfile managed resourcetype.

Bold Commands and other information that you mustclick, type, select, or press appear in bold.

Italics Variables and new terms appear in italics. Words andphrases that are emphasized also appear in italics.

Monospace Code examples, output, and system messages appearin a monospaced font.

Using the Desktop or CLIThis manual provides procedures for executing Tivoli commandsfrom either the Tivoli desktop or the command line interface. TheTivoli desktop is a graphical user interface that uses visual inputprompting, drop-down lists, and option buttons for setting andexecuting commands.

To open the Tivoli Desktop, double-click the Tivoli icon from theTivoli program group, or select Programs → Tivoli → Tivoli from theWindows Start menu. Log in to Tivoli.

xiiiTivoli Manager for Oracle** User Management Guide

To run Tivoli commands from the command line interface, refer to“Running Command Line Programs” on page 133.

Contacting Customer SupportIf you encounter difficulties with any Tivoli products, you can enterhttp://www.support.tivoli.com to view the Tivoli Support homepage. After you link to and submit the customer registration form,you will be able to access many customer support services on theWeb.

Use the following phone numbers to contact customer support in theUnited States: the Tivoli number is 1-800-848-6548(1-800-TIVOLI8), and the IBM number is 1-800-237-5511 (press orsay 8 after you reach this number). Both of these numbers directyour call to the Tivoli Customer Support Call Center.

We are very interested in hearing from you about your experiencewith Tivoli products and documentation. We welcome yoursuggestions for improvements. If you have comments or suggestionsabout this documentation, please send e-mail to [email protected].

xiv Version 2.0

Overview of User Management

Tivoli Manager for Oracle User Management enables anadministrator to manage user, role, and resource definitions acrossmultiple databases.

A user, as defined in the Tivoli Manager for Oracle UserManagement environment, is anyone defined in a Tivoli DatabaseUser Profile or Oracle database. Users can be assigned roles, whichdefine the Oracle database privileges, and resources, which definethe limitations and restrictions that apply to a user’s Oracle session,such as the number of concurrent sessions the user can establish, theamount of CPU processing time that can be assigned to one session,and how long a session can be idle before it is disconnected, as wellas password restrictions.

The key concepts that are described in this chapter include thefollowing:

¶ Policy-based management

¶ Management-by-subscription

Note: The information in this document pertains only to usermanagement. For details on registering and managing Oracledatabases, refer to the Tivoli Manager for Oracle User’sGuide.

1

1Tivoli Manager for Oracle** User Management Guide

1.O

verviewo

fU

serM

anag

emen

t

Policy-based ManagementPolicy-based management refers to the grouping of resources(people, and equipment) based on the policies (rules) that determinehow they will interact with each other. Policy-based usermanagement is used to group Oracle database resources into entitiescalled policy regions. Policy regions are hierarchically structuredgroupings that conform to the structures of an organization. Forexample a department, job function, or geographic region can begrouped into a policy region.

A policy region is represented on the Tivoli desktop by an icon thatresembles a capitol building (dome icon). When a TivoliManagement Region (TMR) is created, a policy region with thesame name is also created. A TMR addresses the physicalconnectivity of resources, whereas a policy region addresses thelogical organization of resources

Tivoli Manager for Oracle User Management ships with a built-in“Best Practices” policy for each managed resource. These policiesprovide preconfigured settings that were defined by Oracle expertsfor monitoring database servers. Refer to the Tivoli Manager forOracle User’s Guide for more information.

Management-by-subscriptionTivoli incorporates management-by-subscription to enable you tocapture, define, and distribute Oracle configuration information in aseries of logically organized profiles. A profile contains data thatdescribes the significant characteristics and policies of users, roles,and resources. For example, you can group and define all of youradministration personnel into one Oracle user profile called Admin.Within this user profile, you might have hundreds of users (userrecords). As you add, delete, or update these records, you can thendistribute this information to all Oracle databases that subscribe tothe profile, thus the term management-by-subscription. Ultimately,these distributions define the data in the profile at the databases.

2 Version 2.0

Tivoli incorporates both default and validation policies that ensurethat any changes made to Oracle users, roles, and resources conformto your current policy constraints.

About the Default PolicyYou can set default and validation policies for each profile. A defaultpolicy enables you to set initial values for each attribute in a profilethat will be applied automatically when new records are created in aprofile. For example, you can set a default value for the user’stemporary tablespace attribute, and when a new user is created, thisattribute will already be set to the value that you defined as thedefault.

About the Validation PolicyA validation policy verifies that a profile record complies with thepolicies you set and prevents records with invalid values from beingcreated. The validation policy will run when you populate a profile,add a new profile record, or explicitly request validation. You canenable or disable a validation policy within a profile.

When setting validation policies for attributes, you can define themas either Script or Constant values. If the policy is set to Script, theuser can only define the value as a shell script (also called the scriptbody). If the policy is set to Constant, the only allowable valuesdepend on the attribute and are set as string representations of theinterface definition language (IDL) structure. IDL is a declarativelanguage in the Common Object Request Broker Architecture, whichdefines the object interfaces.

Profile DistributionThe profiles that you create are managed by profile managers.Profile managers are used to distribute or define profile records tothe subscribing Oracle databases.

When you create new profile records, you must distribute them sothat they will be added to your Oracle database. It is important todistinguish between the records in the Tivoli Manager for OracleUser Management profile and the records in an Oracle database. The


1.O

verviewo

fU

serM

anag

emen

t

changes you make to the profile managers will not be reflected inthe Oracle database until they have been distributed

4 Version 2.0

Setting up Profiles

This chapter describes how to set up and manage the profiles(groupings of user, role, and resource records) for each policy regionthat you define.

Because the concepts described in this chapter apply equally to user,role, and resource profiles, only the user profile will be used in theexamples. This chapter describes the following tasks:

¶ Setting up managed resource types

¶ Creating profiles

¶ Adding subscribers

¶ Removing subscribers

Setting Up Managed Resource TypesEach policy region contains a list of managed resource types that canbe defined. Managed resource types refer to the type of resourceavailable in a policy region. You can define the following managedresource types:

¶ OracleUserManagerProfile creates Oracle database users(people who use Oracle) that are distributed to theOracleDatabaseManager endpoint.

¶ OracleRoleManagerProfile creates Oracle roles (Oracledatabase tasks) that are distributed to theOracleDatabaseManager endpoint.

2


2.S

etting

up

Pro

files

¶ OracleResourceManagerProfile creates Oracle resources(hardware and processes) that are distributed to theOracleDatabaseManager endpoint.

You can add or remove managed resource types at any time. Tocreate and manage each type of Tivoli Manager for Oracle UserManagement profile within a policy region, you must set the relevantmanaged resource type as a current resource in the region. Tivolimanaged resource types are independent of each other, so they canexist together or in separate policy regions.

When you add a managed resource type to a policy region, Tivoliassigns the managed resource type the basic default policy of thatpolicy region, but you can create new instances of the managedresource in the policy region.

The context and authorization role required to add or remove amanaged resource type for a policy region is senior. You canperform this task from either the Tivoli desktop or the commandline.

Adding or Removing a Resource Type Using theDesktop

You can add managed resource types to a policy region by using theTivoli Desktop.

To add or remove a resource type, complete the following steps:

6 Version 2.0

1. Double-click the policy region icon to open the Policy Regionwindow.

2. Select Properties → Managed Resources to open the SetManaged Resources dialog box. The Current Resources listdisplays current managed resource types for the policy region.The Available Resources list displays the managed resourcetypes that you can add to the policy region.

3. From the Available Resources list, select either theOracleResourceManagerProfile, OracleRoleManagerProfile,or OracleUserManagerProfile. To select multiple resource


2.S

etting

up

Pro

files

types, click a resource type then press and hold the Shift keywhile selecting other types (press the Ctrl key to selectnon-contiguous entries).

4. To add the selected managed resource types, click the left arrowbutton to move them to the Current Resources list. You canachieve the same result by double-clicking on an entry.

—OR—

To remove a managed resource type from the policy region,select one or more managed resource types from the CurrentResources list, and click the right arrow button. The selectedtypes are moved to the Available Resources list.

5. Click the Set button to save the resource. You may add otherresources.

—OR—

Click the Set & Close button to save the resource and close thedialog box.

After adding the types to the policy region, you must create a ProfileManager before creating the specific resource records. Refer to“Creating Profile Managers” on page 8 for details.

Adding or Removing a Resource Type Using theCommand Line

Use the wsetpr command to add or remove the managed resourcetypes of a policy region. Refer to the Tivoli Management FrameworkReference Manual.

Creating Profile ManagersA profile manager controls the relationship between a profile and thesubscribing databases. Profile managers enable you to group recordsinto profiles so that they can be distributed to subscribers across anetwork or across a specified portion of a network.

After you create a profile manager, you can create the followingTivoli Manager for Oracle User Management profile types:OracleUserManagerProfile, OracleRoleManagerProfile, or

8 Version 2.0

OracleResourceManagerProfile. Tivoli administrators can then usethe profile managers to organize and distribute the profiles toOracleDatabaseManager subscribers.

The context and authorization role required for creating a profilemanager is senior. You can perform this task from either the Tivolidesktop or the command line.

Creating a Profile Manager Using the DesktopYou must open the Policy Region window to create a new profilemanager. These instructions assume that the Policy Region windowis open.

To create a profile manager, complete the following steps:

1. Select Create → ProfileManager to display the Create ProfileManager dialog box.

2. Type a name for the new Profile Manager in the Name/IconLabel text box.

The name of a Tivoli resource such as a profile manager caninclude any alphanumeric character, an underscore (_), a dash (-),or a period (.).

3. Select the Dataless Endpoint Mode option if the profilemanager will also contain Tivoli Management Agent endpoints.Deselect the Dataless Endpoint Mode option if the profilemanager will not also contain Tivoli Management Agent


2.S

etting

up

Pro

files

endpoints. Also deselect the Dataless Endpoint Mode option ifthe profile manager will contain other profile managers.

Note: Tivoli Manager for Oracle 2.0 profile endpoints(OracleDatabaseManager and OracleInstanceManager)may be subscribed to either database or dataless profilemanager.

4. Click the Create button to create the profile manager. You cancreate additional profile managers by repeating steps 2 and 3.

—OR—

Click the Create & Close button to create the profile managerand close the Create Profile Manager window.

Tivoli displays the new profile manager in the Policy Regionwindow. Now you can create the profiles where you will groupyour records.

Creating a Profile Manager Using the Command LineUse the wcrtprfmgr command to create a profile manager. Refer tothe Tivoli Management Framework Reference Manual for moreinformation.

10 Version 2.0

Creating ProfilesAt this time you should have already defined a policy region and aprofile manager. You can create multiple groupings of users, roles,and resources. The user profile should contain all records for personsin your Oracle databases. The role profile should contain all recordsfor the tasks that can be completed in your Oracle databases. Andthe resource profile should contain the hardware and processes inyour Oracle databases. There is no limit to the number of profilesthat can be created in each profile manager.

The context and authorization role required for creating profiles issenior. You can perform this task from either the Tivoli desktop orthe command line.

Creating a Profile Using the DesktopYou should have already created a policy region and profile managerwhere the profiles will reside.

To create a profile, complete the following steps:

1. Double-click the profile manager icon to open the ProfileManager window.

—OR—

Right-click the profile manager icon, and click Open. TheProfile Manager window is displayed.


2.S

etting

up

Pro

files

2. From the Profile Manager window, select Create → Profile todisplay the Create Profile dialog box.

3. From the Type list, click OracleResourceManagerProfile,OracleRoleManagerProfile, or OracleUserManagerProfile tocreate the profile. The managed resource type that you previouslyadded to your policy region determine the types of profilesavailable in the Type list. You should have defined these earlieras described in “Adding or Removing a Resource Type Using theDesktop” on page 6.

4. Type a name for the profile in the Name/Icon Label text box.Within a profile manager, each Oracle profile must have a uniquename. For example, you can create a profile called South_Texasfor your sales agents in southern Texas, but you cannot create asecond profile called South_Texas. You can group your profilesto logically represent your organization.

5. Click the Create button to create the profile. You can createmore profiles by repeating steps 3 and 4.

—OR—

Click Create & Close to create the profile and close the CreateProfile window

12 Version 2.0

A new icon representing the profile is displayed in the ProfileManager window. A distinct icon represents each profile type;the name of the profile is below the icon.

The following icons represent the user, role, and resource profiletypes:

OracleUserManagerProfile Icon

OracleRoleManagerProfile Icon

OracleResourceManagerProfile Icon

Creating a Profile Using the Command LineUse the wcrtprf command to create profiles in a profile manager.Refer to the Tivoli Management Framework Reference Manual formore information.

Adding SubscribersA subscriber is a profile endpoint, such as a OracleDatabaseManageror OracleInstanceManager resource, or a profile manager thatreceives profile records from a profile manager.

When you add an OracleDatabaseManager or OracleInstanceManagersubscriber to a profile manager, the subscriber will be the recipientof profile information defined in the profile manager. To define theOracle user, role or resource profile information to the TivoliManager for Oracle profile endpoints, you must distribute the profileto the profile manager subscriber.

For Tivoli Manager for Oracle User Management, only profilemanagers and OracleDatabaseManager and OracleManagerAsync


2.S

etting

up

Pro

files

resources may be subscribers to the OracleUserManagerProfile,OracleRoleManagerProfile and OracleResourceManagerProfileprofile distributions.

The context and authorization role required for adding subscribers isadmin. You can perform this task from either the Tivoli desktop orthe command line.

Adding a Subscriber Using the DesktopTo add a subscriber to a profile manager, complete the followingsteps:

1. From the Policy Region window, right-click the profile managericon, and click the Subscribers button to open the ProfileManager window.

—OR—

Double-click the profile manager icon from the Policy Regionwindow to open the Profile Manager window.

2. Select Profile Manager → Subscribers. The Subscribers dialogbox is displayed.

3. Select one or more subscribers from the Available to becomeSubscribers list.

14 Version 2.0

Note: You may need to use the Browse button to find asubscriber.

This dialog box contains a list of all profile managers and Oracledatabases that can subscribe to the current profile manager.

4. Once you have selected the subscribers, click the left arrowbutton to move your selections from the Available list to theCurrent Subscribers list.

5. To add the subscriber, click the Set Subscriptions buttons. Youmay add other subscribers by repeating steps 3 and 4.

—OR—

Click the Set Subscriptions & Close button to add thesubscribers to the profile manager and close the Subscribersdialog box. Notice that the new subscription is displayed in the


2.S

etting

up

Pro

files

Profile Manager window.

16 Version 2.0

Setting Up Profile Policies

This chapter describes how to set up the profile policies that governyour user, role, and resource profiles (called, respectively,OracleUserManagerProfile, OracleRoleManagerProfile, andOracleResourceManagerProfile). A policy is made up of all therules that control the profile. These rules are defined attributes thatcontain a specific value. This value can either be a default(automatically preset) or a validation (verifies entry complies) value.

This chapter describes how to set up the policies or rules that governyour resources. It contains the following topics:

¶ Defining the default policy

¶ Defining the validation policy

¶ Validating profiles

Note: Although these instructions can be applied to each type ofprofile, only the OracleUserManagerProfile profile policy isused in the step examples.

Defining the Default PolicyAdministrators may need to set a default policy to define an initialset of values that are automatically set for attributes of a profilerecord. Default values ensure that all new records created willcontain the appropriate value as defined by the administrator. It isimportant to note that the default policy only affects the profilerecords; it does not affect the Oracle database system catalogs.

3


3.S

etting

Up

Pro

fileP

olicies

To set the default policy for all profile records, you must define thepolicy for each type of profile (OracleUserManagerProfile,OracleRoleManagerProfile, or OracleResourceManagerProfile).

The administrator can also lock the default policy for an attribute toprevent subscribers from changing the value in their local copies ofthe distributed profiles.

The context and authorization role required for setting or editing thedefault policy is senior. You can perform this task from either theTivoli desktop or the command line.

Defining the Attribute Defaults Using the DesktopThe following steps describe how to define the attributes that areassigned default policies. The profile policy is applied to each profilewithin a profile manager. If you do not have a profile manager orprofile set up, refer to “Setting up Profiles” on page 5 for moreinformation.

To define the attribute defaults, complete the following steps:

1. From the Policy Region window, double-click the profilemanager icon to display the profile manager window.

2. Double-click the profile icon to display the corresponding profilewindow.

—OR—

18 Version 2.0

Right-click the profile icon and choose Edit Properties todisplay the corresponding profile window.

3. From the profile window, select Edit → Default Policies todisplay the Edit Default Policies dialog box.


3.S

etting

Up

Pro

fileP

olicies

The Attributes list displays all available attributes for theselected profile; however, you do not have to define a defaultpolicy for each attribute. If you do not, the Tivoli default ofNone, or no default, will be applied to each new record that iscreated.

20 Version 2.0

4. From the Attributes list, select the attribute for which you willset a default policy.

5. Select the No option in the Subscriber’s can edit area toprevent subscribers from changing the attribute or select the Yesoption to allow them to change the attribute.

6. Select the Default Type as described in the next section.

Selecting the Default TypeThe default type option allows you to select the type of value thatwill be accepted for that attribute when an entry is created. If a userattempts to define a value not defined as valid, the attribute valuewill not be accepted. The options that can be selected are None,Constant, or Script.

The None type means that no default policy will be applied to thatattribute and anything will be accepted as a valid value. TheConstant type means that the only acceptable value for that attributeshould equal the string value that you define as the default. TheScript type means that only a shell script (also called the scriptbody) value will be accepted for that attribute.

