Oracle® Secure Backup Reference
Release 10.1

Part Number B14236-03

mkuser

Purpose

Use the mkuser command to define an Oracle Secure Backup user. Each user account belongs to exactly one class, which defines the rights of the user.

Prerequisites

You must have the modify administrative domain's configuration right to run the mkuser command.

Usage Notes

When an Oracle Secure Backup user performs a backup or restore operation on a host with the default --unprivileged option, the host is accessed by means of an operating system identity.

If a Linux or UNIX host is backed up or restored, then Oracle Secure Backup uses the --unixname and --unixgroup values for the operating system identity.

If a Windows host is backed up or restored, then Oracle Secure Backup begins with the first domain triplet in the list (skipping any with a wildcard (*) for the domain name) and checks whether the domain and username allow access to the host.

Note:

Oracle Secure Backup uses the LookupAccountName system call to determine whether access is allowed. No attempt at logging on actually occurs during the check, nor is there any attempt to enumerate all the valid Windows domains.

If access is allowed, then Oracle Secure Backup uses this logon information to run the job. If not, then Oracle Secure Backup proceeds to the next domain triplet in the list. If Oracle Secure Backup does not find a triplet that allows access to the host, it performs a final check to see whether a triplet exists with a wildcard (*) as the domain name.
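The selection order described above, modelled as an added example (not Oracle's code). `Triplet`, `select_triplet` and the `allows_access` callback are hypothetical names; the callback stands in for the name-lookup check, and the wildcard triplet found by the final check is assumed to be the one used.

```python
from typing import Callable, NamedTuple, Optional, Sequence


class Triplet(NamedTuple):
    domain: str    # Windows domain name, or "*" for the wildcard entry
    account: str
    password: str


def select_triplet(triplets: Sequence[Triplet],
                   allows_access: Callable[[str, str], bool]) -> Optional[Triplet]:
    """Pick the logon triplet for a Windows host in the order described above.

    allows_access(domain, account) is a hypothetical stand-in for the
    name-lookup check made against the host; it performs no logon.
    """
    wildcard = None
    for t in triplets:
        if t.domain == "*":
            # Wildcard entries are skipped on the first pass.
            if wildcard is None:
                wildcard = t
            continue
        if allows_access(t.domain, t.account):
            return t  # first explicit domain the host accepts wins
    # Final check: fall back to a wildcard triplet if one exists (assumed
    # here to be the first one listed), otherwise there is no identity.
    return wildcard


def demo() -> dict:
    # Constructed sample data: domains, accounts and passwords are placeholders.
    triplets = [
        Triplet("*", "bkp_any", "<pw-0>"),
        Triplet("CORP", "bkp_corp", "<pw-1>"),
        Triplet("LAB", "bkp_lab", "<pw-2>"),
    ]
    lab_host = {("LAB", "bkp_lab")}   # accounts this host resolves
    other_host = set()                # resolves none of the explicit ones
    return {
        "lab": select_triplet(triplets, lambda d, a: (d, a) in lab_host),
        "other": select_triplet(triplets, lambda d, a: (d, a) in other_host),
        "none": select_triplet(triplets[1:], lambda d, a: False),
    }
```

A wildcard triplet is the identity used on every Windows host where no explicit domain entry matches, so the account placed there should be chosen with that reach in mind.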

Syntax

mkuser::=

mku•ser --class/-c userclass
[ --password/-p password | --querypassword/-q ]
[ --unixname/-U unix-user ] [ --unixgroup/-G unix-group ]
[ --domain/-d { windows-domain | * },windows-account[,windows-password ] ]...
[ --ndmpuser/-N { yes | no }  ]
[ --email/-e emailaddr ] [ --givenname/-g givenname ]
[ --preauth/-h preauth-spec[,preauth-spec]... ]
username

Semantics

--class/-c userclass

Specifies the name of the class to which the user should belong. Table B-1, "Classes and Rights" describes the predefined classes and rights.

--password/-p password

Specifies a password for the Oracle Secure Backup user when logging in to an administrative domain. The maximum length that you can enter is 16 characters. If you do not specify a password, then the password is null.

--querypassword/-q

Specifies that you should be prompted for the password, which is not echoed.

--unixname/-U unix-user

Specifies a user name for a Linux or UNIX host. The default user name is the first defined of guest, nobody, none, and user.

--unixgroup/-G unix-group

Specifies a group for a Linux or UNIX host. The default is none.

--domain/-d { windows-domain | * },windows-account[,windows-password]

Specifies a Windows domain name, user account, and password. If you do not enter the Windows password, then obtool prompts you for it. For windows-domain, enter an asterisk (*) if the windows-account and windows-password apply to all Windows domains. The --domain option has no default value.

The Windows user account must have access to the following privileges so that obtar can run:

  • SeBackupPrivilege

    User right: Back up files and directories

  • SeRestorePrivilege

    User right: Restore files and directories

  • SeChangeNotifyPrivilege

    User right: Bypass traverse checking

You must grant the preceding privileges to the user account when it is created or grant them afterward.

--ndmpuser/-N { yes | no }

Indicates whether the user is permitted to log in to an NDMP server. Specify yes if you want to enable the user to access an NDMP server and no if you do not. The default is no. This login is achieved by means of an external client program.

--email/-e emailaddr

Specifies the email address for the user. When Oracle Secure Backup wants to communicate with this user, such as to deliver a job summary or notify the user of a pending input request, it sends email to this address.

--givenname/-g givenname

Specifies the given name of the user if different from the user name, for example, "Jim W. Smith" for user name jsmith.

--preauth/-h preauth-spec[,preauth-spec]...

Grants the specified operating system user preauthorized access to the administrative domain as the Oracle Secure Backup user. By default there is no preauthorization.

A preauthorization dictates how an operating system user can be automatically logged in to Oracle Secure Backup. Access is authorized only for the specified operating system user on the specified host. For each host within an Oracle Secure Backup administrative domain, you can declare one or more one-to-one mappings between operating system and Oracle Secure Backup user identities. For example, you can create a preauthorization so that UNIX user lashdown is automatically logged in to obtool as user admin.

Refer to "preauth-spec" for a description of the preauth-spec placeholder. Duplicate preauthorizations are not permitted. Preauthorizations are considered to be duplicates if they have the same hostname, user ID, and domain.

username

Specifies a name for the Oracle Secure Backup user. User names are case-sensitive and must start with an alphanumeric character. They can contain only letters, numerals, dashes, underscores, and periods (no spaces). They may contain at most 127 characters.

The user name must be unique among all Oracle Secure Backup user names. Formally, it is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain.
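A pre-flight check for a provisioning script, applying the constraints stated above for username, password and preauthorizations before mkuser is invoked. This is an added example, not part of Oracle Secure Backup; `check_mkuser_request` and its parameters are hypothetical, letters are assumed to mean ASCII letters, and preauthorizations are passed already split into (hostname, user ID, domain).

```python
import re
from typing import List, Optional, Sequence, Tuple

# Username rule from the page: starts alphanumeric; letters, numerals,
# dashes, underscores, periods; at most 127 characters. ASCII is assumed.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,126}")
MAX_PASSWORD_LEN = 16

Preauth = Tuple[str, str, str]  # (hostname, OS user ID, Windows domain or "")


def check_mkuser_request(username: str,
                         existing_users: Sequence[str],
                         password: Optional[str],
                         query_password: bool,
                         preauths: Sequence[Preauth]) -> List[str]:
    """Return a list of problems; an empty list means the request passes."""
    problems = []
    if not USERNAME_RE.fullmatch(username):
        problems.append("username: invalid characters, first character or length")
    # Names are case-sensitive, so only an exact match is a collision.
    if username in existing_users:
        problems.append("username: already defined")
    if password is not None and query_password:
        problems.append("password: --password and --querypassword are alternatives")
    elif password is None and not query_password:
        # Neither option given: the account would be created with a null password.
        problems.append("password: none given, account would have a null password")
    elif password is not None and len(password) > MAX_PASSWORD_LEN:
        problems.append("password: longer than 16 characters")
    seen = set()
    for spec in preauths:
        # Duplicates share the same hostname, user ID and domain.
        if spec in seen:
            problems.append("preauth: duplicate %s:%s (domain %r)" % spec)
        seen.add(spec)
    return problems
```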

Example

Example 2-97 creates an administrative Oracle Secure Backup user named janedoe. This user runs unprivileged backup and restore operations on Linux and UNIX hosts under the jdoe operating system account. Because no Windows domains are specified, this user is not permitted to run backup or restore operations on Windows hosts. The jdoe operating system user is preauthorized to make RMAN backups on host stadv07.

Example 2-97 Creating an Oracle Secure Backup User

ob> lsuser
admin            admin
sbt              admin
tadmin           admin
ob> mkuser janedoe --class admin --password "x45y" --givenname "jane" --unixname
jdoe --unixgroup "dba" --preauth stadv07:jdoe+rman+cmdline --ndmpuser no
--email jane.doe@business.com
ob> lsuser
admin            admin
janedoe          admin
sbt              admin
tadmin           admin