Re: Restricting VMS access to DBAs ?
02-12-2006 10:38 AM
We run VMS 7.3-2 with RDB V7.1-401.
Most objects can be ACLed. However, the DBAs claim they need to use SDA to analyse locks. How can one counter this argument, or provide limited access to SDA, or provide SDA access using an ACL? We feel the RMU utilities provide all the lock analysis tools required.
02-12-2006 01:14 PM
You can make a copy of SDA.EXE, put an ACE on it granting EXECUTE access to the DBAs, and INSTALL the copy with CMKRNL privilege. They can then analyse locks without having to have CMKRNL. However, they can also do all the other things SDA comes with, but it's all read only.
You may be able to block access to some of the SDA extensions by putting NOACCESS ACEs on the shareable images (see SYS$SHARE:*$SDA)
Log a case if you need more detail.
02-13-2006 11:17 AM
Need to also install sys$library:SDA$SHARE.EXE with privs to complete. SDA$SHARE has been linked with traceback. Installation fails. I will log a call.
02-13-2006 11:48 AM
>Need to also install sys$library:SDA$SHARE.EXE
>with privs to complete.
Repeat after me... There is NO SUCH THING as a privileged shareable image! ;-)
What's happening is the activation of the privileged image puts the image activator into "paranoia" mode, which means it will only activate "trusted" images. That means only /SYSTEM/EXEC logical names will be followed, and the target image must be installed. No need for any INSTALL attributes:
$ INSTALL ADD SYS$SHARE:SDA$SHARE
will suffice, but if it's going to be installed, you may as well tack on /OPEN/HEAD/SHARE. This can be done with a traceback image, so it will work.
Added bonus? Only SDA extensions which are INSTALLed can be activated, so you don't need to ACL them, just install any that you want your DBAs to be able to run.
Here's what I did:
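$! Work on a private copy so the stock SDA.EXE stays unprivileged
$ SET DEF SYS$COMMON:[SYSEXE]
$ COPY SDA.EXE SDAPRIV.EXE
$! Only holders of DBA_SDA_ALLOW may read or execute the copy
$ SET SECURITY/ACL=(-
(IDENT=DBA_SDA_ALLOW,ACCESS=R+E),-
(IDENT=*,ACCESS=NONE)) SDAPRIV.EXE
$! Install the copy with CMKRNL; SDA$SHARE is installed without privileges
$ INSTALL ADD SDAPRIV/OPEN/HEAD/SHARE/PRIV=CMK
$ INSTALL ADD SYS$SHARE:SDA$SHARE/OPEN/HEAD/SHARE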
Now, for anyone you want to run the privileged image:
$ DEFINE SDA SDAPRIV
Note that this logical name does not need to be trusted.
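The prerequisite, verification and auditing steps around the procedure above, as an added example that is not part of the original post. It assumes a hypothetical DBA account named JSMITH; the file and identifier names are the ones used in the post.

```dcl
$! Added example, not from the original post. JSMITH is a hypothetical DBA account.
$!
$! 1. Create the rights identifier named in the ACL and grant it to each DBA.
$!    AUTHORIZE looks for SYSUAF and RIGHTSLIST in the default directory
$!    unless logical names point elsewhere.
$ SET DEFAULT SYS$SYSTEM
$ MCR AUTHORIZE ADD/IDENTIFIER DBA_SDA_ALLOW
$ MCR AUTHORIZE GRANT/IDENTIFIER DBA_SDA_ALLOW JSMITH
$!
$! 2. Confirm the ACL on the copy, and that both images are known images.
$!    The /FULL listing for SDAPRIV should show CMKRNL as its only privilege.
$ SHOW SECURITY SYS$COMMON:[SYSEXE]SDAPRIV.EXE
$ INSTALL LIST/FULL SYS$COMMON:[SYSEXE]SDAPRIV.EXE
$ INSTALL LIST SYS$SHARE:SDA$SHARE
$!
$! 3. Test from two accounts after they log in again (rights are picked up
$!    at login): a holder of DBA_SDA_ALLOW should reach the SDA> prompt,
$!    and any other unprivileged account should get a protection violation.
$ DEFINE SDA SDAPRIV
$ ANALYZE/SYSTEM
$!
$! 4. Audit later changes to the known file list, so that a new or altered
$!    privileged image does not go unnoticed.
$ SET AUDIT/AUDIT/ENABLE=INSTALL
$ SHOW AUDIT
$!
$! 5. Known-file entries do not survive a reboot. Repeat the two INSTALL ADD
$!    commands from the post in SYS$MANAGER:SYSTARTUP_VMS.COM.
```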
02-13-2006 10:59 PM
Also check the Database supplier startup and shutdown procedures.
While there is often little reason, some of the startup/shutdown scripts contain presumptions of privilege.
- Bob Gezelter, http://www.rlgsc.com
02-18-2006 06:44 PM
It is my firm belief that there are two paths to choose from: -
1) Give the DBAs all the privs in the world so that they can get the job done when the operators call at 2am describing the contents of an RMU bugcheck dump on a corrupt database.
2) Install some Knowledge Base software where every conceivable problem has a matching "Solution Document" that can be seamlessly tied to the Utility that needs executing with all of the appropriate privileges for the job. And just any flying pig will be qualified to push the right button.
I respectfully submit that unless you are an accountant hell-bent on deskilling your workforce to such a level that it can be outsourced to Bangalore (or anywhere else) you will choose option one. If you have staffing issues then take on more reliable DBA support (Preferably in Perth where the 3hr time difference is so useful to the support window :-)
Why stop at DBAs? Why do System Managers have privs? It's not like they're installing VMS every day. Let's metric what they do during the day and Install a utility for every action they perform that needs privileges? Have you ever noticed how close their eyes are together? Or that they're always whispering?
Cheers Richard
PS. Security should be more worried about who has access to client sensitive data rather than policing the police. I've yet to find an equivalent of the UK's data protection act here in Oz. (Apart from the ubiquitous "Check out our privacy document on our website")
02-19-2006 01:27 AM
I have to agree with what John suggested. Make a copy of the SDA image and set the ACL on it. Then install it with CMKL and it will work fine. I have done this on different images to prevent users from doing very bad things.
Mr. Maher, I am not sure which knowledge base software you would use to do something like this. I have in the past set up problem tracking systems that allowed the knowledge database to grow with the problems reported. It would even generate a new FAQ each week with the most commonly asked questions and post it to the web-site automatically. (That one was a home-grown system written on a MS Windows based system).
As for system security, as Thomas mentioned, his systems hold data from a number of client companies so the "brickwall" type of security between the different companies' data is crucial to their maintaining the client base. At least that is what I would think, but Thomas would be the better one to answer that one.
Your suggestion of limiting system managers is a good idea. You create one account used for VMS upgrades/installs (oh let's call that account SYSTEM) and create separate accounts for your system managers that are limited as to what their specific tasks are.
I agree with your suggestion of outsourcing to Perth because that would bring jobs to Australia. The three hour time difference wouldn't matter to me if I had a 24x7 helpdesk in the US. The only potential advantage to outsourcing to Perth would be cost of personnel and if I was going to outsource to save money I am pretty sure that Bangalore is much cheaper than Perth. So my choice would be for Bangalore, IF I were to suggest outsourcing at all, because of cost savings. Basically, the positives and negatives of outsourcing are all relative to where you are living. For you, if a company is located in Australia and they outsource to Perth then I think that is a good thing. If it is a US based company and they outsource to Perth then personally I think that is no better than outsourcing to India. (Except when I would have to go to the outsourcing site then Australia wins hands down because you have the better beer :)).
Phil
04-17-2006 11:35 AM
Required_Privileges
An access control list (ACL) is created by default on the root
file of each Oracle Rdb database. To be able to use a particular
Oracle RMU command for the database, you must be granted
the appropriate Oracle RMU privilege for that command in the
database's root file ACL. For some Oracle RMU commands, you must
have one or more OpenVMS privileges as well as the appropriate
Oracle RMU privilege to be able to use the command.
Has anyone had experience configuring RMU access with identifiers ?
04-17-2006 06:15 PM
We use identifiers in our RMU ACLs. Nothing tricky about it, just like for VMS file acls.
In regard to the ACLs themselves, they are stored as an acl on the root file of the database. This means that you can copy them from database to database if you wish and edit them with "$ edit/acl" too.
When you look at them from DCL, the Rdb specific privileges show up as bit1+bit2 etc. When you use the RMU/SHOW PRIVILEGE command, it translates these into rmu$read+rmu$export etc.
Cheers,
chris
04-17-2006 06:28 PM
This is our setup
WIZ12> rmu/show priv wizard_data
Object type: file, Object name: WIZ_FOXTST_DB:[000000]WIZARD_DATA.RDB;1, on 18-APR-2006 16:14:38.30
(IDENTIFIER=[*,*],ACCESS=READ+WRITE+CONTROL+RMU$ALL)