To set the default type for an attribute complete the following steps:


3.S

etting

Up

Pro

fileP

olicies

1. Click the Default Type box and select None, Constant, orScript.

2. If you selected Constant, go to Step 3.

—OR—

If you selected Script, go to Step 4.

3. Type a string value in the Value text box. The Constant valuesthat are allowable for each attribute are listed in the followingtable:

Valid Constant Formats for OracleUserManagerProfile, OracleRoleManagerProfile,and OracleResourceManagerProfile Profiles

Profile Type Attribute Syntax Example

OracleUser-ManagerProfile

DefaultTablespace

Tablespace Name USERS


TemporaryTablespace

Tablespace Name TEMP


OracleResource-ManagerProfileProfile

Name LIMITCPU

22 Version 2.0

Valid Constant Formats for OracleUserManagerProfile, OracleRoleManagerProfile,and OracleResourceManagerProfile Profiles

Profile Type Attribute Syntax Example

OracleUser-ManagerProfile orOracleRole-ManagerProfile

Roles {Count_of[{privilege_nameis_grantableis_default_role}] ...}

{2 {"CONNECT" FALSETRUE} {"RESOURCE"FALSE TRUE}}

OracleUser-ManagerProfile orOracleRole-ManagerProfile

System Privileges {Count_of[{privilege_nameis_grantable}] ...}

{2 {"SELECT ANYTABLE" TRUE}{"CREATE TABLE"FALSE}}


Object Privileges {Count_of [{granteeprivilege_name{column_count[column] ... }schema_name objectis_grantable}] ... }

{1 {"ACCOUNTS""UPDATE" {2 "SAL""COMM"} "SCOTT""EMP" FALSE}}


Quotas {Count_of[{tablespace_nameis_limited limit_value}]... }

{2 {"USERS" TRUE512000} {"TEMP"FALSE 0}}

OracleResource-ManagerProfile

Name OracleResource-ManagerProfile profilename

LIMIT_CPU

OracleResource-ManagerProfile

CompositeLimit-SessionsPerUser

CPUPerCallLogicalReads-PerCall

IdleTime

CPUPerSessionLogicalReads-PerSession

ConnectTime

PrivateSGA

{limit_type limit_value} {LIMITED 3000}{UNLIMITED 0}


3.S

etting

Up

Pro

fileP

olicies

4. The Edit Script Arguments and Edit Script Body buttons aredisplayed. To select script arguments, click the Edit ScriptArguments button and go to Step 5.

—OR—

To write a script for defining the arguments, select the scriptarguments as described in Step 5 then go to Step 6.

5. To select the script arguments, click the Edit Script Argumentsbutton to display the Policy Script Arguments dialog box.

a. From the Attributes list, select the attribute for which youwill create an argument.

b. Click the right arrow button to add it to the ScriptArguments list. These are the attributes that are validdefaults

6. Click the Edit Script Body button to display the Edit PolicyScript dialog box.

a. In the text window, type the policy script for the selectedattributes.

24 Version 2.0

b. Click the Set & Close button to save the script and close thedialog box.

7. To save all attribute values that you have defined, click the Setbutton or click the Reset button to enter new values.

Note: You cannot reset values after clicking the Set button. Youmust manually enter a new value to reset it.

8. Click the Close button to close the Edit Default Policieswindow.

After the policy is created, you must distribute the profile to thesubscribers for the policy to take effect each subscriber’s local copyof the profile. See “Distributing Profiles” on page 41 for moreinformation. The default policy only affects the profile records; itdoes not affect the Oracle database’s system catalogs.

Defining the Attribute Defaults Using the CommandLine

Use the wlspolm, wsetpolm, and wputpolm commands to examineand set default policy. Refer to the Tivoli Management FrameworkReference Manual for more information.


3.S

etting

Up

Pro

fileP

olicies

Defining the Validation PolicyIf validation policy is enabled, Tivoli will execute validation whenyou populate a profile, add a new entry, or explicitly requestvalidation. Tivoli uses the validation policy to verify that a profileentry complies with set policy and prevents an entry that does notmeet validation policy from being created. The user creating theinvalid record will receive an error message explaining whyvalidation failed, and the record will not be created.

The validation you set for each attribute can be locked to preventsubscribers from changing it on their local copies.

The context and authorization role required for setting or editing thevalidation policy is senior. You can perform this task from either theTivoli desktop or the command line.

Defining the Attribute Validations Using the DesktopThe policy will be applied to the profile (OracleUserManagerProfile,OracleRoleManagerProfile, or OracleResourceManagerProfile). Ifyou do not have a profile manager or profile set up, refer to “Settingup Profiles” on page 5 for more information

To define the attribute validations, complete the following steps:

1. From the Policy Region window, double-click the profilemanager where you will define the policy.

2. Double-click the profile icon to display the corresponding profilewindow.

—OR—

Right-click the profile icon, and choose Edit Properties to displaythe profile window.

26 Version 2.0

3. From the profile window, select Edit → Validation Policies todisplay the Edit Validation Policies dialog box.

4. To turn off validation for all attributes in this profile, select theDisabled option next to Validation Policy. To set a validationpolicy for one or more attributes, select Enabled.

5. To set a validation policy, select an attribute from the Attributeslist. The Attributes list displays all available attributes for theselected profile; however, you do not have to define a validationpolicy for each attribute. If you do not, the Tivoli default ofNone, or no validation, will be applied to each new record that is


3.S

etting

Up

Pro

fileP

olicies

created.

6. To prevent subscribers from changing the validation, select theNo option. To allow them to modify it, select the Yes option.

7. Select the Default Type as described below.

Selecting the Default TypeThe default type option allows you to select the type of validationthat will be applied to an attribute when an entry is created. Theoptions that can be selected are None, Constant, Script, or RegularExpression.

The None type means that no default policy will be applied to thatattribute and anything will be accepted as a valid value. TheConstant type means that the only acceptable value for that attributeshould equal the string value entered as the default. The Script typemeans that only a shell script (also called the script body) value willbe accepted for that attribute. The Regular Expression type meansthat only acceptable value for that attribute should equal the shell orPerl expression entered as the default.

To select the default type, complete the following steps:

28 Version 2.0

1. Click the Default Type box, and select either None, Constant,Script, or Regular Expression.

2. If you selected Constant, go to Step 3.

—OR—

If you selected Script, go to Step 4.

—OR—

If you selected Regular Expression, go to Step 7.

3. Type a string value in the Value text box. The Constant valuesthat are allowable for each attribute are listed in step 3.

4. The Edit Script Arguments and Edit Script Body buttons aredisplayed. To select script arguments, click the Edit ScriptArguments button and go to Step 5.

—OR—

To write a script for defining the arguments, select the scriptarguments as described in Step 5 then go to Step 6.

5. To select the script arguments, click the Edit Script Argumentsbutton to display the Policy Script Arguments dialog box.


3.S

etting

Up

Pro

fileP

olicies

a. From the Attributes list, select the attribute for which youwill set a validation policy.

b. Click the right arrow button to add it to the ScriptArguments list. These are the attributes that can be used inscript arguments. If you will be manually entering bodyscript, you must select the arguments here or they will not berecognized in the body script.

6. To manually enter policy script, click the Edit Script Bodybutton to display the Edit Policy Script dialog box.

30 Version 2.0

a. In the text window, type the policy script for the selectedattribute(s).

b. Click the Set & Close button to save the script and close thedialog box.

7. Type a shell or Perl expression in the Value text box.


3.S

etting

Up

Pro

fileP

olicies

8. To save all attribute values that you have defined, click the Setbutton. To ignore all values and reset them to the original values,click the Reset button.

Note: Once a value has been Set, it cannot be Reset using theReset button. You will have to manually enter a new valueto reset it.

9. Click the Close button to close the Edit Validation Policieswindow.

Once the policy is created, you must distribute the profile to thesubscribers for the policy to take affect in each subscriber’s localcopy of the profile. See “Distributing Profiles” on page 41 for moreinformation. The validation policy only affects the profile records; itdoes not affect the Oracle database’s system catalogs.

Defining the Attribute Validations Using the CommandLine

Use the wlspolm, wgetpolm, and wputpolm commands to examineand set validation policy from the command line. Refer to the TivoliManagement Framework Reference Manual for more information.

Validating ProfilesOnce the validation policy has been defined, you should validateyour profiles. Profile validation verifies that a profile entry complieswith set policy and prevents an invalid entry from being created.

Once a policy has been set for a profile, validation will occurautomatically every time a new record is created, a profile ispopulated, or validation is requested. You may find it useful torequest a validation when you have modified an existing profile.

The context and authorization role required for validating a profile isadmin, senior, and super. You can perform this task from either theTivoli desktop or the command line.

32 Version 2.0

Validating a Profile Using the DesktopValidation requests are defined in a Database (User, Role, orResource) Profile window.

To validate a profile, complete the following steps:

1. From a Database Resource Profile window, select Profile →Validate to request the validation.

2. When the validation is complete, the Results of PolicyValidation dialog box will display any errors that wereencountered during validation. If there are no errors, a messagewill indicate that the profile passed validation. To close thedialog box, click the Close button.

If you encountered errors during validation, the record name andresulting errors will be displayed. You should repair these errorsimmediately.

Validating a Profile Using the Command LineUse the wvalidate command to validate a profile against itsvalidation policy from the command line. Refer to the TivoliManagement Framework Reference Manual for more information.


3.S

etting

Up

Pro

fileP

olicies

34 Version 2.0

Managing Profiles

This chapter describes how to manage the user, role, and resourceprofiles in your profile managers. The profile managers enable youto relabel, populate, distribute, and delete profiles. The informationin this chapter describes how to use and manage profiles, but it doesnot describe how to work with the individual profile records (for thatinformation, refer to the chapters following this one).

This chapter describes how to complete the following tasks:

¶ Relabel a profile

¶ Populate a profile with records from an Oracle database

¶ Distribute a profile to subscribers

¶ Delete a profile

Relabeling ProfilesThe label of your profiles can be changed at any time to facilitatechanges in your organization’s facilities, processes, or hierarchy. Thenew label can contain any alphanumeric character; however, it isrecommended that you do not use spaces.

Perform the following steps to relabel a profile:

1. Double-click the Oracle User Profile icon, the Oracle RoleProfile, or the Oracle Resource Profile icon to display theProfile window.

4


4.M

anag

ing

Pro

files

2. In the Configuration Profile text box, type a new label.

3. Click the Set Label button to replace the label name.

4. Select Profile → Close to close the profile window.

Populating ProfilesIn the Tivoli environment, you can populate a profile with therecords stored in your Oracle databases. The populate commandreads the data from a specified database and copies it to your Oracleuser, role, or resource profiles.

The context and authorization role required for populating profiles isoracle_dba. You can perform this task from either the Tivoli desktopor the command line.

Populating a User, Role, or Resource Profile Using theDesktop

The following steps describe how to populate a user, role, orresource profile with the records from Oracle databases.

1. To display the profile window, double-click the Oracle UserProfile icon, the Oracle Role Profile icon, or the OracleResource Profile icon.

36 Version 2.0

Note: You can also right-click the selected icon and choose EditProperties to display a profile window.

2. Select Profile → Populate to display the Populate Oracle Profiledialog box.

3. From the Do not get records from these databases list, selectthe Oracle databases that contain the records that you will use topopulate the profile.


4.M

anag

ing

Pro

files

4. Click the left arrow button to move the databases into the Getrecords from these databases list.

5. Select the Append to existing record list option to keep existingrecords, or select the Overwrite existing record list to replacethe existing records.

Attention: If you select to overwrite, all pre-existing records inthis profile will be deleted.

6. Click the Populate button to add the records. You can selectother Oracle databases from which to populate records.

—OR—

Click the Populate & Close button to add the new records andclose the dialog box.

If validation policy is enabled, Tivoli validates all records fromeach Oracle database you selected. If a record fails validationpolicy, an error dialog box displays the names of those records.

7. Click the Dismiss button to close the message window.

If more than one record exists with the same information frommultiple databases from which you are populating, only the firstinstance of that record will be added to the profile. In other words,Tivoli will not add duplicate records to your profile

Protecting Predefined ProfilesFor each type of profile that you create, Tivoli provides basicvalidation policies to protect the commonly used predefined profilerecords. These Tivoli-provided validation policies are as follows:

¶ Validation Policy for User Profiles — prevents the predefineduser names SYS and SYSTEM from being populated duringprofile population

¶ Validation Policy for Role Profiles — prevents the followingpredefined roles from being populated during profile population:

v CONNECT

v DBA

v EXP_FULL_DATABASE

38 Version 2.0

v IMP_FULL_DATABASE

v RESOURCE

¶ Validation Policy for Resource Profiles — prevents thepredefined profile DEFAULT from being populated duringprofile population

Populating a User, Role, or Resource Profile Using theCommand Line

Use the wopopusers command to populate user profiles. See“wopopusers” on page 178.

Use the wopoproles command to populate role profiles. See“wopoproles” on page 177.

Use the wopopresources command to populate resource profiles.See “wopopresources” on page 176.

Listing User, Role, or Resource InformationUse the wolsusers command to list the users in an Oracle userprofile, or the wogetuser command to list specific information abouta user in an Oracle User profile.

Use the wolsroles command to list the roles in an Oracle roleprofile, or the wogetrole command to list specific information abouta role in an Oracle Role profile.

Use the wolsresources command to list the resources in an Oracleresource profile, or the wogetresource command to list specificinformation about a resource in an Oracle resource profile.

Locking and Unlocking RecordsLocking a profile record causes it to be read-only when it isdistributed to subscribers. See “Distributing Profiles” on page 41 forinformation on distributing.


4.M

anag

ing

Pro

files

You can lock and unlock individual records in an Oracle profile.Before distributing profiles, lock those records that you do not wantmodified by subscribers. The context and authorization role requiredfor locking and unlocking records is senior.

The following steps describe how to lock or unlock records:


Note: You can also right-click the appropriate profile icon, andchoose Edit Properties to open the profile window.

2. Select the record that you want to lock, and select Edit → Lock.A symbol will display next to the record to indicate that it is

40 Version 2.0

locked to prevent users from modifying it.

—OR—

Select the record(s) that you want to unlock, and select Edit →Unlock.

Once you have determined the records that you want to lock orunlock, you can distribute the profiles.

Distributing ProfilesIn the Tivoli Manager for Oracle User Management environment,you can distribute profiles from a profile manager or from a databaseendpoint.

When you distribute a profile from a profile manager, theinformation for the profiles will be sent to the subscribers (that youpreselect) of the profile manager.

When you distribute a profile from a database endpoint, theinformation for the profiles will be sent to all subscribers of thatendpoint and the Oracle database system catalogs.


4.M

anag

ing

Pro

files

The context and authorization role required for distributing a profileis admin and for updating the Oracle database system catalogs isoracle_dba.

Distributing a Specific Profile Using the DesktopThe following steps describe how to distribute a specific user, role,or resource profile. (See “Distributing All Profiles Using theDesktop” on page 43 for information on how to distribute allprofiles.)


Note: You can also right-click the appropriate profile icon, andchoose Edit Properties to open the selected profilewindow.

2. From the profile window, select Profile → Distribute to open theDistribute Profile dialog box.

3. To distribute to the next level of subscribers, select Next level ofsubscribers from the Distribute To group box.

—OR—

42 Version 2.0

To distribute to all subscribers in the hierarchy and update thesystem catalogs (Oracle data dictionary) at the endpoints, selectAll levels of subscribers from the Distribute To group box.

4. To select to preserve the modifications, select Preservemodifications in subscribers’ copies of the profile from theDistribution Will group box. The differences will be kept.

—OR—

To select to overwrite the modifications, select Make eachsubscriber’s profile an EXACT COPY of this profile in theDistribution Will area. The modifications will be overwritten.

5. To select subscribers that will not receive the profile, select thesubscribers from the Distribute to These Subscribers list, andclick the right arrow button. The subscribers will be added to theDo Not Distribute to These Subscribers list. The left arrowbutton will return the subscriber to the Distribute to TheseSubscribers list.

6. Click the Distribute button to distribute the profile. You canselect another profile to distribute.

—OR—

Click the Distribute & Close button to distribute the profile andclose the dialog box.

—OR—

You can choose to add the distribution to the scheduled job for aspecific time. See “Scheduling a Distribution” on page 47 formore information.

Distributing All Profiles Using the DesktopThe following steps describe how to distribute all profiles in aprofile manager to all subscribers. This method uses the distributiondefaults for the profile.

1. From a policy region, right-click the profile manager icon, andchoose Distribute. This will display the Distribute Profiles


4.M

anag

ing

Pro

files

dialog box.

2. Click the Distribute Now button to distribute all profiles in theprofile manager.

—OR—

Click the Schedule button to display the Add Scheduled Jobsdialog box. See “Scheduling a Distribution” on page 47 for moreinformation. Once the schedule is set, the distribution will occurat the allocated time.

Distributing Profiles Using Shortcuts from theDesktop

Use the following shortcuts to distribute one or more profiles to oneor more subscribers from the Tivoli desktop. These methods use thedistribution defaults for the profile. For more information, refer tothe Tivoli Management Framework User’s Guide.

Using Drag and DropFrom the profile manager window, drag a selected profile icon anddrop it on the appropriate subscriber. The distribution will beginimmediately.

Using Icon Selection1. From the Profile Manager window, select the profile and

subscriber icons (press the Ctrl key while selecting to selectmultiple subscribers).

44 Version 2.0

2. Select Profile Manager → Distribute. The Distribute Profilesdialog box will display.

3. Click the Distribute Now button to distribute all profiles in theprofile manager.

—OR—

Click the Schedule button to display the Add Scheduled Jobsdialog box. See “Scheduling a Distribution” on page 47 for moreinformation. Once the schedule is set, distribution will occur atthe allocated time.

