List of required database permissions

The following sections discuss the database permissions that are required on the BMC Server Automation database:

Oracle database permissions

The following table lists the various Oracle database permissions that are required by the BLADELOGIC user account for specific BMC Server Automation tasks, such as database schema creation, upgrade, and offline database cleanup. The table also lists alternatives to granting the permissions, if available.

Note

As an alternative to granting these permissions manually, BMC Server Automation provides you with a script that you can use to grant the full set of permissions all at once.

  Click to expand the steps for running the script for granting database permissions...
  1. Obtain the most recent version of BSA89-<servicepackversion>-<operating_system>.zip (for example, BSA89-SP2-LIN64.zip) and extract its contents. For a description of this file, see Downloading the installation files.
  2. Using the files extracted from the zip file, copy the /db_scripts/oracle/upgrade directory into a directory on your Application Server.

    Note

    BMC recommends using a directory that is at or close to the root of a disk drive. This practice avoids excessively long paths. Windows paths are limited to 255 characters.

  3. The Oracle DBA must perform the following steps:
    1. Copy /db_scripts/oracle/upgrade/migration_setup_OM.sql, which you extracted from the zip file, to a location where you have access to SQL*Plus.
    2. Log on to SQL*Plus as sysdba.

      Warning

      You must log on as sysdba to run the migration_setup_OM.sql script in the next step.

      Note

      If your installation has chosen a schema owner for the core BMC Server Automation database other than the default schema owner BLADELOGIC, you must modify the migration_setup_OM.sql script run in the next step to use the schema owner user name for your installation. After the data migration has completed, the schema owner can have its additional migration roles and permissions returned to their normal state.

    3. Set the BMC Server Automation user's roles and permissions required for running the offline database cleanup by entering the following command:

      start migration_setup_OM.sql
Privilege Used during Why it is used Alternative method
GRANT RESOURCE TO BLADELOGIC

Schema creation and cleanup

Upgrade process

Required to create tables and procedures in the schema. Initial schema creation, and parts of the schema cleanup will fail without this privilege.

If your company policy does not allow you to grant the RESOURCE privilege to BLADELOGIC, revoke the RESOURCE privilege and provide the following granular privileges instead:

CREATE TRIGGER

CREATE SEQUENCE

CREATE TYPE

CREATE PROCEDURE

CREATE CLUSTER

CREATE OPERATOR

CREATE INDEXTYPE

CREATE TABLE

GRANT CONNECT TO BLADELOGIC

Connections to the database

Product usage

Migration

All utilities

To allow the BLADELOGIC user to connect to the BLADELOGIC database; to be able to perform any action on the database. None.

GRANT CREATE VIEW TO BLADELOGIC

Install

Upgrade process

During Install and upgrade, new views are created on the database supporting new code. To create a view, this privilege is required. None.
GRANT EXECUTE ON DBMS_LOB TO BLADELOGIC

Migration

DB Diagnostic utility

Used for migration procedures that are created for the DB Diagnostic utility, which uses CLOB datatypes and DBMS_LOB package calls.

Also used while running the DB Diagnostic utility, calls are made to procedures which use DBMS_LOB package functions.

None.
GRANT EXECUTE ON DBMS_LOCK TO BLADELOGIC

Upgrade process

Running ETL

Required for:

Upgrading or migrating the BMC Server Automation database

Carrying out a handshake between BMC Server Automation database and the BMC BladeLogic Decision Support for Server Automation extract, transform, and load (ETL) during database clean up.

None.

GRANT UNLIMITED TABLESPACE TO BLADELOGIC Application usage Required to have enough space to complete database operations

If your company policy does not allow you to grant the UNLIMITED TABLESPACE privilege to BLADELOGIC, revoke the UNLIMITED TABLESPACE privilege and provide the following granular privilege on the relevant tabelspaces 
(BLADELOGIC and BLADELOGIC_INDEX) instead:
alter user <Username> quota unlimited on <Tablespace>

GRANT EXECUTE ON DBMS_SQL TO BLADELOGIC Upgrade process

The call creates triggers on one of the underlying tables.

Once the triggers are created (as part of upgrade/migration), the permission can be revoked. 

None.

You can grant the privilege before upgrade and then revoke after upgrade.

GRANT SELECT ANY DICTIONARY TO BLADELOGIC

Upgrade of
DB Diagnostics

Both DB Migration and DB Diagnostics access the following dictionary table and views during the run:

Table: DBA_USERS

Views:

  • V$SESSION
  • V$PARAMETER
  • V$PROCESS

None.

You can grant the privilege before upgrade and revoke after upgrade. 

You can grant the privilege before running DB Diagnostics and revoke after the run.

The way the utilities use the privilege is by checking for the actual existence of the privilege, therefore breaking up the privilege is not possible.

GRANT EXECUTE ON DBMS_SCHEDULER TO BLADELOGIC

Upgrade process This is used to generate DBM offline jobs.

GRANT EXECUTE ON DBMS_XMLGEN TO BLADELOGIC

Upgrade process This is used in Live Reporting to generate reports.

SQL Server database permissions

The bladelogic user account that you set up for a SQL Server database used by BMC Server Automation must be granted access to the dbo schema and membership to the db_owner role for the BladeLogic database. For more about setting up this user account, see Setting up a SQL Server database and user for BMC Server Automation and Walkthrough: Setting up a SQL Server database.

These permissions enable proper communication between the Application Server and the database, so that routine database tasks can be performed successfully (for example: creating tables, truncating tables, creating views, and inserting new data). In addition, these permissions are used to enable functions during database cleanup and to enable the necessary handshake between BMC Server Automation database and the BMC BladeLogic Decision Support for Server Automation ETL during database clean up.

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Drew Trachy

    Does the bladelogic account require the DBMS_METADATA privilege on Oracle installations? If so, could you get it listed here? Are any other privileges required that aren't listed?

    Apr 19, 2016 01:39
    1. Moiz Nalwalla

      Sure Drew, I'll work on getting you this information and adding it to the docs if required.

      Apr 19, 2016 01:45
    1. Moiz Nalwalla

      Hi Drew,

      No we do not need DBMS_METADATA. We only require the privileges that are documented on this page.

      Is there a particular reason you have the query for DBMS_METADATA privilege?

      Apr 20, 2016 07:21