Matrix42 Self-Service Help Center

Access rights for scanning Oracle Databases

How to configure access permissions

The product determines the license status of Oracle databases on the queried server systems. In addition to system information, information from the Oracle databases must also be queried. 

The product reads neither application-specific nor customer-specific data.

The database query is configured out of the box so that no dedicated user has to be created in the queried databases to capture all necessary information. All running instances on the systems are detected. After switching into the context of the process owner, read access to the database takes place under that UID.

Alternatively, you can create a new database user or use an existing one. This database user requires read-only access only. The same database user can be used on all server systems for all Oracle databases running there. The following chapter describes how to grant access to that user.

Granting Access for a specific user

Using Grant Script

The grant script MUST be called as SYSDBA (or a comparable role) with the right to create users! The grant script must be executed once for each database instance to be queried.

The grant script is called:

@novaratio_grantscript.sql <user> <password> <tablespace> <ORACLE_SID>

The parameters when calling the grant script mean:

  • <user> is a new username. If it already exists, the system issues a corresponding message.
  • <password> is the password with which the new user logs in. The password follows the general rules of the specified database policies.
  • <tablespace> is an existing tablespace. If it is missing, an error message is issued and the user is not created.
  • <ORACLE_SID> is the ORACLE_SID of the database where the user is to be created. If it does not exist, an error message is issued and the user is not created.

For Oracle 12c with Pluggable Databases (PDB): The grant script MUST be executed in the CDB$ROOT. It automatically creates the user passed to it in the CDB$ROOT as well as in all PDBs generated for the CDB.

Storing logon data

If the data query of the server systems is executed using a specific database user, the user name and password must be stored.

The administrator must store this logon data on the respective server systems in a logon data file. This file can contain several sets of logon data, i.e. valid combinations of user name and password, and can be used identically on several server systems.

The entries in the logon data file are line-oriented, with a tab character as the separator between user name and password (comment lines are not allowed!):

User1    password1
User2    password2

Under Windows, the logon data file is expected in the following path after the installation of the agent:

%Program Files (x86)%\eRunbook\product\agent\tools\login 

For Unix/Linux, the login data file is stored under the following path after the agent installation:

/opt/eRunbook/product/agent/tools/login 
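
The following check of a logon data file is an added example, not part of the product or of the original page. It verifies the format described above (one tab between user name and password, no comment lines) without ever echoing a password. It assumes "#" as the comment marker, and its permission check is an added hardening measure for a file holding cleartext passwords, not a documented product requirement; all function names are hypothetical.

```python
import os
import stat
import tempfile

# Constructed sample: line 2 is a comment, line 3 uses spaces instead of a tab,
# line 4 has no password.
SAMPLE = "User1\tpassword1\n# scan accounts\nUser2    password2\nUser3\t\n"

def check_login_text(text):
    """Return format problems for logon data file content (passwords are never echoed)."""
    problems = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):          # assumed comment marker
            problems.append(f"line {no}: comment lines are not allowed")
        elif line.count("\t") != 1:
            problems.append(f"line {no}: expected exactly one tab between user name and password")
        else:
            user, password = line.split("\t")
            if not user.strip() or not password:
                problems.append(f"line {no}: empty user name or password")
    return problems

def check_login_file(path):
    """Format check plus a permission check on the file itself."""
    problems = []
    # Added hardening check, not a documented product requirement: the file
    # stores cleartext passwords, so any group/other permission bit is flagged.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"mode {mode:03o} grants access to group or others")
    with open(path, encoding="utf-8", newline="") as fh:
        problems += check_login_text(fh.read())
    return problems

def demo():
    """Write SAMPLE to a temporary file with mode 0644 and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return check_login_file(path)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```
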

In order to use the "login" file for the system query, the setting of the "swdetection_client.conf" file must be adjusted.

On Windows this file is located at: 

windows/tools/swdetection_windows.conf

On Linux or UNIX this file is located at: 

<OS>/tools/swdetection_unix_client.conf 

This file already contains predefined entries for two Oracle DB query variants, of which only one may be active at any one time:

  1. Query with OS Authentication
  2. Query with "login" file (standard user)

[1] Standard OS Authentication

By default, the configuration file is set up for queries using OS authentication:

[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation
check_instance=swdetection_oracledb.sh check_instance NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation
data_instance=swdetection_oracledb.sh data_instance NOVA_INSTANCE_NAME

##[OracleDB]
##name=Oracle Database
##vendor=Oracle Corporation
##check_installation=swdetection_oracledb.sh check_installation loginfile
##check_instance=swdetection_oracledb.sh check_instance loginfile NOVA_INSTALLATION_DIRECTORY
##data_installation=swdetection_oracledb.sh data_installation loginfile
##data_instance=swdetection_oracledb.sh data_instance loginfile NOVA_INSTANCE_NAME 

[2] User Login Authentication

If you want to use the "login" file, the block for standard OS authentication must be commented out (using the "##" characters), while the lines of the block for login authentication must not start with the comment characters:

##[OracleDB]
##name=Oracle Database
##vendor=Oracle Corporation
##check_installation=swdetection_oracledb.sh check_installation
##check_instance=swdetection_oracledb.sh check_instance NOVA_INSTALLATION_DIRECTORY
##data_installation=swdetection_oracledb.sh data_installation
##data_instance=swdetection_oracledb.sh data_instance NOVA_INSTANCE_NAME

[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation loginfile
check_instance=swdetection_oracledb.sh check_instance loginfile NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation loginfile
data_instance=swdetection_oracledb.sh data_instance loginfile NOVA_INSTANCE_NAME
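
Because only one of the two query variants may be active at a time, the configuration file can be checked after editing. The following lint is an added example, not part of the product or of the original page: it reports which variant the uncommented [OracleDB] block selects and rejects a file in which both blocks, or neither, are active. The function names are hypothetical, and the sample content is constructed from the two blocks shown above.

```python
import re

# Constructed sample content, assembled from the two blocks shown on this page.
OS_BLOCK = """[OracleDB]
name=Oracle Database
vendor=Oracle Corporation
check_installation=swdetection_oracledb.sh check_installation
check_instance=swdetection_oracledb.sh check_instance NOVA_INSTALLATION_DIRECTORY
data_installation=swdetection_oracledb.sh data_installation
data_instance=swdetection_oracledb.sh data_instance NOVA_INSTANCE_NAME
"""
LOGIN_BLOCK = re.sub(r"(\.sh \w+)", r"\1 loginfile", OS_BLOCK)

def commented(block):
    """Prefix every line with the "##" comment characters."""
    return "".join("##" + line for line in block.splitlines(keepends=True))

def active_oracle_modes(conf_text):
    """Return 'os-auth', 'loginfile' or 'mixed' for each uncommented [OracleDB] block."""
    blocks, current = [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue                                  # blank or commented out
        if line.startswith("["):                      # a section header opens a new block
            current = [] if line == "[OracleDB]" else None
            if current is not None:
                blocks.append(current)
        elif current is not None and "=" in line and line.startswith(("check_", "data_")):
            current.append("loginfile" in line.split("=", 1)[1].split())
    return ["loginfile" if cmds and all(cmds) else "mixed" if any(cmds) else "os-auth"
            for cmds in blocks]

def check_conf(conf_text):
    """Return the active query variant, or raise ValueError if the file is inconsistent."""
    modes = active_oracle_modes(conf_text)
    if len(modes) != 1:
        raise ValueError(f"{len(modes)} active [OracleDB] blocks, exactly one is required")
    if modes[0] == "mixed":
        raise ValueError("active [OracleDB] block mixes commands with and without loginfile")
    return modes[0]

if __name__ == "__main__":
    print(check_conf(OS_BLOCK + "\n" + commented(LOGIN_BLOCK)))   # default delivery state
    print(check_conf(commented(OS_BLOCK) + "\n" + LOGIN_BLOCK))   # switched to the login file
```
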