Distributing Profiles Using the Command LineUse the wdistrib command to distribute profiles from a profilemanager. Refer to the Tivoli Management Framework ReferenceManual for more information.

Getting a New Copy of a Profile Using the DesktopIn addition to distributing profiles to subscribers, the subscribingprofile manager can update its profile records by getting a new copyfrom the distributing profile. Use the following steps to get a newcopy of a profile using the Desktop.

1. Open the subscribing profile manager.

2. Click on one or more of the subscriber’s profiles that you wantto update by getting a new copy.

3. Select Profile Manager → Get New Copy.

4. Choose Get Now to get the new copies of the selected profiles.

—OR—

Click the Schedule button to display Add Scheduled Job dialogbox. See “Scheduling a Distribution” on page 47 for moreinformation.


4.M

anag

ing

Pro

files

Setting Distribution DefaultsYou can set distribution default values for a profile. When you setdefault values for a distribution, initial values for various distributionsettings will be used automatically. This will help you have bettercontrol over your distributions and ensure consistency.

The following steps describe how to set the distribution defaults.

1. From a profile manager window, double-click the appropriateprofile to display the database profile window.

2. To set the distribution defaults, select Profile → DistributeDefaults. The Set Distribution Defaults dialog box will display.

46 Version 2.0

3. Select the default values for the Distribute To and DistributionWill properties, and click the Set button to save the values.

—OR—

Click the Set & Close button to save the values and close thedialog box.

When the next distribution occurs for this profile, these initial valueswill be set.

Scheduling a DistributionYou can choose to schedule when a profile will be distributed. Thistopic assumes that the profile is ready to be distributed. See“Distributing Profiles” on page 41 for information on how todistribute a profile.

The following steps describe how to schedule a distribution.


4.M

anag

ing

Pro

files

1. Click the Schedule button. This will open the Add ScheduledJob dialog box.

2. In the Schedule Job For group box, type the Month, Day, andYear when you want distribute the profile, and select the Hourand Minute. You will also need to select either the AM or PMoption.

3. To repeat the distribution indefinitely and at specified intervals,select the Repeat the job indefinitely option from the Repeatthe Job group box. Type a number in the The job should start

48 Version 2.0

every text box, and click the list to select the appropriateinterval (minutes, hours, weeks, months, days, or years).

—OR—

To repeat the distribution a specific number of times, select theRepeat the job option and type the number of times to repeatit.

4. Determine the type of notification you want to receive when thedistribution completes. In the When Job Completes group box,select the Post Tivoli Notice option to select a specified noticegroup.

—OR—

Select the Post Status dialog box on Desktop option to send itto the Administrator’s desktop.

—OR—

Select the Send email to option and type an e-mail address.

—OR—

Select the Log to file option to save the data to a managednode’s log file.

5. In the Job Label text box, type a name for the job or leave itblank to have it default to the Job Name.

6. You can either set the retry, cancel, and restrictions options asdescribed in “Setting the Retry, Cancel, and Restrictions Options”on page 49, or click the Schedule Job & Close option to startthe distribution when specified. If the scheduler cannot run thejob at the scheduled time, the job will not run. However, it willrun during the next scheduled time.

For more information, refer to the Tivoli ManagementFramework User’s Guide.

Setting the Retry, Cancel, and Restrictions OptionsYou can set the options that determine how the scheduler will retry,cancel, or restrict a distribution job.

1. From the Add Scheduled Job dialog box (see “Scheduling aDistribution” on page 47 for more information), click the SetRetry/Cancel/Restrictions button to display the Set


4.M

anag

ing

Pro

files

Retry/Cancel/Restrictions dialog box.

2. To set a cancellation option, select the Cancel job if it does notstart within option, and type a time interval in the text box.

3. To set a retry option, select either the Retry the job untilsuccess, Retry the job, or The job should retry every option.Type the appropriate retry successions.

4. You can set restrictions on specific times that the distributionshould not run. To set a restriction, select either the During theday, At night, During the week, or On weekends option. Typethe appropriate days or times that are restricted.

5. Click the Set button to accept the options. Click the Schedule &Close button to accept the distribution schedule and options. TheAdd Scheduled Job dialog box will close automatically.

50 Version 2.0

Deleting ProfilesWhen you delete a profile, it is removed from the profile managerand all subscriber’s copies; however, its objects will not be removedfrom the Oracle database system catalogs.

The context and authorization role required for deleting Oracleprofiles is senior. You can perform this task from either the Tivolidesktop or the command line.

Deleting a Profile Using the DesktopThe following steps describe how to delete a profile. You need toopen the profile manager that contains the profiles you want todelete.

1. If the profile manager window is not open, double-click thepolicy region then double-click the profile manager.

2. To delete profiles from the profile manager, select the profileicons (to select multiple profiles, press and hold the Ctrl keywhile selecting) that you want to delete, and select Edit →Profiles → Delete. This displays the Delete Profiles dialog box.

3. To permanently remove the profiles, click the Delete button.When the deletion is complete, the profile icon will be removedfrom the profile manager.

Deleting a Profile Using the Command LineUse the wdel command to delete profiles from a profile manager.Refer to the Tivoli Management Framework Reference Manual formore information.


4.M

anag

ing

Pro

files

52 Version 2.0

Managing Users

This chapter describes how to use an Oracle User profile (managedresource name: OracleUserManagerProfile) to manage your Oracledatabase users. It contains the following topics:

¶ Adding a user record

¶ Editing a user record

¶ Editing multiple user records

¶ Copying a user record

¶ Moving a user record

¶ Deleting a user record

¶ Setting the tablespace list

Adding User RecordsThere are two ways to create records in an Oracle User profile: bypopulating the profile with existing users and by adding new users.The populate operation is described in “Managing Profiles” onpage 35.

When adding a new user, you must define the password, resourceprofile, roles, system privileges, quotas, and object privileges for thatuser.

5


5.M

anag

ing

Users

The context and authorization role required for adding a new user isadmin. You can perform this task from either the Tivoli desktop orthe command line.

Adding a User Record Using the DesktopThe following steps describe how to add a user to an Oracle Userprofile.

1. From the Policy Region window, double-click the ProfileManager icon to display the Profile Manager window

—OR—

Right-click the Profile Manager icon, and choose Open todisplay the Profile Manager window.

54 Version 2.0

2. To display the Oracle Database User Profile window,double-click the Oracle User profile icon where you want toadd users.

—OR—

Right-click the Oracle User profile icon, and choose EditProperties.

3. To add new users to the profile, click the Add button. The AddDatabase User dialog box is displayed.

—OR—


5.M

anag

ing

Users

Click Edit → Add to display the Add Database User dialog box.

The values defined by the default policies (See “Defining theDefault Policy” on page 17) to determine how Tivoli displays theAdd Database User dialog box. Entry fields with default valuesare disabled.

4. In the Name text box, type the name of the new user. Thisshould be the name that the user enters to log in to the Oracledatabase.

5. In the Password text box, type a password that the user uses tolog in to the Oracle database. The characters you type aremasked by asterisks for security purposes.

—OR—

To allow Oracle to verify the user’s access through the operatingsystem, select the OS Authentication check box. Tivoli createsan OPS$ account (the actual prefix depends on the value of theINIT.ORA parameter OS_AUTHENT_PREFIX), which verifies if

56 Version 2.0

the user accessed the operating system and then grants access tothe user profile instead of prompting for a password.

6. To allow the user to set the password in the profile, select theUser Controls Password check box. If you use this option, theuser’s profile password can differ from the Oracle databasepassword.

—OR—

To allow Tivoli to reset the password for the user, deselect theUser Controls Password check box. This ensures consistencybetween the password in the profile and the password in theOracle database.

7. The Resource Profile enables you to select the hardware profileto which this user has access. To select the profile, click theResource Profile text box and select the resource.

8. You can define other parameters for the user, such as tablespaces,default values, roles, system privileges, and so on. To continuedefining these parameters follow the steps in “Setting Other UserParameters”.

—OR—

Click the Add & Close button to add the new user to the profileand close the Add Database User dialog box.

Changes made in the profile are independent of the database. Toupdate the database with the changes, you must distribute the profileto the database endpoint.

Adding a User Record Using the Command LineUse the wocrtuser command to add Oracle users to a profile fromthe command line. For a description, syntax, example, and othercommand information, see “wocrtuser” on page 152.

Setting Other User ParametersYou can set other parameters in the Add Database User dialog box.The following topics describe how to set the tablespaces, roles,system privileges, tablespace quotas, and object privileges.


5.M

anag

ing

Users

Setting the Default and Temporary TablespaceDefine the tablespace where the user’s default and temporary objectsare stored. Tivoli recommends that you do not use the SYSTEMtablespace for user objects.

1. From the Add Database User dialog box, click the DefaultTablespace list and select the appropriate tablespace.

If the tablespace is not in the list, you must set up a tablespaceas described in “Setting the Tablespace List” on page 85.

2. To define the temporary tablespace, click the TemporaryTablespace list and select the appropriate tablespace.

If the tablespace is not in the list, you must set up a tablespaceas described in “Setting the Tablespace List” on page 85.

Setting and Clearing Default ValuesYou can set or clear the default policy assigned to the Database UserProfile. When you set a default value for a new user record, theattributes that have a predefined default are automatically be set toreflect that default value. When you clear the default values, theattributes that have defaults assigned are cleared. You can then enternew values for the user.

To set or clear the default values, complete the following steps fromthe Add Database User dialog box:

58 Version 2.0

¶ Click the Set Defaults button. The default policy is added toeach applicable field on the screen.

¶ Click the Clear Defaults button to clear any default values andenable new values to be entered.

Note: Use the Reset button to return the screen to the valuesthat were present when the screen was originallydisplayed; however, if you click the Add button beforethe Reset button, any new values that you entered aresaved to the profile and cannot be reset.

Granting Roles to UsersTivoli allows you to grant roles to each user record. Roles determinethe group of related Oracle privileges that are granted to users. Referto “Managing Roles” on page 87 for more information.

To grant roles to users, complete the following steps:


5.M

anag

ing

Users

1. From the Add Database User dialog box, click theCollapse/Expand button to display the Roles option.

2. To grant roles to the user, click the Add Role button to displaythe Add Role dialog box.

Note: To revoke or change a role, select the role, and click theRemove Role button.

3. The Add Role dialog box contains a list of standard Oracle rolesand any roles that were defined in the Oracle Role profiles in thecurrent profile manager. From the Database Roles list, select therole to be granted. Refer to your Oracle User’s Guide for a

60 Version 2.0

comprehensive list of the available roles.

4. To allow the user to grant the role to other users, select theGrant Role to Others check box.

5. If you want the selected role to be a default role, select theDefault Role check box

6. Click the Add button to grant the role. You can add other rolesfor the user.

—OR—

Click the Add & Close button to grant the role and close thedialog box.

Note: To cancel the operation, click the Cancel button.

Granting System Privileges to UsersTivoli enables you to grant Oracle system privileges to users. Systemprivileges determine the specific Oracle database operation or classof operations that the user can perform.

To grant system privileges to users, complete the following steps:

1. From the Add Database User dialog box, click theCollapse/Expand button to display the System Privileges groupbox.


5.M

anag

ing

Users

2. If you want to grant Oracle system privileges to the user, clickthe Add Privilege button to display the Add System Privilegedialog box.

Note: To revoke or change a system privilege, select theprivilege, and click the Remove Privilege button.

62 Version 2.0

3. From the System Privileges list, select the system privilege tobe granted.

4. To allow the user to grant the system privilege to other users,select the Grant Privilege To Others check box.

5. Click the Add button to grant the privilege. You can grant otherprivileges for the user.

—OR—

Click the Add & Close button to grant the privilege and closethe dialog box.

Note: You can click the Cancel button to cancel the operation.

Changes made in the profile are independent of the database. Toupdate the database with the changes, you must distribute theprofile to the database endpoint.

Setting Tablespace QuotasTivoli allows you to add quotas to tablespaces. Quotas determine theamount of disk space allocated for each tablespace. For example, ifyou want to limit the amount of Temporary tablespace that can beused for the user, set the tablespace quota.

To set the tablespace quota, complete the following steps:


5.M

anag

ing

Users

1. From the Add Database User dialog box, click theCollapse/Expand button to display the Quotas group box.

2. Click the Add Quota button to display the Add TablespaceQuota dialog box.

64 Version 2.0

Note: To revoke or change a tablespace quota, select the quotaand click the Remove Quota button.

3. From the Tablespace list, select the tablespace where you willdefine a quota.

4. Select the Limit Tablesize check box to enter the quota valueand unit of measure.

5. In the Size text box, type a numeric value. If you do not enter avalue, the quota is not set.

6. From the Unit list, select a unit of measure (Bytes, Kb, Mb, orGb) for the value.

7. Click the Add button to add the quota for the tablespace. Youcan define other quotas.

—OR—

Click the Add & Close button to add the quota and close thedialog box.

Note: You can click the Close button to cancel the operationwithout saving the quota.


5.M

anag

ing

Users

Setting Object PrivilegesTivoli enables you to grant object privileges to users. When a user isgranted a privilege for an object, they are given permission toexecute a command or function on a specific object. The functionsavailable to them are ALTER, DELETE, EXECUTE, INDEX,INSERT, REFERENCES, SELECT, and UPDATE. The object isspecified by defining the schema and object name. In some instancesusers can update specific columns of an object.

Setting up object privileges for a user is a two step process. The firststep requires you to access a Grantor’s user profile to complete thesecond step of defining the Grantee and the object privilege. Tivoliconnects to Oracle as the Grantor to grant the privilege to theGrantee.

The Grantor must own the object being granted or have objectprivileges with the GRANT OPTION on the object. In other words,if you are the Grantor, you cannot grant object privileges to a user ifyou do not own the object yourself or you don’t have the ability togrant the object.

Note: Tivoli connects as the grantor to issue the GRANT command;therefore, the grantor’s password must be set to either OSAuthentication or Password with the User Controls Passwordoption deselected. For detailed information about defining apassword, see step 5 on page 56.

The context and authorization role required for granting or revokingobject privileges is admin. You can perform this task from either theTivoli desktop or the command line.

Accessing the Grantor’s User ProfileUse the following steps to access the Grantor’s user profile:

1. From the Database User Profile window, select the user whogrants the privileges to another user.

2. Click the Edit button to display the Edit Database Userwindow.

—OR—

66 Version 2.0

Select the Edit → Edit option to display the Edit Database Userwindow.

3. From the Edit Database User dialog box, click the ObjectPrivileges button to display the Object Privileges dialog box. Alist of the current privileges owned by the user is displayed.

Now you must add a new privilege that defines the Grantee or userto receive the privilege. The next section describes how to grant theprivilege to a user.


5.M

anag

ing

Users

Granting an Object Privilege to a UserTo grant an object privilege to a user, the Grantor must define thegrantee to receive the privilege and then define the object.

1. From the Object Privileges dialog box, click the Add Privilegebutton to display the Add Object Privilege dialog box.

2. Type the name of the user receiving the privilege in the Granteetext box.

3. Select the object privilege to be granted from the ObjectPrivileges list. To grant all privileges, select the All Privilegesoption

Note: The Update and References privileges allow you to selecta specific column on which to grant the privilege. Formore information, refer to “Granting Object Privileges onSpecific Columns” on page 69.

4. If you do not want the user to be able to grant the privilege toother users, deselect the Privilege Grantable option.

5. In the Schema Name text box, type the schema name for thedatabase object to be granted.

6. In the Object Name text box, type the name of the object to begranted.

68 Version 2.0

7. Click the Add & Close to grant the privilege and close thedialog box and return to the Object Privileges dialog box.

—OR—

Click the Add button to add the privilege and continue addingothers. To return to the Object Privileges dialog box, click theClose button.

The object privilege has been added to the User’s profile. NowTivoli connects as the Grantor to grant the database object to theGrantee.

8. You can continue adding privileges or click the Close button toreturn to the Edit Database User window.

—OR—

Click the Change & Close button to accept the privilege updatesand close the window.

Granting Object Privileges on Specific ColumnsFor certain types of privileges, you can specify which data columnsreceive the granted privilege. For example, you can grant a user theability to update an employee salary object, but you can limit thatupdate to only those columns that pertain to the employee’s addressand job title.


5.M

anag

ing

Users

Only the UPDATE and REFERENCES privileges allow you to selectspecific column(s) to receive the privilege. When you select eitherthe Update or Reference privilege, the Columns scrolling list,Column Name text box, and Remove Column button is enabledautomatically.

These instructions assume that the Add Object Privilege dialog boxis displayed. To grant object privileges on specific columns,complete the following steps:

1. From the Add Object Privilege dialog box, type the name of acolumn in the Column Name text box.

2. Press the Return or Enter key on your keyboard to add thecolumn name to the Columns scrolling list.

Note: If no columns are selected, the privilege is granted on allcolumns.

3. To remove a column from the list, select it and click the RemoveColumn button.

Revoking and Changing Object PrivilegesTo revoke a Grantee’s privileges on an object, you must open theGrantor’s user profile to edit the Grantee’s privilege. To change aGrantee’s privilege, you must first revoke it then add a new one.

To revoke and change an object privilege, complete the followingsteps:

1. To revoke an object privilege, open the Object Privileges dialogbox.

2. Select the object privilege, and click the Remove Privilegebutton.

70 Version 2.0

3. Click the Close button to accept the revocation.

4. Click the Change & Close button to save the privileges to theuser profile and close the window.

Note: Changes made in the profile are independent of thedatabase. To update the database with the changes, youmust distribute the profile to the database endpoint

Viewing Granted Object PrivilegesYou can view the object privileges that have been granted to a user.Tivoli allows you to quickly review the privileges from theDatabase User Profile window.

