2009-10-15 04:39 PM - edited 2015-12-18 01:38 AM
Regarding to “Clone DB” feature in SMO, one of my customer was very impressed but they do have concern about security.
They would like to know do we have RBAC on SnapManager (especially DB –> SMO & SMSQL) in order to control only application admin can clone the DB instead of storage admin.
As far as I knew we don’t have those in SMSQL right now, but not sure about SMO.
As I know that we do have RBAC on SnapDrive 6.1, if I configure at SnapDrive level, what will happen when I start a clone inside SnapManager?
Any input is appreciate!!
2009-10-15 04:48 PM
This is neto from Brazil
How are you?
You could use RBAC using SDU with Operations Manager integration.
Could you please give me an example what your customer would like to do?
All the best
2009-10-15 08:35 PM
They would like to have some job delegation inside SnapManager.
That's means customer want is to have a "storage admin" & "app admin" account in Snapmanager for Oracle/SMSQL;
"storage admin" can only perform backup & restore DB and only "app admin" can able to clone DB.
We have not this kind of delegation right now, just thinking of using SnapDrive RBAC for function restriction.
But don't know what will happen if I restrict a specific user have no rights to clone in SnapDrive (edit the xml), when this user account login SMO console & start clone, will SMO/SMSQL aware of it?
In which I don't want to see is the job stop at specific point with bunch of error!!!
2009-10-16 10:15 AM
SnapManager for Oracle (SMO) provides RBAC via SDU which integrates with Operations Manager. Currently the way the integration works in SMO is that RBAC is only checked for, while a specific operation is running and not before submitting the operation. So in your case if the storage admin for whom you have revoked clone privs tries to clone, then the clone operation will error out while it is running.