The context and authorization role required for viewing a user’sobject privileges is admin. You can perform this task from either theTivoli desktop or the command line.

To view a user’s object privileges from an Oracle User profile,complete the following steps:

1. From the Database User Profile window, select the user record.


5.M

anag

ing

Users

2. To view the privileges, select View → Granted Privileges todisplay the Object Privileges dialog box.

3. The Object Privileges dialog box displays the schema, columns,and grantable option properties for the user. To close the dialogbox, click the Close button.

Editing User RecordsYou can modify single or multiple user records in a profile. Thissection describes how to edit a single user record in a profile.

The context and authorization role required for editing an Oracleuser is admin. You can perform this task from either the Tivolidesktop or the command line.

Editing a User Record Using the DesktopThese steps assume that the Database User Profile window isdisplayed (if it is not, double-click the user profile icon from theProfile Manager window).

To edit a user record, complete the following steps:

1. From the Database User Profile window, select the user recordthat you want to modify, and click the Edit button.

—OR—

72 Version 2.0

Select the user record, and select Edit → Edit to display the EditDatabase User dialog box.

2. If you want to change any of the parameters for the user, type orselect new values in the appropriate fields. See “Adding UserRecords” on page 53 for details on the various fields of thisscreen.

3. After your modifications are complete, click the Change button.You can complete other modifications.

—OR—

Click the Change & Close button to accept the new parametersand close the Edit Database User dialog box.

Changes made in the profile are independent of the database. Toupdate the database with the changes, you must distribute the profileto the target database.

Editing a User Record Using the Command LineUse the wosetuser command to edit a user record in a profile fromthe command line. For a description, syntax, example, and othercommand information, see “wosetuser” on page 187.


5.M

anag

ing

Users

Editing Multiple User RecordsThis section describes how to edit multiple user records in a profile.Once you edit the records, you must distribute the profile to updatethe database.

The context and authorization role required for editing Oracle usersis admin. You can perform this task from either the Tivoli desktopor the command line.

Editing Multiple User Records Using the DesktopThe following steps describe how to search, sort, and then editmultiple user records using the desktop. To simplify user recordmaintenance, Tivoli provides user search and sort functionality forspecific attributes. You can search the user records by setting thecriteria for a specific attribute. Tivoli displays and selects all recordsthat meet that criteria then enable you to edit all of the selectedrecords simultaneously. You can also sort the records by users orattributes, so that you can select the records you want to edit.

Searching the User DatabaseThese steps assume that the Database User Profile window isdisplayed (if it is not, double-click the user profile icon from theProfile Manager window).

To search the user database, complete the following steps:

74 Version 2.0

1. Select View → Find from the Database User Profile window.Tivoli displays the Find Records dialog box.

2. From the Attributes list, select the attribute that you want tomodify

3. To set the type of search that Tivoli performs, click thecomparison operator list, and select one of the following: ExactMatch for those records that equal a certain value; Contains forthose records that contain a certain value; Greater than for thoserecords whose value is greater than a certain value; or Less thanfor those records whose value is less than a certain value.

4. Type the value for the search criteria in the text box next to thecomparison operator list. This box is case sensitive, so you musttype the criteria as it is displayed in the database.


5.M

anag

ing

Users

5. Click the Find All button to find all records that match thecriteria.

—OR—

Click the Find First button to find the first occurrence of arecord that matches the criteria.

—OR—

Click the Find Next button to find the next occurrence of arecord that matches the criteria.

6. When the search is complete, you can refer to the DatabaseUser Profile window to verify the appropriate records werefound. You can continue to search or click the Close button toclose the Find Records dialog box.

7. Notice that the records found in the Database User Profilewindow are automatically selected. If you want to display onlythose records, click the Show Selected button.

76 Version 2.0

8. To select the filtered records, click the Select All button. You canedit all of the records as described in “Editing the SelectedRecords” on page 79.

Sorting by UserWhen you sort the records in the user database, you can sort by usernames or by user attributes. This enables you to review the list ofpossible records before selecting them to edit.

To sort the database records by name, complete the following steps

1. Select View → Sort → Users from the Database User Profilewindow.

2. The Sort Records dialog box displays with the Username recordlabel field selected as shown in the Sort Records example. Toselect the order in which the records are sorted, select either theAscending Sort or Descending Sort option.

3. To begin the sort, click the Sort & Close button. The newlysorted records are displayed in the Database User Profilewindow. You can select the records and edit them as described in“Editing the Selected Records” on page 79.


5.M

anag

ing

Users

Sorting by AttributeYou can also sort the database records by a specific attribute. Afteryou have sorted the records, you can review them to select therecords you modify.

To sort records by attribute, complete the following steps:

1. Select View → Sort → Attributes from the Database UserProfile window.

2. The Display Attributes dialog box displays so that you canselect the attributes by which to sort. All attributes in theAttributes Displayed list are sorted. The attributes in AttributesNot Displayed list is not sorted. Move the attributes to theappropriate list by clicking the left or right arrow buttons.

3. To begin the sort, click the Sort button. The newly sortedrecords are displayed in the Database User Profile window. Youcan perform another sort as needed.

—OR—

Click the Sort & Close button to sort the records and close thedialog box. The newly sorted records are displayed in theDatabase User Profile window. Notice that only the selectedattributes are displayed. You can select the records to be editedas described in “Editing the Selected Records” on page 79.

78 Version 2.0

Editing the Selected RecordsOnce you have selected the records to be modified, you can edit theattributes to affects all selected records.

To edit the selected records, complete the following steps:

1. Click the Edit button in the Database User Profile window. TheSelect Attributes to Edit dialog box displays enabling you toselect multiple attributes.

—OR—

To edit a single attribute for the selected records, click thespecific attribute button.

Note: The specific attribute buttons are also the column headersfor the database records in the Database User Profilewindow.

Tivoli displays the Edit Multiple Database Users dialog box.Only those attributes that you selected are enabled formodification.

2. Modify the attribute as needed, and click the Change button. If itis needed, you can edit the attribute again

—OR—

3. Click the Change & Close button to save the changes to theprofile and close the Edit Multiple Database User dialog box.Tivoli displays the modified records in the Database UserProfile window.


5.M

anag

ing

Users

Note: You can click the Cancel button to cancel any unsavedchanges and close the dialog box.


Editing Multiple User Records Using the CommandLine

Use the wosetusers command to edit multiple user records in aprofile from the command line. For a description, syntax, example,and other command information, see “wosetusers” on page 190.

Copying User RecordsYou can copy user records from one profile to another profile.However, the user records cannot be located in the same profilemanager.

The context and authorization role required for copying a profilerecord is admin. You can perform this task from either the Tivolidesktop or the command line.

Copying a User Record Using the DesktopYou must select the record to be copied from the Database UserProfile window.

To copy a user record, complete the following steps:

80 Version 2.0

1. From the Database User Profile window, select the databaseuser record that you want to copy to another profile (source).

2. Select Edit → Copy to display the Copy Profile Records dialogbox.

3. From the Available Profile Managers list, select the profilemanager that contains the user profile to where (target) the userrecord is copied.


5.M

anag

ing

Users

4. From the Available Profiles list, select the profile to where theuser record is copied.

5. Click the right arrow button to add the selection to the TargetProfiles list.

6. To begin copying, click the Copy button. You can copy otherprofiles.

—OR—

Click the Copy & Close button to copy the profiles and closethe dialog box.

Copying a User Record Using the Command LineUse the wocpuser command to copy user records between profilesfrom the command line. For a description, syntax, example, andother command information, see “wocpuser” on page 144.

Moving User RecordsIn addition to copying user records, you can also move records fromone user profile to another.

The context and authorization role required for moving a profilerecords is admin. You can perform this task from either the Tivolidesktop or the command line.

Moving a User Record Using the DesktopYou must select the record to be moved from the Database UserProfile window. These steps assume that this window is alreadydisplayed.

To move a user record, complete the following steps:

82 Version 2.0

1. Select the record you want to move.

2. To display the Move Records dialog box, select Edit → Move.

3. From the Available Profile Managers list, select the profilemanager that contains the profile where the record is moved. Allavailable profiles for that profile manager, are displayed in theAvailable Profiles list

4. From the Available Profiles list, select the profile where therecord is moved.


5.M

anag

ing

Users

5. To move the user record, click the Move button. You can selectother records to move.

—OR—

Click the Move & Close button to move the record and close thedialog box.

Moving a User Record Using the Command LineUse the womvuser command to move user records from one profileto another from the command line. For a description, syntax,example, and other command information, see “womvuser” onpage 174.

Deleting User RecordsWhen you delete a user record, you must remove the record fromthe profile and then distribute the profile to the Oracle database.After it is distributed, it is removed from the Oracle database. Whenyou choose to delete a record, you can select to delete the user’sowned objects as well.

The context and authorization role required for deleting an Oracleuser is admin. You can perform this task from either the Tivolidesktop or the command line.

Deleting a User Record Using the DesktopYou must select the record to be removed from the Database UserProfile window. These steps assume that this window is alreadydisplayed.

To delete a user record, complete the following steps:

1. Select the user that you want to remove from the profile, andclick the Delete button. Tivoli displays the Delete DatabaseUser(s) dialog box.

—OR—

84 Version 2.0

Select Edit → Delete to display the Delete Database User(s)dialog box.

2. To delete the user record without deleting the user’s ownedobjects, click the Delete Without Cascade button.

—OR—

To delete the user record and their owned objects, click theDelete With Cascade button.

If you delete with cascade, the user and all its associated objectsare deleted. If you delete without cascade, only the user isdeleted. There are some objects (typically those objectsexclusively owned by the user) that must be deleted before Tivolienables the record to be deleted.

Note: You can click the Cancel button to cancel the deletion.


Deleting a User Record Using the Command LineUse the wodeluser command to drop users from a profile using thecommand line. For a description, syntax, example, and othercommand information, see “wodeluser” on page 159.

Setting the Tablespace ListTivoli Manager for Oracle User Management maintains a list oftablespaces for each Oracle User profile. This is the list that isdisplayed when you select the Default and Temporary tablespacelists in the Add Database User dialog box or Edit Database Userdialog box. Use the Set Tablespaces dialog box to maintain this list.


5.M

anag

ing

Users

Each Tivoli Manager for Oracle User Management profile maintainsa separate list. The list is internal to Tivoli Manager for Oracle UserManagement, and is not updated in any Oracle data dictionary tables.

The context and authorization role required for setting the tablespacelist is senior. You can perform this task from either the Tivolidesktop or the command line.

To add a tablespace, complete the following steps:

1. From the Database User Profile window, select Edit →Tablespaces to display the Set Tablespaces dialog box.

2. To add a new tablespace, type the name of the new tablespace inthe Add Tablespace text box.

3. Press the Return or Enter key. Tivoli adds the new tablespace tothe Current Tablespaces list.

Note: To remove a tablespace from the list, select the tablespace,and click the Remove Tablespace button.

4. Click the Set button to save (or remove) the tablespace, andcontinue making changes.

—OR—

Click the Set & Close button to save (or remove) the tablespaceand close the dialog box.

86 Version 2.0

Managing Roles

This chapter describes how to manage your Oracle database rolesfrom Tivoli Manager for Oracle User Management. When managingroles, you can perform the following tasks:

¶ Adding role records

¶ Editing role records

¶ Copying role records

¶ Moving role records

¶ Deleting role records

¶ Searching and sorting role records

Adding Role RecordsRoles represent the privileges that determine the tasks and processesthat users can execute in Oracle databases. When you add a databaserole to the Tivoli environment, you can then associate the role tomultiple users. The roles that you add should be representative of thedatabase tasks and processes that are common to your ITenvironment.

Because role records are added to role profiles, you can set up yourrole profiles in groups of similar tasks. By grouping role records intoprofiles, you can assign the tasks and processes to user groups. Forexample, the tasks and processes that should be performed by onegroup, such as Finance and Accounting, differ from those tasks and

6


6.M

anag

ing

Ro

les

processes that another group performs, such as Sales and Marketing.Because the tasks of each group have varying degrees of securityand organizational parameters, it is important to be aware of theseissues when adding and granting roles.

The context and authorization role required for adding a role isadmin. You can perform this task from either the Tivoli desktop orthe command line.

Adding a Role Record Using the DesktopRoles are added through the Profile Manager window, which isaccessed from the Policy Region window.

To add a role record, complete the following steps:

1. Double-click the Profile Manager icon to display the ProfileManager window.

—OR—

88 Version 2.0

Right-click the profile manager icon and choose Open to displaythe Profile Manager window.

2. To display the Database Role Profile window, double-click theOracle Role Profile icon where you want to add roles.

—OR—


6.M

anag

ing

Ro

les

Right-click the Oracle Role Profile icon and choose EditProperties to display the Database Role Profile window.

3. To add new roles to the profile, click the Add button. Thisdisplays the Add Database Role dialog box.

—OR—

90 Version 2.0

Select Edit → Add to display the Add Database Role dialogbox.

The values defined by the default policies (see “Defining theDefault Policy” on page 17) determine how Tivoli displays theAdd Database Role dialog box. Entry fields with default valuesare disabled.

4. In the Name text box, type the name of the new role.

5. To set the authentication for a role, click the Authentication listand select NONE if the role does not require a password, selectOS if you want the operating system to verify the user, or selectPASSWORD if you want the user to enter a password. The


6.M

anag

ing

Ro

les

authentication enables you to set a password requirement on therole so that users are authenticated before they are allowed toenable the role.

6. If you selected PASSWORD for the authentication, type therequired password in the Password text box. The characters youtype are masked with asterisks for security purposes.

7. You can set other parameters for the role, such as other roles,system privileges, and default values. To set these parameters,follow the steps in “Setting Other Role Parameters”.

—OR—

Click the Add & Close button to add the new role to the profile,and close the Add Database Role dialog box.


Adding a Role Record Using the Command LineUse the wocrtrole command to add a role to a profile from thecommand line. For a description, syntax, example, and othercommand information, see “wocrtrole” on page 149.

Setting Other Role ParametersYou can set other parameters for the role. The following topicsdescribe how to set these parameters using the Add Database Roledialog box.

Setting and Clearing Default ValuesYou can set or clear the default policy assigned to the Database RoleProfile. When you set a default value for a new role record, theattributes that have a predefined default value are automatically setto reflect that default value. In other words, the default values areadded to the appropriate fields on the screen automatically. Thissaves time when you define the attributes for each new role record.When you clear the default values, the attributes that have defaultsassigned are cleared. You can then enter new values for the role.

92 Version 2.0

To set or clear the default values, complete the following from theAdd Database Role dialog box:

¶ To add default values to the role record, click the Set Defaultsbutton. All values defined with defaults are set automatically foreach applicable field on the screen.

¶ To clear any default values and enable new values to be entered,click the Clear Defaults button. All predefined default valuesare removed automatically.



6.M

anag

ing

Ro

les

Granting Roles to RolesTivoli enables you to grant other roles to the role record. Rolesdetermine the group of related Oracle privileges that are granted tousers. The granted roles determine the additional database tasks thatthe role can execute.

To grant roles to roles, complete the following steps:

1. Click the Collapse/Expand button to display the Roles groupbox.

2. To grant a role, click the Add Role button to display the AddRole dialog box.

94 Version 2.0

Note: To revoke or change a role, select the role and click theRemove Role button.

3. The Database Roles list contains the standard, predefined Oracleroles plus any roles defined in the Oracle role profiles for thecurrent profile manager. To grant a role, select the role from theDatabase Roles list

4. To enable the role to grant the role to other users, select theGrant Role to Others check box.

5. If you want the selected role to be a default role, select theDefault Role check box

6. Click the Add button to grant the role. You can add other roles.

—OR—

Click the Add & Close button to grant the role and close thedialog box.

Note: To cancel the operation, click the Cancel button.

Changes made in the profile are independent of the database. Toupdate the database with the changes, you must distribute theprofile to the target database.


6.M

anag

ing

Ro

les

Granting System PrivilegesThis option determines whether or not a user that is granted a rolecan perform a database operation. Tivoli enables you to grant Oraclesystem privileges on roles. System privileges determine the specificOracle database operation or class of operations that can beperformed.

To grant system privileges, complete the following steps:

1. Click the Collapse/Expand button to display the SystemPrivileges group box.

2. To grant system privileges to the role, click the Add Privilegebutton. This displays the Add System Privilege dialog box.

Note: To revoke or change a system privilege, select theprivilege and click the Remove Privilege button.

96 Version 2.0

3. Select the system privilege to be granted from the SystemPrivileges list.

4. To enable the role to grant the system privilege to other roles,select the Grant Privilege To Others check box.

5. Click the Add button to grant the privilege. You can grant otherprivileges.

—OR—

Click the Add & Close button to grant the privilege and closethe dialog box.

Note: You can click the Cancel button to cancel the operation.


Editing Role RecordsYou can edit single role records in a profile. This section describeshow to edit a single role record in a profile.

The context and authorization role required for editing a role isadmin. You can perform this task from either the Tivoli desktop orthe command line.


6.M

anag

ing

Ro

les

Editing a Role Record Using the DesktopTo edit a role record, complete the following steps:

1. From the Database Role Profile window, select the role recordthat you want to modify, and click the Edit button.

—OR—

Select the role, and select Edit → Edit to display the EditDatabase Role dialog box.

2. To change any of the parameters for the role, type or select thenew value in the appropriate fields. See “Adding Role Records”on page 87 for details on the various fields of this screen.

3. After your modifications are complete, click the Change &Close button to accept the new parameters and close the EditDatabase Role dialog box.

Changes made in the profile are independent of the database. Toupdate the database with the changes, you must distribute the profile.

Editing a Role Record Using the Command LineUse the wosetrole command to edit a role in a profile from thecommand line. For a description, syntax, example, and othercommand information, see “wosetrole” on page 183.

98 Version 2.0

Copying Role RecordsYou can copy role records to another profile; however, the rolerecords cannot be located in the same profile manager

The context and authorization role required for copying a profilerecord is admin. You can perform this task from either the Tivolidesktop or the command line.

Copying a Role Record Using the DesktopTo copy a role record, complete the following steps:

1. From the Database Role Profile window, select the database rolerecord that you want to copy to another profile (source).



6.M

anag

ing

Ro

les

3. From the Available Profile Managers list, select the profilemanager that contains the role profile to which the role record iscopied (target).

4. From the Available Profiles list, select the profile to which therole record is copied.


6. To copy the role record to the selected profile, click the Copybutton. You can copy other records as needed.

—OR—

Click the Copy & Close button to copy the record and close thedialog box.

Copying a Role Record Using the Command LineUse the wocprole command to copy role records between profilesfrom the command line. For a description, syntax, example, andother command information, see “wocprole” on page 142.

Moving Role RecordsIn addition to copying role records, you can also move records fromone role profile to another.

100 Version 2.0

The context and authorization role required for moving a profilerecords is admin. You can perform this task from either the Tivolidesktop or the command line.

Moving a Role Record Using the DesktopTo move a role record, complete the following steps:

1. From the Database Role Profile window, select the record youwant to move.



6.M

anag

ing

Ro

les

3. From the Available Profile Managers list, select the profilemanager that contains the profile where the record is moved. Allavailable profiles for that profile manager are displayed in theAvailable Profiles list.

4. From the Available Profiles list, select the profile where therecord is moved.

5. To move the role record, click the Move button. You can moveother records as needed.

—OR—

Click the Move & Close button to move the records and closethe dialog box.

Moving a Role Record Using the Command LineUse the womvrole command to move role records from one profileto another from the command line. For a description, syntax,example, and other command information, see “womvrole” onpage 172.

Deleting Role RecordsWhen you delete a role record, you must remove the record from theprofile and then distribute the profile to the Oracle database. After itis distributed, it is removed from the Oracle database.

The context and authorization role required for deleting a role isadmin. You can perform this task from either the Tivoli desktop orthe command line.

Deleting a Role Record Using the DesktopTo delete a role record, complete the following steps:

Note: Make certain that you want to delete the roles. Tivoli does notprompt for confirmation of the operation.

1. From the Database Role Profile window, select the role that youwant to remove from the profile, and click the Delete button.

—OR—

102 Version 2.0

2. Select Edit → Delete to remove the selected role record. If youattempt to delete a role which has been granted to another role,the Role Deletion window informs you that the deletion hasaffected another role.


Deleting a Role Record Using the Command LineUse the wodelrole command to drop roles from a profile using thecommand line. For a description, syntax, example, and othercommand information, see “wodelrole” on page 158.

Searching and Sorting the Role DatabaseYou can search the role database for a specific record or records.After finding the records, you can sort them by role or attribute.

To search the role database, complete the following steps from theDatabase Role Profile window.


6.M

anag

ing

Ro

les

1. Select View → Find from the Database Role Profile window.The Find Records dialog box is displayed.

2. From the Attributes list, select the attribute that you want tomodify.

3. To set the type of search that Tivoli performs, click thecomparison operator list and select one of the following: ExactMatch for records that equal a certain value; Contains forrecords that contain a certain value; Greater than for recordswhose value is greater than a certain value; or Less than forrecords whose value is less than a certain value.

4. Type the value for the search criteria in the text box next to thecomparison operator list. This box is case sensitive, so you musttype the criteria as they appear in the database.

104 Version 2.0


—OR—


—OR—


6. When the search is complete, you can refer to the DatabaseRole Profile window to verify that the appropriate records werefound. You can continue to search or click the Close button toclose the Find Records dialog box.

7. Notice that the records found in the Database Role Profilewindow are automatically selected. To display only those records,


6.M

anag

ing

Ro

les

click the Show Selected button.

8. To select the filtered records, click the Select All button.

Sorting by RoleYou can sort the records to select specific records to edit. When yousort the records in the role database, you can sort by roles or byattributes. When you sort by roles, the records can be sorted inascending or descending order.

To sort the database records by role, complete the following steps:

1. Select View → Sort → Roles from the Database Role Profilewindow.

2. The Sort Records dialog box is displayed with the Nameattribute preselected in the Record Label Field list. This list

106 Version 2.0

displays all attributes for the role and you can sort the records byName or select a different attribute as described in “Sorting byAttribute” on page 122. To select the order in which the recordsare sorted, select either the Ascending Sort or Descending Sortoption.

3. To begin the sort, click the Sort button. The sorted records aredisplayed in the Database Role Profile window. You canperform another sort if needed.

—OR—

Click the Sort & Close button to sort the records and close thedialog box. The newly sorted records are displayed in theDatabase Role Profile window.

Sorting by AttributeYou can also sort the database records by specific attributes. Whenyou sort by attributes, the roles are displayed with the selectedattributes prominently displayed.

To sort the database records by attribute, complete the followingsteps:

1. Select View → Sort → Attributes from the Database Role Profilewindow.


6.M

anag

ing

Ro

les

2. The Display Attributes dialog box is displayed so that you canselect the attributes by which to sort. All attributes that are in theAttributes Displayed list are sorted. The attributes in AttributesNot Displayed list are not sorted. Move the attributes to theappropriate list by clicking either the left or right arrow button.

3. To begin the sort, click the Sort button. The newly sortedrecords are displayed in the Database Role Profile window. Youcan perform another sort as needed.

—OR—

Click the Sort & Close button to sort the records and close thedialog box. The newly sorted records are displayed in theDatabase Role Profile window.

108 Version 2.0

Managing Resources

This chapter describes how to use Tivoli Manager for Oracle UserManagement to manage Oracle database resources. When managingresources, you can complete the following tasks:

¶ Adding resource records

¶ Editing resource records

¶ Editing multiple resource records

¶ Copying resource record

¶ Moving resource records

¶ Deleting resource records

Adding Resource RecordsResources are hardware components or processes of your computingsystem. Some examples of these are main storage, input/outputdevices, the processing unit, data sets, and control or processingprograms.

Resource records are added so that you can manage how eachresource is used. After a resource record has been added, you canassign the resource to a user or role.

The context and authorization role required for adding a resourcerecords is admin. You can perform this task from either the Tivolidesktop or the command line.

7


7.M

anag

ing

Reso

urces

Adding a Resource Record Using the DesktopResources are added through the Profile Manager window, which isaccessed from the Policy Region window.

To add a resource record, complete the following steps:

1. From the Policy Region window, double-click the profilemanager icon to display the Profile Manager window.

—OR—

Right-click the profile manager icon and choose Open to displaythe Profile Manager window.

110 Version 2.0

2. To display the Database Resource Profile window, double-clickthe Oracle Resource Profile icon where you want to addresources.

—OR—

Right-click the Oracle Resource Profile icon and choose EditProperties to display the Database Resource Profile window.

3. To add new resources to the profile click the Add button. Thisdisplays the Add Database Resource dialog box.

—OR—


7.M

anag

ing

Reso

urces

Select Edit → Add to display the Add Database Resource dialogbox.

The values defined by the default policies (see “Defining theDefault Policy” on page 17) determine how the Add DatabaseResource dialog box is displayed. Entry fields with defaultvalues are disabled.

4. In the Name text box, type the name of the new resource.

5. For each new resource that you create, you can set variousattributes that define the limits on how a resource is used. Thefollowing list defines the available attributes:

Composite LimitLimits the total resource cost for a session. See therelevant version of the Oracle Server SQL LanguageReference Manual for details of how this is calculated.

112 Version 2.0

Sessions Per UserLimits the number of concurrent sessions for a user.

CPU Per CallLimits the CPU time for a parse, execute, or fetchoperation. Expressed in hundredths of a second.

Logical Reads Per CallLimits the number of data blocks read for a parse,execute, or fetch operation. Expressed as a number ofblocks.

Idle TimeLimits the continuous inactive time for a session.Expressed in minutes.

CPU Per SessionLimits the CPU time for a session. Expressed inhundredths of a second.

Logical Reads Per SessionLimits the number of data blocks read (from disk andmemory) in a session. Expressed as a number of blocks.

Connect TimeLimits the elapsed time of a session. Expressed inminutes.

Private SGALimits the amount of private space a session can allocatein the shared pool. Expressed as a number of bytes.

To set a limit for an attribute, click the attribute name and selecteither Default to use the limit specified in the Oracle DEFAULTresource profile; Limited to enable users to enter a value for thisresource in the Value text box; or Unlimited to enable for anunlimited amount of this resource.

Note: Use the Reset button to return the screen to the valuesthat were present when the screen was originallydisplayed; however, if you click the Add button before theReset button, any new values that you entered are savedto the profile and cannot be reset.


7.M

anag

ing

Reso

urces

6. Click the Add button to add the resource. You can add otherresources as needed.

—OR—

Click the Add & Close button to add the resource and close thedialog box.


Setting and Clearing Default ValuesYou can set or clear the default policy assigned to the DatabaseResource Profile. When you set a default value for a new resourcerecord, the attributes that have a predefined default value areautomatically set to reflect that default value. In other words, thedefault values are added to the appropriate fields on the screen. Thisenables you to quickly define the attributes for each new resourcerecord.

When you clear the default values, the attributes that have defaultsassigned are cleared. You can then enter new values for the resource.

To set or clear default values, complete the following from the AddDatabase Resource dialog box:

¶ To add default values to the resource record, click the SetDefaults button. The default policies are added to each

114 Version 2.0

applicable field on the screen.

¶ To clear any default values and enable new values to be entered,click the Clear Defaults button.


Adding a Resource Record Using the Command LineUse the wocrtresource command to add a resource profile to aprofile from the command line. For a description, syntax, example,and other command information, see “wocrtresource” on page 146.


7.M

anag

ing

Reso

urces

Editing Resource RecordsYou can edit single or multiple resource records in a profile. Thissection describes how to edit a single resource record in a profile.

The context and authorization role required for editing resourcerecords is admin. You can perform this task from either the Tivolidesktop or the command line.

Editing a Resource Record Using the DesktopTo edit a resource record, complete the following steps:

1. From the Database Resource Profile window, select theresource record that you want to modify, and click the Editbutton. The Edit Database Resource dialog box is displayed.

—OR—

Select the resource, and select Edit → Edit to display the EditDatabase Resource dialog box.

116 Version 2.0

2. Modify the appropriate values (see “Adding Resource Records”on page 109 for details) and click the Change button to save thechanges.

—OR—

Click the Change & Close button to accept your modificationsand close the dialog box.

Note: Use the Reset button to return the screen to the valuesthat were present when the screen was originallydisplayed; however, if you click the Change button beforethe Reset button, any new values that you entered aresaved to the profile and cannot be reset.

Editing a Resource Record Using the Command LineUse the wosetresource command to edit information for a resourceprofile from the command line. For a description, syntax, example,and other command information, see “wosetresource” on page 179.


7.M

anag

ing

Reso

urces

Editing Multiple Resource RecordsYou can edit single or multiple resources in a profile. This sectiondescribes how to edit multiple resources in a profile. After you editthe records, you must distribute the profile to update the database.

The context and authorization role required for editing multipleresource records is admin. You can perform this task from either theTivoli desktop or the command line.

Editing Multiple Resource Records Using the DesktopThe following steps describe how to search, sort, and then editmultiple resource records using the desktop. To simplify resourcerecord maintenance, Tivoli provides resource search or sortfunctionality by specific attribute. You can search the resourcerecords by setting the criteria for a specific attribute. Tivoli displaysand select all records that meet that criteria then enable you to editall of the selected records simultaneously. You can also sort therecords by resource or attributes, so that you can select the recordsyou want to edit.

Searching the Resource DatabaseThese steps assume that the Database Resource Profile window isdisplayed.

To search the resource database for a specific attribute, complete thefollowing steps:

118 Version 2.0

1. Select View → Find from the Database Resource Profilewindow. The Find Records dialog box is displayed.

2. From the Attributes list, select the attribute that you want tomodify.

3. To set the type of search that Tivoli performs, click thecomparison operator list, and select one of the following: ExactMatch for those records that equal a certain value; Contains forthose records that contain a certain value; Greater than for thoserecords whose value is greater than a certain value; or Less thanfor those records whose value is less than a certain value.

4. Type the value for the search criteria in the text box next to thecomparison operator list. This box is case sensitive, so you musttype the criteria as it is displayed in the database.


7.M

anag

ing

Reso

urces


—OR—


—OR—


6. When the search is complete, you can refer to the DatabaseResource Profile window to verify the appropriate records werefound. You can continue to search, or click the Close button toclose the Find Records dialog box.

7. Notice that the records found in the Database Resource Profilewindow are automatically selected. If you want to display onlythose records, click the Show Selected button.

120 Version 2.0

8. To select the filtered records, click the Select All button. You cannow edit all of the records as described in “Editing the SelectedRecords” on page 123.

Sorting by ResourceYou can sort the records to enable you to easily select specificrecords to edit. When you sort the records in the resource database,you can sort by resource names or by attributes. When you sort byresource names, the records can be sorted in ascending ordescending order.

To sort the records by resource, complete the following steps:

1. Select View → Sort → Resource from the Database ResourceProfile window.

2. The Sort Records dialog box displays with the Name recordlabel field selected as shown below. You can sort the records byName or select an attribute as described in “Sorting by Attribute”on page 122. To select the order in which the records are sorted,

select either the Ascending Sort or Descending Sort option.

3. To begin the sort, click the Sort button. The sorted records aredisplayed in the Database Resource Profile window. You canperform another sort as needed.

—OR—

Click the Sort & Close button to sort the records and close thedialog box. The newly sorted records are displayed in theDatabase Resource Profile window. You can select the recordsand edit them as described in “Editing the Selected Records” onpage 123.


7.M

anag

ing

Reso

urces

Sorting by AttributeYou can also sort the database records by specific attributes. Whenyou sort by attributes, the resources are displayed with the selectedattributes prominently displayed. After you have sorted the records,you can review them to select the records you want to edit.

To sort the records by attribute, complete the following steps:

1. To sort the database records by attributes, select View → Sort →Attributes from the Database Resource Profile window.

2. The Display Attributes dialog box is displayed so that you canselect the attributes by which to sort. All attributes that are in theAttributes Displayed list are sorted. The attributes in AttributesNot Displayed list are not sorted. Move the attributes to theappropriate list by clicking either the left or right arrow button

3. You can also set the order in which the attribute columns aredisplayed. To set the order, select the attribute from theAttributes Displayed list and click the up or down arrow

122 Version 2.0

buttons to achieve the appropriate order.

4. To begin the sort, click the Sort button. The newly sortedrecords are displayed in the Database Resource Profile window.You can perform another sort if needed.

—OR—

Click the Sort & Close button to sort the records and close thedialog box. The newly sorted records are displayed in theDatabase Resource Profile window. Notice that only theselected attributes are displayed. You can select the records to beedited as described in “Editing the Selected Records” on page123.

Editing the Selected RecordsAfter you have found or sorted the records that you want to edit,select them and edit the attributes simultaneously. You select therecords from the Database Resource Profile window.

1. To select all records in the profile, click the Select All buttonfrom the Database Resource Profile window.

—OR—

To select specific records, click the record or press the Shift keywhile selecting the records to select multiple records (the Ctrlkey enables you to select non-contiguous records).

2. To edit multiple attributes for the selected records, click the Editbutton in the Database Resource Profile window. The Select


7.M

anag

ing

Reso

urces

Attributes to Edit dialog box is displayed enabling you to selectmultiple attributes.

—OR—

To edit a single attribute for the selected records, click thespecific attribute button to display the Edit Multiple DatabaseResources dialog box.

Note: The specific attribute buttons are also the column headersfor the database records in the Database Resource Profilewindow.

Tivoli displays the Edit Multiple Resource Profiles dialog box.Only those attributes that you selected are enabled so that you

124 Version 2.0

can modify them.

3. Modify the attribute as needed, and click the Change button tosave the changes. You can edit the attribute if needed.

—OR—

Click the Change & Close button to save the changes to theprofile and close the dialog box. Tivoli displays the modifiedrecords in the Database Resource Profile window.

Note: You can click the Cancel button to cancel any unsavedchanges and close the dialog box.



7.M

anag

ing

Reso

urces

Editing Multiple Resource Records Using theCommand Line

Use the wosetresources command to edit information for multipleresource profiles from the command line. For a description, syntax,example, and other command information, see “wosetresource” onpage 179.

Copying Resource RecordsCopying resource records enables you to add resource records to aprofile by copying them from another profile. However, you canonly copy user records from one profile manager to another and therecords cannot be located in the same profile manager.

The context and authorization role required for copying a resourcerecord is admin. You can perform this task from either the Tivolidesktop or the command line.

Copying a Resource Record Using the DesktopYou must select the record to be copied from the DatabaseResource Profile window. These steps assume that this window isalready displayed.

To copy a resource record, complete the following steps:

1. From the Database Resource Profile window, select thedatabase resource record that you want to copy to another profile

126 Version 2.0

(source).


3. From the Available Profile Managers list, select the profilemanager that contains the resource profile to which the recordswill be copied (target).

4. From the Available Profiles list, select the specific profile towhere the records will be copied.


7.M

anag

ing

Reso

urces


6. To copy the resource record to the selected profile, click theCopy button. You can copy other records as needed.

—OR—

Click the Copy & Close button to copy the record and close thedialog box.

Copying a Resource Record Using the Command LineUse the wocpresource command to copy resource records betweenprofiles from the command line. For a description, syntax, example,and other command information, see “wocpresource” on page 140.

Moving Resource RecordsIn addition to copying resource records, you can also move recordsfrom one resource profile to another.

The context and authorization role required for moving a resourcerecords is admin. You can perform this task from either the Tivolidesktop or the command line.

Moving a Resource Record Using the DesktopTo move a resource record, complete the following steps:

128 Version 2.0

1. From the Database Resource Profile window, select the recordyou want to move.


3. From the Available Profile Managers list, select the profilemanager that contains the profile where the record will bemoved. All available profiles for that profile manager, appear inthe Available Profiles list.

4. From the Available Profiles list, select the specific profile wherethe record will be moved.


7.M

anag

ing

Reso

urces

5. To move the resource record, click the Move button. You canmove other records.

—OR—

Click the Move & Close button. The record is moved from oneprofile to the target profile.

Moving a Resource Record Using the Command LineUse the womvresource command to move resource records fromone profile to another from the command line. For a description,syntax, example, and other command information, see“womvresource” on page 170.

Deleting Resource RecordsWhen you delete a resource record, you must remove the recordfrom the profile and then distribute the profile to the Oracledatabase. After it is distributed, it is removed from the Oracledatabase.

The context and authorization role required for deleting a resourcerecord is admin. You can perform this task from either the Tivolidesktop or the command line.

Deleting a Resource Record Using the DesktopTo delete a resource record, complete the following steps:

1. From the Database Resource Profile window, select theresource that you want to remove from the profile, and click theDelete button.

—OR—

130 Version 2.0

Select Edit → Delete to display the Delete Resource dialog box.

2. The Delete Resource dialog box prompts you with the followingmessage: Update User Profiles? Click the Yes button if youwant to remove the resource from all user profiles, or click theNo button if you want to remove the resource without updatingthe user profiles.


Deleting a Resource Using the Command LineUse the wodelresource command to drop resource records from aprofile from the command line. For a description, syntax, example,and other command information, see “wodelresource” on page 157.


7.M

anag

ing

Reso

urces

132 Version 2.0

Running Command LinePrograms

The Tivoli Manager for Oracle User Management product offersprograms that can be run from the command line instead of from theTivoli desktop.

Two types of commands can be used: Those that begin with a “w”are Tivoli Management Framework commands, and those that beginwith a “wo” are Tivoli Manager for Oracle User Managementcommands.

For information about Tivoli Management Framework commands,refer to the Tivoli Management Framework Reference Manual. TheTivoli Manager for Oracle User Management commands aredescribed in the following sections and in the UNIX online manualpages.

These commands were developed with a “wo” plus verb and objectsyntax, which matches the way you would think of the action.

A


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

Running Tivoli CommandsMost Tivoli commands are run within a shell on a managed node oron a Tivoli Management Region (TMR) server. A shell is acommand interpreter that enables the operating system to processcommands. You can run commands from a shell’s command line orinclude them in shell scripts on either UNIX or Windows NToperating systems.

Before running Tivoli commands, you must set the Tivolienvironment variables for the shell. The managed node or TMRserver installation process supplies the scripts to set the Tivolienvironment variables. The procedures to run these scripts aredescribed in “Setting the Tivoli Environment on UNIX” on page 136and “Setting the Tivoli Environment on Windows NT” on page 136.

You must also have the appropriate Tivoli authorization role forrunning each command. The Tivoli authorization role required forrunning a command is specified in the reference information for thecommand.

Running Tivoli Commands on UNIXShells are provided with UNIX operating systems. Tivoli commandscan run in the Bourne, Korn, C, and bash shells. The Bourne shell isconsidered the standard UNIX shell and is included with everyUNIX system. The Korn shell supports some features of the Bourneshell, plus it has extensions applicable only to the Korn shell. The Cshell is named as such because of its closeness to C programminglanguage syntax. The bash shell supports many features of the UNIXshells and can be used on both UNIX and Windows NT systems.

Running Tivoli Commands on Windows NTWhen you install a Windows NT managed node or Windows NTTMR server, the installation process copies the bash shell executablefile to the machine. The bash shell supports many UNIX commandsand UNIX command syntax; for example, the forward slash (/) forthe directory separator. The bash shell supports the features of theBourne shell, plus it has some extensions applicable only to the bashshell.

134 Version 2.0

Where to Find Additional Information about ShellsThe following lists include resources where you can find additionalinformation about the various shells. These resources were availableat the time the lists were created. The lists do not show all of thematerial that is available, and Tivoli does not provide opinions orrecommendations about any of these resources.

UNIX shells:

¶ UNIX in a Nutshell: A Desktop Quick Reference for System VRelease 4 and Solaris 7 (O’Reilly Nutshell handbook) by ArnoldRobbins. ISBN: 1-56592-427-4.

¶ Portable Shell Programming: An Extensive Collection of BourneShell Examples by Bruce Blinn. ISBN: 0-13-451494-7.

¶ Learning the Korn Shell (O’Reilly Nutshell handbook) by BillRosenblatt and Mike Loukides. ISBN: 1-56592-054-6.

¶ UNIX C Shell Desk Reference by Martin Arick. ISBN:0-47-155680-7.

Bash shell:

¶ Learning the bash Shell (O’Reilly Nutshell handbook) byCameron Newham and Bill Rosenblatt. ISBN: 1-56592-347-2.

¶ A Brief Introduction to the bash Shell by Jane Anna Langley.http://www.cs.ups.edu/acl/unix_talk/bash.html

¶ Bash FAQ (GNU documentation).http://www.delorie.com/gnu/docs/bash/FAQ

¶ Bash Reference Manual (GNU documentation).http://www.gnu.org/manual/bash/index.html

¶ bash command reference information (GNU documentation).http://www.delorie.com/gnu/docs/bash/bash.1.html

Establishing the Tivoli Environment within a ShellWhen you install a managed node or TMR server, the installationprocess supplies shell setup scripts. You use these scripts to set theenvironment variables needed for running Tivoli commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

Setting the Tivoli Environment on UNIXPerform the following steps to set the Tivoli environment within aUNIX shell:

1. Log in to a UNIX managed node or TMR server.

2. Run the appropriate setup script for the shell.

For the Bourne, Korn, or bash shell, run the following command:. /etc/Tivoli/setup_env.sh

For the C shell, run the following command:source /etc/Tivoli/setup_env.csh

Setting the Tivoli Environment on Windows NTPerform the following steps to set the Tivoli environment and start abash shell on Windows NT.

Note: The location of the setup scripts in the following stepsassumes that the default port number of 94 was set for theobject dispatcher during the installation of a managed node orTMR server. If a nondefault port number is used, the portnumber is part of the Tivoli subdirectory name. For example,if port 8613 is used, the setup_env.cmd command is locatedin the %SystemRoot%\system32\drivers\etc\Tivoli-8613directory.

1. Log in to a Windows NT managed node or TMR server.

2. Open a command window.

3. Run the following command in the command window to setTivoli environment variables:%SystemRoot%\system32\drivers\etc\Tivoli\setup_env.cmd

4. Run either of the following commands in the command windowto start the bash shell:sh

—OR—bash

136 Version 2.0

Tivoli Command SyntaxThe following special characters define Tivoli command syntax:

[ ] Identifies elements that are optional. Those not enclosed inbrackets are required

... Indicates that you can specify multiple values for theprevious element. Separate multiple values by a space, unlessotherwise directed by a command’s information.

If the ellipsis for an element follows a closing bracket, usethe syntax within the brackets to specify multiple values. Forexample, to specify two administrators for the option [–aadmin]..., use –a admin1 –a admin2.

If the ellipses for an element is within the brackets, use thesyntax of the last element to specify multiple values. Forexample, to specify two hosts for the option [–h host...], use–h host host2.

| Indicates mutually exclusive information. You can use theelement on either the left or right of the vertical bar.

′{ }′ Delimits a set of mutually exclusive elements when one ofthem is required. If the elements are optional, they areenclosed in brackets ([ ]).

In addition to the special characters, the typeface conventionsdescribed in the Preface are used.

Following are two examples:

¶ wcrtpr [–a admin] ... [–s region] [–m resource] ... name

The name argument is the only required element for the wcrtprcommand. The brackets around the options indicate that they areoptional. The ellipsis after the –a admin and –m resourceoptions indicate that you can use those options multiple times tospecify multiple administrators and resources, respectively.

¶ wchkdb [–o outfile] [–u] [–x] ′{–f infile | –i | object ...}′


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

The –f, –i, and object elements are mutually exclusive. Thebraces surrounding them indicate that one of these elements isrequired. If you specify the object argument, you can specifymore than one object.

List of CommandsThe following table lists command names, purpose statements, andrequired roles:

Command Purpose Required Role

wocpresource Copies Oracle resource recordsbetween profiles

admin

wocprole Copies Oracle role records betweenprofiles

admin

wocpuser Copies Oracle user records betweenprofiles

admin

wocrtresource Creates a new Oracle resource record admin

wocrtrole Creates a new Oracle role record admin

wocrtuser Creates a new Oracle user record admin

wocryptpw Encrypts or decrypts Tivoli encodedpasswords

ESMPassword,DecryptRole

wodelresource Deletes Oracle resource records admin

wodelrole Deletes Oracle role records admin

wodeluser Deletes Oracle user records admin

wogetresource Lists information about an existingOracle resource

user

wogetrole Lists information about an existingOracle role

user

wogetuser Lists information about an existingOracle user

user

wolsresources Lists the Oracle resources in aprofile

user

wolsroles Lists the Oracle roles in a profile user

wolsusers Lists the Oracle users in a profile user

138 Version 2.0

Command Purpose Required Role

womvresource Moves Oracle resources from oneprofile to another

admin

womvrole Moves Oracle roles from one profileto another

admin

womvuser Moves Oracle users from one profileto another

admin

wopopresources Populates a resource profile from anOracleDatabaseManager resource

admin,oracle_user

wopoproles Populates a role profile from anOracleDatabaseManager resource

admin,oracle_user

wopopusers Populates a user profile from anOracleDatabaseManager resource

admin,oracle_user

wosetresource Modifies the attributes of an Oracleresource record

admin,oracle_user

wosetresources Modifies the attributes of multipleOracle resource records

admin

wosetrole Modifies the attributes of an Oraclerole record

admin

wosetroles Modifies the attributes of multipleOracle role records

admin

wosetuser Modify the attributes of an Oracleuser record

admin

wosetusers Modifies the attributes of multipleOracle user records

admin

wocprole Copies Oracle role records betweenprofiles

admin


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocpresource

DescriptionCopies Oracle resource records between profiles, provided they arein different profile managers.

Authorization Roleadmin

CLI Syntaxwocpresource source destination [resource_name ...]

where:

source Specifies the profile from which the resource recordsare copied.

destination Specifies the profile to which the resource recordsare copied.

resource name Specifies a resource name in the resource profile.This argument can be specified multiple times.

CLI ExampleThe following command example copies a resource record from oneprofile to another.wocpresource NorthAmerica International EpsonLP1

where:

NorthAmerica Identifies the profile from which to copy theresource record.

InternationalIdentifies the profile to which to copy the resourcerecord.

EpsonLP1 Identifies the resource record to copy.

Usage NotesThe wocpresourcecommand copies one or more resource recordsspecified in the resource_name argument from the source profile to

140 Version 2.0

the destination profile. If resource_name is not specified, all resourcerecords from the source profile are copied to the destination profile.The source and destination profiles must be in different profilemanagers.

See AlsoThe wodelresource and womvresource commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocprole

DescriptionCopies Oracle role records between profiles, provided they are indifferent profile managers.


CLI Syntaxwocprole source_profile destination_profile [role_name ...]

where:

source_profile Specifies the profile from which the role records arecopied.

destination_profileSpecifies the profile to which the role records arecopied.

role_name Specifies a role name in the role profile. Thisargument can be specified multiple times.

CLI ExampleThe following command example copies a role record from oneprofile to another.wocprole accounting human_resource PAYROLL

where:

accounting Identifies the profile from which to copy the rolerecord.

human_resourceIdentifies the profile to which the role record iscopied.

PAYROLL Identifies the role record to copy.

142 Version 2.0

Usage NotesThe wocprole command copies one or more role records specified inthe role_name argument from the profile specified in thesource_profile argument to the profile specified in thedestination_profile argument. If role_name is not specified, all rolerecords from the source profile are copied to the destination profile.The source and destination profiles must be in different profilemanagers.

See AlsoThe wodelrole and womvrole commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocpuser

DescriptionCopies Oracle user records between profiles, provided they are indifferent profile managers.


CLI Syntaxwocpuser source_profile destination_profile [user_name ...]

where:

source_profile Specifies the profile from which the user records arecopied.

destination_profileSpecifies the profile to which the user records arecopied.

user_name Specifies a user name in the user profile. Thisargument can be specified multiple times.

CLI ExampleThe following command example copies a user record from oneprofile to another.wocpuser accounting human_resource R_LYNCH

where:

accounting Identifies the profile from which to copy the userrecord.

human_resourceIdentifies the profile to which the user record iscopied.

R_LYNCH Identifies the user record to copy.

144 Version 2.0

Usage NotesThe wocpuser command copies one or more user records specifiedin the user_name argument from the profile specified in thesource_profile argument to the profile specified in thedestination_profile argument. If user_name is not specified, all userrecords from the source profile are copied to the destination profile.The source and destination profiles must be in different profilemanagers.

See AlsoThe wodeluser and womvuser commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocrtresource

DescriptionCreates a new Oracle resource record.


CLI Syntax

wocrtresource[–c ′{type value}′][–C ′{type value}′][–i ′{type value}′][–l ′{type value}′][–p ′{type value}′][–r ′{type value}′][–R ′{type value}′][–s ′{type value}′][–t ′{type value}′][[–x attr_name attr_value] ... ]profile_name resource_name

where:

–x attr_name attr_valueSets the value of the attribute attr_name (addedusing Tivoli/AEF) to attr_value. This option may berepeated.

profile_name Specifies the name of the profile in which to createthe resource record.

resource_nameSpecifies the resource name.

The remaining options are all followed by an argument of the form′{type value}′, where type is one of DEFAULT, LIMITED, orUNLIMITED, and value is the numerical value to be assigned.

–c CPU per call

146 Version 2.0

–C CPU per session

–i Idle time

–l Composite limit

–p Private SGA

–r Logical reads per call

–R Logical reads per session

–s Sessions per user

–t Connect time

CLI Examplewocrtresource -c '{DEFAULT 0}' -c '{LIMITED 69}'-i '{UNLIMITED 0}' -l '{DEFAULT 0}' -p '{LIMITED 9600}'-r '{UNLIMITED 0}' -R '{DEFAULT 0}' -s '{LIMITED 69}'-t '{UNLIMITED 0}' oracle_resources misc_res

where:

-c '{DEFAULT 0}'Specifies the default CPU per call.

-c '{LIMITED 69}'Specifies a limit of 69 for CPU per session.

-i '{UNLIMITED 0}'Specifies unlimited idle time.

-l '{DEFAULT 0}'Specifies the default composite limit.

-p '{LIMITED 9600}'Specifies a limit of 9600 for SGA size.

-r '{UNLIMITED 0}'Specifies an unlimited number of reads per call.

-R '{DEFAULT 0}'Specifies a default number of logical reads persession.

-s '{LIMITED 69}'Specifies a limit of 69 sessions per user.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

-t '{UNLIMITED 0}'Specifies an unlimited connect time.

oracle_resourcesIdentifies the profile in which to create the resource.

misc_res Provides the name of the resource to create.

Usage NotesThe wocrtresource command creates a new resource specified bythe resource_name argument in the Oracle resource profile specifiedby the profile_name argument. Any attributes not explicitly specifiedon the command line are generated from the resource default record.If an attribute is neither specified on the command line nor defaultedby the profile, an error is generated and the resource record is notcreated. All attributes are validated against the profile validationpolicy.

See AlsoThe wosetresource, wodelresource, and wogetresource commands.

148 Version 2.0

wocrtrole

DescriptionCreates a new Oracle role record.


CLI Syntax

wocrtrole[–a NONE | OS | PASSWORD][–p password][–R assigned_roles][–S system_privileges][[–x attr_name attr_value] ...]profile_name role_name

where:

–a NONE Selects no authentication.

–a OS Selects OS authentication.

–a PASSWORDSelects password authentication.

–p password Specifies a password.

–R assigned rolesSpecifies the assigned roles of this role, whereassigned_roles is a string representation of asequence of the form:

′{count [{role_name is_grantable is_default}] ... }′

where count is the number of assigned roles,role_name is the double-quoted role name, andis_grantable and is_default can take the value TRUEor FALSE.

For example:'{2 {"payroll" FALSE FALSE}{"payables" FALSE TRUE}}'


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

–S system_privilegesSpecifies the role’s system privileges, wheresystem_privileges is a string representation of asequence of the form:

′{count [{privilege is_grantable}] ... }′

where count is the number of privileges, privilege isthe double-quoted privilege name, and is_grantabletakes the value TRUE or FALSE.

For example:'{2 {"updatesalary" FALSE}{"createsalary" FALSE}}'

–x attr_name attr_valueSets the value of the attribute attr_name (addedusing Tivoli/AEF) to attr_value.

profile_name Specifies the name of the profile in which to createthe role record.

role_name Specifies the role name.

CLI Examplewocrtrole -a PASSWORD -p new_role1 -R '{2 {"payroll" FALSE FALSE}{"payables" FALSE TRUE}}' -S '{2 {"updatesalary" FALSE}{"createsalary" FALSE}}' oracle_roles new_role

where:

-a PASSWORD Specifies that the role is password authenticated.

-p new_role1 Identifies the password for the role as “new_role1.”

-R '{2 {"payroll" FALSE FALSE} {"payables" FALSE TRUE}}'Specifies that the new role has two assigned roles:payroll, which is not grantable and is not thedefault, and payables, which is not grantable, but isthe default.

-S '{2 {"updatesalary" FALSE} {"createsalary" FALSE}}'Specifies that the new role has two systemprivileges: updatesalary and createsalary,neither of which is grantable.

150 Version 2.0

oracle_roles Identifies the profile in which to create the role.

new_role Provides the name of the new role.

Usage NotesThe wocrtrole command creates a new role specified by therole_name argument in the Oracle role profile specified by theprofile_name argument. Any attributes not explicitly specified on thecommand line are generated from the role default record. If anattribute is neither specified on the command line nor defaulted bythe profile, an error is generated and the role record is not created.All attributes are validated against the profile validation policy.

See AlsoThe wosetrole, wodelrole, and wogetrole commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocrtuser

DescriptionCreates a new Oracle user record.


CLI Syntax

wocrtuser[–a TRUE | FALSE][–o TRUE | FALSE][–p password][–d default_tablespace][–t temporary_tablespace][–R roles][–S system_privileges][–O object_privileges][–Q quotas][–r resource_profile][[–x attr_name attr_value] ... ]profile_name user_name

where:

–a TRUE Selects OS authentication.

–a FALSE Selects database authentication.

–o TRUE Allows the Oracle user to change the password

–o FALSE Disallows the Oracle user from changing thepassword


–d default_tablespaceSpecifies a default tablespace.

–t temporary_tablespaceSpecifies a temporary tablespace

152 Version 2.0

–R roles Specifies the user’s roles, where roles is a stringrepresentation of a sequence of the form:


where count is the number of roles, role_name is thedouble-quoted role name, and is_grantable andis_default can take the value TRUE or FALSE.

For example:'{2 {"payroll" TRUE FALSE}{"payables" FALSE TRUE}}'

–S system_privilegesSpecifies the user’s system privileges, wheresystem_privileges is a string representation of asequence of the form:



For example:'{2 {"updatesalary" FALSE}{"createsalary" TRUE}}'

–O object_privilegesSpecifies the user’s object privileges, whereobject_privileges is a string representation of asequence of the form:

′{priv_count [{grantee privilege {col_count [column]... } schema object is_grantable}] ... }

where priv_count is the number of privileges,grantee is the name of the user receiving thisprivilege, privilege is the privilege name, col_countis the number of columns this applies to, column is acolumn name, schema is the schema name of thedatabase, object is the object name, and is_grantablecan take the value TRUE or FALSE. The names areall double quoted.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

For example:'{1 {"R_LYNCH" "update" {1 "Salary"}"Acctg1" "GrossPay" FALSE}}

–Q quotas Specifies the user’s quotas, where quotas is a stringrepresentation of a sequence of the form:

′{count [{tablespace is_limited limit_value}] ... }′

where count is the number of quotas, tablespace isthe double-quoted tablespace name, is_limited cantake the value TRUE or FALSE, and limit_value isthe numerical value of the limit.

For example:'{2 {"Acctg_01" FALSE 0}{"Acctg_02" TRUE 5}}

–r resource_profileSpecifies a resource profile.


profile_name Specifies the name of the profile in which to createthe user record.

user_name Specifies the user’s name

CLI Examplewocrtuser -a FALSE -o TRUE -p rsmith -r default -d SYSTEM-t TEMP -R '{2 {"payroll" TRUE FALSE} {"payables" FALSE TRUE}}'-S '{2 {"updatesalary" FALSE} {"createsalary" TRUE}}'-O '{1 {"R_LYNCH" "Updage" {1 "Salary"} "GrossPay" "Acctg1" FALSE}}'-Q '{2 {"TEMP" FALSE 0} {"USER" TRUE 50000}}' oracle_users r_lynch

where:

-a FALSE Specifies that the user is not OS authorized

-o TRUE Specifies that the user can change the password

-p rsmith Identifies the password as “rsmith”

-r default Specifies that the resource profile is the “default

154 Version 2.0

-d SYSTEM Identifies the default tablespace as “SYSTEM”

-t TEMP Identifies the temporary tablespace as “TEMP”

-R '{2 {"payroll" TRUE FALSE} {"payables" FALSE TRUE}}Specifies that the user has two roles: payroll, whichis grantable but not the default, and payables, whichis not grantable but is the default.

-S '{2 {"updatesalary" FALSE} {"createsalary" TRUE}}'Specifies that the user has two system privileges:updatesalary, which is not grantable, andcreatesalary, which is grantable.

-O '{1 {"R_LYNCH" "update" {1 "Salary"} "GrossPay""Acctg1" FALSE}}'

Specifies that the user has one object privilege. Inthis case, a user called R_LYNCH receives the updateprivilege on column Salary for the objectGrossPay.Acctg1. This privilege is not grantable.

-Q '{2 {"TEMP" FALSE 0} {"USER" TRUE 50000}}'Specifies that the user has two tablespace quotas. Intablespace TEMP, the user can allocate unlimitedspace. In tablespace USER, the user can allocate up to50000 bytes.

oracle_users Identifies the profile in which to create the new user.

r_lynch Provides the name of the new user.

Usage NotesThe wocrtuser command creates a new Oracle user specified by theuser_name argument in the Oracle user profile specified by theprofile_name argument. Any attributes not explicitly specified on thecommand line are generated from the user default record. If anattribute is neither specified on the command line nor defaulted bythe profile, an error is generated and the user record is not created.All attributes are validated against the profile validation policy.

See AlsoThe wosetuser, wodeluser, and wogetuser commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wocryptpw

DescriptionEncrypts or decrypts Tivoli encoded passwords. (For Tivoli internaluse only.

Authorization RoleESMPasswordDecryptRole

CLI Syntaxwocryptpw [–d] [–e] password

where:

–d Decrypts a password.

–e Encrypts a password.

password Identifies the password to be encrypted or decrypted.

CLI ExampleThe following command examples encrypt and decrypt a password:wocryptpw -d katie

wocryptpw -e abcdefg123456789

Usage NotesThis command is provided to allow validation of password fields andis available to be run only from within validation policy scripts.

See AlsoNone

156 Version 2.0

wodelresource

DescriptionDeletes Oracle resource records.


CLI Syntaxwodelresource [–u] profile_name resource_name ...

where:

–u Finds occurrences of this resource in User Profilesand changes them to DEFAULT.

profile_name Specifies the name of the profile from which todelete the records.

resource_nameSpecifies resource names of the records to delete.This argument can be specified multiple times.

CLI ExampleThe following command example deletes two resource records:wodelresource accounting CPARKER BTURNER

where:

accounting Identifies the profile from which to delete theresource record.

CPARKER and BTURNERIdentify the names of the resource records to delete.

Usage NotesThe wodelresource command deletes the resource or resourcesspecified in the resource_name argument from the profile specifiedin the profile_name argument

ContextThe wocrtresource command.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wodelrole

DescriptionDeletes Oracle role records.


CLI Syntaxwodelrole profile_name role_name ...

where:


role_name Specifies role names of the records to delete. Thisargument can be specified multiple times.

CLI ExampleThe following command example deletes two role records:wodelrole humanresource LSMITH RPOSSO

where:

humanresourceIdentifies the profile from which to delete the rolerecord.

LSMITH RPOSSOIdentifies the names of the role records to delete.

Usage NotesThe wodelrole command deletes the role or roles specified in therole_name argument from the profile specified in the profile_nameargument.

See AlsoThe wocrtrole command.

158 Version 2.0

wodeluser

DescriptionDeletes Oracle user records.


CLI Syntaxwodeluser profile_name user_name ...

where:


user_name Specifies user names of the records to delete. Thisargument can be specified multiple times.

CLI ExampleThe following command example deletes a user record:wodeluser accounting LJOHNSON

where:

accounting Identifies the profile from which to delete the userrecord

LJOHNSON Identifies the user record to delete.

Usage NotesThe wodeluser command deletes the user or users specified in theuser_name argument from the profile specified in the profile_nameargument.

See AlsoThe wocrtuser command.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wogetresource

DescriptionLists information about an existing Oracle resource.

Authorization Roleuser

CLI Syntaxwogetresource [–c] [–C] [–i] [–l] [–p] [–r] [–R] [–s] [–t] [–x]profile_name resource_name

where:

–c Returns the CPU per call

–C Returns the CPU per session

–i Returns the idle time

–l Returns the composite limit

–p Returns the private SGA

–r Returns the number of logical reads per call

–R Returns the number of logical reads per session

–s Returns the number of sessions per user

–t Returns the connect time

–x Lists the role’s AEF attributes, detailing for each onethe attribute name and value.



If no options are specified, the command behaves as if all optionswere specified.

160 Version 2.0

CLI Examplewogetresource northamerica_mktg ab3print_ibm

Database Resource Details:Resource Name: AB3PRINT_IBMCPU Per Call: DefaultCPU Per Session: 69Idle Time: UnlimitedComposite Limit: DefaultPrivate SGA: 96Logical Reads Per Call: UnlimitedLogical Reads Per Session: DefaultSessions Per User: 69Connect Time: Unlimited

AEF attributes:None.

Usage NotesThe wogetresource command lists information about the existingresource specified in the resource_name argument from the profilespecified in the profile_name argument.

See AlsoThe wocrtresource, wosetresource, and wosetresources commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wogetrole

DescriptionLists information about an existing Oracle role.


CLI Syntaxwogetrole [–a] [–p] [–R] [–S] [–x] profile role_name

where:

–a Returns the authentication type.

–p Returns the password.

–R Lists the role’s assigned roles, detailing for each onethe role name, whether it is a grantable role, andwhether it is a default role.

–S Lists the role’s system privileges, detailing for eachone the name and whether it is grantable.

–x Lists the role’s AEF attributes, detailing for each onethe attribute name and value.

profile Specifies the name of the profile.

role_name Specifies the name of the Oracle role.


CLI ExampleThe following command example lists all of a role record’sattributes:wogetrole NorthAmerica payroll

Database Role Details:Role Name: RECEIVABLE_1Authentication: PASSWORDPassword: _FjKlU0RbtXe003V1cGM31C

162 Version 2.0

Assigned Roles:PAYROLL:

Grant Option: NoDefault Role: No

PAYABLES:Grant Option: NoDefault Role: Yes

System Privileges:updatesalary:

Grant Option: Nocreatesalary:

Grant Option: No


Usage NotesThe wogetrole command lists information about the existing rolespecified in the role_name argument from the profile specified in theprofile argument.

See AlsoThe wocrtrole, wosetrole, and wosetroles commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wogetuser

DescriptionLists information about an existing Oracle user.


CLI Syntaxwogetuser [–a] [–o] [–p] [–r] [–d] [–t] [–R] [–S] [–O] [–Q] [–x]profile user_name

where:

–a Returns the authentication type

–o Indicates whether the Oracle user has control of thepassword.

–p Returns the password.

–r Returns the resource profile name.

–d Returns the default tablespace name.

–t Returns the temporary tablespace name.

–R Lists the user’s roles, detailing for each one the rolename, whether it is a grantable role, and whether itis a default role.

–S Lists the user’s system privileges, detailing for eachone the name and whether it is grantable.

–O Lists the user’s object privileges, detailing for eachone the grantee, the privilege name, the schemaname, the object name, whether it is grantable, and alist of columns to which it applies.

–Q Lists the user’s quotas, detailing for each one thetablespace name and the size, which is eitherunlimited or a numerical value in bytes.

–x Lists the user’s AEF attributes, detailing for each onethe attribute name and value.

164 Version 2.0

profile Specifies the name of the profile.

user_name Specifies the name of the Oracle user.


CLI ExampleThe following example lists all of a user record’s attributes:wogetuser NorthAmerica jw_smith

Database User Details:User Name: JW_SMITHAuthentication: DatabaseCan the Oracle user change password: YesPassword: _FzAfzYXYJFAY4HbTCResource Profile: DEFAULTTemporary Tablespace: TEMPDefault Tablespace: SYSTEM

Roles:PAYROLL:

Grant Option: YesDefault Role: No

RECEIVABLES:Grant Option: NoDefault Role: Yes

System Privileges:createsalary:

Grant Option: Noupdatesalary:

Grant Option: Yes

Object Privileges:Update:

Schema: Acctg1Object: GrossPayGrantee: r_lynchGrant Option: NoColumn: Salary

Quotas:None.



A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

Usage NotesThe wogetuser command lists information about the existing userspecified in the user_name argument from the profile specified in theprofile argument

See AlsoThe wocrtuser, wosetuser, and wosetusers commands.

166 Version 2.0

wolsresources

DescriptionLists the Oracle resources in a profile.


CLI Syntaxwolsresources profile

where profile specifies the name of the resource profile whosemembers to list.

CLI ExampleThe following example lists all the resources in a profile:wolsresources NorthAmerica

which returns:SMITHLYNCHBROWNDAVISBAKERMORGANDORHAMFARMERHUBBARD

Usage NotesThe wolsresources command lists the names of the resources thatare members of the 0racle resource profile specified in the profileargument.

See AlsoThe wogetresource command.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wolsroles

DescriptionLists the Oracle roles in a profile.


CLI Syntaxwolsroles profile

where profile specifies the name of the resource profile whosemembers to list.

CLI ExampleThe following example lists all the roles in a profile:wolsroles NorthAmerica

which returns:PAYROLLPAYABLESRECEIVABLESINVOICECREDIT

Usage NotesThe wolsroles command lists the names of the roles that aremembers of the Oracle role profile specified in the profile argument.

See AlsoThe wogetrole command.

168 Version 2.0

wolsusers

DescriptionLists the Oracle users in a profile.


CLI Syntaxwolsusers profile

where profile specifies the name of the user profile whose membersto list.

CLI ExampleThe following command example lists all the users in a profile:wolsusers NorthAmerica_Mktg

which returns:HAWKINSWEBSTERYOUNGGORDONCOLTRANEROLLINSSHORTERHENDERSONSHEPPARDWELLINSRAMIREZ

Usage NotesThe wolsusers command lists the names of the users that aremembers of the Oracle user profile specified in the profile argument.

See AlsoThe wogetuser command.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

womvresource

DescriptionMove Oracle resources from one profile to another.


CLI Syntaxwomvresource source destination [resource_name...]

where:

source Specifies the profile from which the resource recordsare moved.

destination Specifies the profile to which the resource recordsare moved.

resource_nameSpecifies the resource name of the record to move.This argument can be specified multiple times

CLI ExampleThe following command example moves a resource record from oneprofile to another:womvresource NorthAmerica International jw_smith

where:

NorthAmerica Identifies the profile from which to move theresource record.

InternationalIdentifies the profile to which the resource record ismoved.

jw_smith Identifies the resource record to move.

Usage NotesThe womvresource command moves one or more resourcesidentified by the resource_name argument from the profile specified

170 Version 2.0

in the source argument to the profile specified in the destinationargument. If resource_name is not specified, all resources in theprofile are moved.

See AlsoThe wocpresource and wolsresources commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

womvrole

DescriptionMoves Oracle roles from one profile to another.


CLI Syntaxwomvrole source_profile destination_profile [role_name...]

where:

source_profile Specifies the profile from which the role records aremoved.

destination_profileSpecifies the profile to which the role records aremoved.

role_name Specifies the role name of the record to move. Thisargument can be specified multiple times.

CLI ExampleThe following command example moves a role record from oneprofile to another:womvrole NorthAmerica International payroll

where:

NorthAmerica Identifies the profile from which to move the rolerecord.

InternationalIdentifies the profile to which the role record ismoved.

payroll Identifies the role record to move.

Usage NotesThe womvrole command moves one or more roles identified by therole_name argument from the profile specified in the source_profile

172 Version 2.0

argument to the profile specified in the destination_profile argument.If role_name is not specified, all roles in the profile are moved.

See AlsoThe wocprole and wolsroles commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

womvuser

DescriptionMoves Oracle users from one profile to another.


CLI Syntaxwomvuser source_profile destination_profile [user_name...]

where:

source_profile Specifies the profile from which the user records aremoved.

destination_profileSpecifies the profile to which the user records aremoved

user_name Specifies the user name of the record to move. Thisargument can be specified multiple times.

CLI ExampleThe following command example moves a user record from oneprofile to another:womvuser International NorthAmerica r_lynch

where:

internationalIdentifies the profile from which to move the userrecord.

NorthAmerica Identifies the profile to which the user record ismoved.

r_lynch Identifies the user record to move

Usage NotesThe womvuser command moves one or more users identified by theuser_name argument from the profile specified in the source_profile

174 Version 2.0

argument to the profile specified in the destination_profile argument.If user_name is not specified, all users in the profile are moved.

See AlsoThe wocpuser and wolsusers commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wopopresources

DescriptionPopulates a resource profile from an OracleDatabaseManagerresource.

Authorization Roleadmin and oracle_user

CLI Syntaxwopopresources [–m | –o] database_name profile_name

where:

–m An entry that exists on a database_name andprofile_name is not updated, but any other entries ondatabase_name are appended to profile_name.

–o Any entry in database_name is written intoprofile_name. An attempt to add an existing recordwill result in the old record being overwritten.

database_nameSpecifies the database name.

profile_name Identifies the resource profile to populate.

CLI Examplewopopresources -o orcl@hyde oracle_resources

Usage NotesThe wopopresources command populates theOracleResourceManagerProfile profile_name from theOracleDatabaseManager database_name. Existing entries inprofile_name can either be appended to or overwritten depending onthe options specified.

See AlsoThe wopoproles and wopopusers commands.

176 Version 2.0

wopoproles

DescriptionPopulates a role profile from an OracleDatabaseManager resource.


CLI Syntaxwopoproles [–m | –o] database_name profile_name

where:

–m An entry that exists on database_name andprofile_name is not updated, but any other entries ondatabase_name are appended to profile_name.



profile_name Identifies the user profile to populate.

CLI Examplewopoproles -o orcl@hyde oracle_users

Usage NotesThe wopoproles command populates the OracleRoleManagerProfileprofile_name from the OracleDatabaseManager database_name.Existing entries in profile_name can either be appended to, oroverwritten, depending on the options specified.

See AlsoThe wopoproles and wopopresources commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wopopusers

DescriptionPopulates a user profile from an OracleDatabaseManager resource.


CLI Syntaxwopopusers [–m | –o] database_name profile_name

where:

–m An entry that exists on database_name andprofile_name is not updated, but any other entries ondatabase_name are appended to profile_name.



profile_name Identifies the user profile to populate.

CLI Examplewopopusers -o orcl@hyde oracle_users

Usage NotesThe wopopusers command populates the OracleUserManagerProfileprofile_name from the OracleDatabaseManager database_name.Existing entries in profile_name can either be appended to oroverwritten depending on the options specified.

See AlsoThe wopoproles and wopopresources commands.

178 Version 2.0

wosetresource

DescriptionModifies the attributes of an Oracle resource record.


CLI Syntax

wosetresource[–c ′{type value}′][–C ′{type value}′][–i ′{type value}′][–l ′{type value}′][–p ′{type value}′][–r ′{type value}′][–R ′{type value}′][–s ′{type value}′][–t ′{type value}′][[–x attr_name attr_value] ... ]profile_name resource_name

where:

–x attr_name attr_valueSets the value of the attribute attr_name (addedusing Tivoli/AEF) to attr_value. This option can berepeated.



The remaining options are all followed by an argument of the form:

′{type value}′


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

where type is one of DEFAULT, LIMITED, or UNLIMITED, andvalue is the numerical value to be assigned.

–c CPU per call


–i Idle time


–p Private SGA




–t Connect time

CLI Examplewosetresources -c '{UNLIMITED 0}' oracle_resources misc_res misc_res2

Usage NotesThe wosetresources command modifies the attributes of the existingOracle resources identified by the resource_name argument, in theOracle resource profile specified by the profile_name argument. Allattributes are validated against the profile validation policy.


180 Version 2.0

wosetresources

DescriptionModifies the attributes of multiple Oracle resource records.


CLI Syntax

wosetresources[–c ′{type value}′][–C ′{type value}′][–i ′{type value}′][–l ′{type value}′][–p ′{type value}′][–r ′{type value}′][–R ′{type value}′][–s ′{type value}′][–t ′{type value}′][[–x attr_name attr_value] ... ]profile_name resource_name ...

where:

–x attr_name attr_valueSets the value of the attribute attr_name (addedusing Tivoli/AEF) to attr_value. This option may berepeated.

profile_name Specifies the name of the profile in which to find theresource records.

resource_nameSpecifies a resource name. This argument can berepeated.

The remaining options are all followed by an argument of the form:

′{type value}′


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

where type is one of DEFAULT, LIMITED, or UNLIMITED, andvalue is the numerical value to be assigned.

–c CPU per call


–i Idle time


–p Private SGA




–t Connect time

CLI Examplewosetresources -c '{UNLIMITED 0}' oracle_resources misc_res misc_res2

Usage NotesThe wosetresources command modifies the attributes of the existingOracle resources identified by the resource_name argument, in theOracle resource profile specified by the profile_name argument. Allattributes are validated against the profile validation policy.


182 Version 2.0

wosetrole

DescriptionModifies the attributes of an Oracle role record.


CLI Syntax

wosetrole[–a NONE | OS | PASSWORD][–R assigned_roles][–p password][–S system_privileges][–n new_role_name][[–x attr_name attr_value] ... ]profile_name role_name

where:




–R assigned_rolesSpecifies the assigned roles of this role, whereassigned_roles is a string representation of asequence of the form:



For example:'{2 {"payroll" TRUE TRUE}{"payables" TRUE FALSE}}'


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams


–S system_privilegesSpecifies the role’s system privileges, wheresystem_privileges is a string representation of asequence of the form:



–n new_role_nameChanges the role name.


profile_name Specifies the name of the profile in which to find therole record.

role_name Specifies the role name.

CLI Examplewosetrole -R '{1 {"International" FALSE FALSE}}' oracle_roles test_role

Usage NotesThe wosetrole command modifies the attributes of the existingOracle role identified by the role_name argument in the Oracle roleprofile specified by the profile_name argument. All attributes arevalidated against the profile validation policy.

See AlsoThe wocrtrole, wosetroles, and wogetrole commands.

184 Version 2.0

wosetroles

DescriptionModifies the attributes of multiple Oracle role records.


CLI Syntax

wosetroles[–a NONE | OS | PASSWORD]][–p password][–R assigned_roles][–S system_privileges][[–x attr_name attr_value] ... ] profile_name role_name ...

where:




–R assigned_rolesSpecifies the assigned roles of these roles, whereassigned_roles is a string representation of asequence of the form:



For example:'{2 {"payroll" FALSE FALSE} \{"payables" TRUE FALSE}}'



A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

–S system_privilegesSpecifies the roles’ system privileges, wheresystem_privileges is a string representation of asequence of the form:



For example:'{2 {"updatesalary" TRUE} {"createsalary" TRUE}}'


profile_name Specifies the name of the profile in which to find therole records

role_name Specifies a role name. This argument can bespecified multiple times.

CLI Examplewosetroles -R '{1 {"NorthAmerica" FALSE FALSE 0}}' oracle_usersjw_smith

Usage NotesThe wosetroles command modifies the attributes of the existingOracle roles identified by the role_name arguments in the Oraclerole profile specified by the profile_name argument. All attributes arevalidated against the profile validation policy.

See AlsoThe wocrtrole, wosetrole, and wogetrole commands.

186 Version 2.0

wosetuser

DescriptionModifies the attributes of an Oracle user record.


CLI Syntax

wosetuser[–a TRUE | FALSE][–o TRUE | FALSE][–p password][–d default_tablespace][–t temporary_tablespace][–R roles][–S system_privileges][–O object_privileges][–Q quotas][–r resource_profile][[–x attr_name attr_value] ... ][–u new_user_name]profile_name user_name

where:



–o TRUE Allows Oracle user to change password.

–o FALSE Disallows Oracle user from changing password.



–t temporary_tablespaceSpecifies a temporary tablespace.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams




For example:'{2 {"createinvoice" FALSE}"creditinvoice" FALSE}}'

–O object_privilegesSpecifies the user’s object privileges, whereobject_privileges is a string representation of asequence of the form:

′{priv_count [{grantee privilege {col_count [column]... } schema object is_grantable}] ... }′

where priv_count is the number of privileges,grantee is the name of the user receiving theprivilege, privilege is the privilege name, col_countis the number of columns this applies to, column is acolumn name, schema is the schema name, object isthe object name, and is_grantable can take the valueTRUE or FALSE. The names are all double quoted.

For example:'{1 {"jw_smith" "create" {1 "Invoice"}"Acctg2" "invoice" TRUE}}'

–Q quotas Specifies the user’s quotas, where quotas is a stringrepresentation of a sequence of the form:


where countis the number of quotas, tablespace isthe double-quoted tablespace name, is_limited cantake the value TRUE or FALSE, and limit_value isthe numerical value of the limit.

For example:

188 Version 2.0

’{2 {"Invoices" TRUE 70}"Credits" TRUE 160}}'



–u new_user_nameChanges the user name.

profile_name Specifies the name of the profile.

user_name Specifies the user’s current name.

CLI Examplewosetuser -Q '{1 {"SYSTEM" FALSE 0}}' oracle_users jw_smith

Usage NotesThe wosetuser command modifies the attributes of the existingOracle user identified by the user_name argument in the Oracle userprofile specified by the profile_name argument. All attributes arevalidated against the profile validation policy.

See AlsoThe wocrtuser, wodeluser, and wogetuser commands.


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

wosetusers

DescriptionModifies the attributes of multiple Oracle user records.


CLI Syntax

wosetusers[–a TRUE | FALSE][–o TRUE | FALSE][–p password][–d default_tablespace][–t temporary_tablespace][–R roles][–S system_privileges][–O object_privileges][–Q quotas][–r resource_profile][[–x attr_name attr_value] ... ]profile_name user_name ...

where:



–o TRUE Allows Oracle user to change password.

–o FALSE Disallows Oracle user from changing password.



–t temporary_tablespaceSpecifies a temporary tablespace.

190 Version 2.0




For example:'{2 {"invoice" FALSE TRUE}{"receive" FALSE FALSE}}'

–S system_privilegesSpecifies the users’ system privileges, wheresystem_privileges is a string representation of asequence of the form:



For example:'{2 {"createinvoice" FALSE}{"creditinvoice" FALSE}}'

–O object_privilegesSpecifies the users’ object privileges, whereobject_privileges is a string representation of asequence of the form:

′{priv_count [{grantee privilege {col_count [column]... } schema object is_grantable}] ... }′

where priv_count is the number of privileges,grantee is the name of the user receiving theprivilege, privilege is the privilege name, col_countis the number of columns this applies to, column is acolumn name, schema is the schema name, object isthe object name, and is_grantable can take the valueTRUE or FALSE. The names are all double quoted.

For example:


A.

Ru

nn

ing

Co

mm

and

Lin

eP

rog

rams

'{1 {"jw_smith" "credit" {1 "Invoice"} "Acctg2" "invoice" FALSE}}'

–Q quotas Specifies the users’ quotas, where quotas is a stringrepresentation of a sequence of the form:


where count is the number of quotas, tablespace isthe double-quoted tablespace name, is_limited cantake the value TRUE or FALSE, and limit_value isthe numerical value of the limit.

For example:'{2 {"Credits" TRUE 100}{"Returns" FALSE 0}}'



–u new_user_nameChanges the user name.

profile_name Specifies the name of the profile.

user_name Specifies each user name. This argument can bespecified multiple times.

CLI Examplewosetusers -Q '{1 {"SYSTEM" FALSE 0}}' oracle_users jw_smith r_lynch

Usage NotesThe wosetusers command modifies the attributes of the multipleOracle users identified by the user_name arguments in the Oracleuser profile specified by the profile_name argument. All attributesare validated against the profile validation policy.

See AlsoThe wocrtuser, wodeluser, and wogetuser commands.

192 Version 2.0

Index

Aappending profiles 38attributes

buttons 79, 124default policy 21editing resources 123editing user 79sorting resources 122

authentication 56, 91

Bblocks read

per call 113per session 113

buttonsattribute 79, 124

Cclear

default values for resources 114default values for roles 92default values for users 58

commandsrunning 133running Tivoli 134running Tivoli on NT 134running Tivoli on Unix 134shell 134summary 138wcrtprfmgr 10wocpresource 128wocprole 100wocpuser 82

commands (continued)wocrtresource 115wocrtrole 92wocrtuser 57wodelresource 131wodelrole 103wodeluser 85wogetresource 39wogetuser 39wolsresources 39wolsroles 39wolsusers 39womvresource 130womvrole 102womvuser 84wopoproles 39wopopusers 39wosetresource 117wosetresources 126wosetrole 98wosetuser 73wosetusers 80

comparison operator listresources 119roles 104users 75

concurrent sessions 113CPU

session time 113

Ddata blocks read

per call 113per session 113

default policiesdefault type None 21


Ind

ex

default policies (continued)default value 20defined 3defining attributes 18editing 19

enabling subscribers 21preventing subscribers 21

for profiles 18overview 17

default typeconstant 21, 28none 21, 28regular expression 28script 21, 28selecting 21use with validation policy 28

default valuesclearing for resources 114clearing for roles 92clearing for users 58setting for resources 114setting for roles 92setting for users 58

deletecommand for objects 66profile 51profile records 38resources 130users 84without cascade 85

distributing profilesdefined 3notifications 49overwrite modifications 43repeating job 48scheduling 47setting defaults 46setting restrictions 49

Eedit script body 30elapsed time 113

environmentTivoli variables 134

Ggrant

object privileges 68Oracle privileges 59, 94roles to users 59system privileges 61

grant command 66grantor’s profile 66

Iidle time 113inactive time 113INIT.ORA parameter 56

Mmanaged resource types

adding or removing using CLI 8adding or removing using desktop 6available resources 7default policy 6OracleResourceManager 6OracleRoleManager 5selecting multiple 7setting up 5

Oobject privileges

column name 70functions available 66grantee 68

194 Version 2.0

object privileges (continued)granting all 68granting on specific columns 69object name 68removing 70revoking and changing 70schema name 68setting 66viewing granted 71

OS authentication 56overwrite profiles 38

Ppassword

adding to role 92adding to user 56authentication 92OS authentication 56user to control 57

policiesdefault 17default types 21defining default attributes 18defining validation 26editing 19

enabling subscribers 21preventing subscribers 21

for profiles 18overview 17

policy-based management 2policy regions

managed resource types 5overview 2setting up profiles 5

populate profilesusing desktop 36

post Tivoli notice option 49private SGA 113private space 113privileges

granting system to roles 96granting system to users 61object 66

profile managercreating using CLI 10creating using desktop 9defined 3icons 13naming 9overview 8

profilescreating using desktop 11defined 2deleting using CLI 51deleting using desktop 51distributing 41in policy region 11invalid entry 32limits 11managing 35naming 12populating 36preventing duplicates 38protected during population 38protecting from population 38relabeling 35resources 11role 11setting up 5types 8user 11validating using desktop 33

Rremove

Seedelete 130resource attributes

setting limits 113resources

adding using CLI 115adding using desktop 109attribute buttons 124copy source 127copy target 127copying using CLI 128copying using desktop 126


Ind

ex

resources (continued)defined 1deleting using CLI 131deleting using desktop 130editing multiple 123editing multiple using CLI 126editing multiple using desktop 118editing selected 123editing using CLI 117editing using desktop 116icon 110idle time 113managing 109moving using CLI 130moving using desktop 128naming 112private SGA 113profile 110search value 119sessions per user 113setting and clearing defaults 114setting attributes 112sorting 121

revoking object privileges 70roles

adding using CLI 92adding using desktop 87allow granting 95copy source 99copy target 100copying using CLI 100copying using desktop 99defined 1defining default roles 95deleting using CLI 103deleting using desktop 102editing using CLI 98grant privilege to others 97granting roles to roles 94icon 89naming 91password 92profiles 88removing or changing 95search value 104sorting 106

Sschedule

distribution 47naming job 49

schema namecommand syntax 153object privilege 23user object 66

script arguments 24script default type

edit script arguments 24, 29search types

contains 75exact match 75greater than 75less than 75

sessionsconnect time 113logical reads per 113

setdefault values for resources 114default values for roles 92default values for users 58subscriptions 15tablespaces 58

Setting Object Privileges 66Setting Other Role Parameters 92shell 134sort

ascending 121by attribute 78, 107, 122descending 121

subscribersadding 13available 14

syntaxTivoi Manager for Oracle 133Tivoli command 137Tivoli Management Framework 133

system privilegesadd to role 96add to user 62granting 96remove from role 96remove from user 62

196 Version 2.0

Ttablespace

adding to list 85removing from list 86

tablespace quotasadding 63removing 65

Tivoli command syntax 137Tivoli environment

setting up on UNIX 135setting up on Windows NT 136setting variables 136

Tivoli Management Region 2, 134TMR

see Tivoli Management Region 134

Uupdate user profiles message 131user management

overview 1users

access grantor’s profile 66adding tablespace quotas 63adding using desktop 53allow granting 61attribute buttons 79clearing default values 58copy target 81copying source 81copying using CLI 82copying using desktop 80creating 53defined 1defining default roles 61deleting objects 85deleting using CLI 85deleting using desktop 84deleting with or without cascade 85editing multiple attributes 79editing multiple with CLI 80editing single attribute 79editing using desktop 72

users (continued)grant privilege to others 63granting privilege on specific column 69granting roles 59granting system privileges 61icon 54limit tablesize 65managing 53modify attribute 75moving using CLI 84moving using desktop 82naming 56object privilege object name 68object privilege removing column 70object privilege schema name 68password 56removing or changing 60resource profile 57revoking or changing object privilege 70search value 75setting default values 58setting tablespace list 85setting tablespaces 57sort by attribute 78sorting 77

Vvalidation errors 33validation policies

defined 3defining 26editing 26

Wwocpresource command 128wocprole command 100wocpuser command 82wocrtrole command 92wocrtuser command 57


Ind

ex

wodelresource command 131wodelrole command 103wodeluser command 85wogetresource command 39wogetrole command 39wogetuser command 39wolsresources command 39wolsusers command 39womvresource command 130womvrole command 102womvuser command 84wopoproles command 39wopopusers command 39wosetresource command 117wosetresources command 126wosetrole command 98wosetuser command 73wosetusers command 80

198 Version 2.0

Printed in the United States of Americaon recycled paper containing 10%recovered post-consumer fiber.

GC31-5113-02