List of required database permissions
The following sections discuss the database permissions that are required on the BMC Server Automation database:
Oracle database permissions
The following table lists the various Oracle database permissions that are required by the BLADELOGIC user account for specific BMC Server Automation tasks, such as database schema creation, upgrade, and offline database cleanup. The table also lists alternatives to granting the permissions, if available.
As an alternative to granting these permissions manually, BMC Server Automation provides you with a script that you can use to grant the full set of permissions all at once.
- Obtain the most recent version of BSA89-<servicepackversion>-<operating_system>.zip (for example, BSA89-SP2-LIN64.zip) and extract its contents. For a description of this file, see Downloading the installation files.
- Using the files extracted from the zip file, copy the /db_scripts/oracle/upgrade directory into a directory on your Application Server.
  BMC recommends using a directory that is at or close to the root of a disk drive. This practice avoids excessively long paths. Windows paths are limited to 255 characters.
- The Oracle DBA must perform the following steps:
  - Copy /db_scripts/oracle/upgrade/migration_setup_OM.sql, which you extracted from the zip file, to a location where you have access to SQL*Plus.
  - Log on to SQL*Plus as sysdba.
    You must log on as sysdba to run the migration_setup_OM.sql script in the next step.
    If your installation has chosen a schema owner for the core BMC Server Automation database other than the default schema owner BLADELOGIC, you must modify the migration_setup_OM.sql script run in the next step to use the schema owner user name for your installation. After the data migration has completed, the schema owner can have its additional migration roles and permissions returned to their normal state.
  - Set the BMC Server Automation user's roles and permissions required for running the offline database cleanup by entering the following command:
|Privilege||Used during||Why it is used||Alternative method|
|GRANT RESOURCE TO BLADELOGIC||Schema creation and cleanup||Required to create tables and procedures in the schema. Initial schema creation and parts of the schema cleanup will fail without this privilege.||If your company policy does not allow you to grant the RESOURCE privilege to BLADELOGIC, revoke the RESOURCE privilege and provide the following granular privileges instead:|
|GRANT CONNECT TO BLADELOGIC||Connections to the database||To allow the BLADELOGIC user to connect to the BLADELOGIC database; to be able to perform any action on the database.||None.|
|GRANT CREATE VIEW TO BLADELOGIC|| ||During install and upgrade, new views are created on the database supporting new code. To create a view, this privilege is required.||None.|
|GRANT EXECUTE ON DBMS_LOB TO BLADELOGIC||DB Diagnostic utility||Used for migration procedures that are created for the DB Diagnostic utility, which uses CLOB datatypes and DBMS_LOB package calls. Also used while running the DB Diagnostic utility, when calls are made to procedures that use DBMS_LOB package functions.|| |
|GRANT EXECUTE ON DBMS_LOCK TO BLADELOGIC||Upgrading or migrating the BMC Server Automation database||Carrying out a handshake between BMC Server Automation database and the BMC BladeLogic Decision Support for Server Automation extract, transform, and load (ETL) during database cleanup.|| |
|GRANT UNLIMITED TABLESPACE TO BLADELOGIC||Application usage||Required to have enough space to complete database operations.||If your company policy does not allow you to grant the UNLIMITED TABLESPACE privilege to BLADELOGIC, revoke the UNLIMITED TABLESPACE privilege and provide the following granular privilege on the relevant tablespaces|
|GRANT EXECUTE ON DBMS_SQL TO BLADELOGIC||Upgrade process||The call creates triggers on one of the underlying tables.||Once the triggers are created (as part of upgrade/migration), the permission can be revoked. You can grant the privilege before upgrade and then revoke after upgrade.|
|GRANT SELECT ANY DICTIONARY TO BLADELOGIC|| ||Both DB Migration and DB Diagnostics access the following dictionary table and views during the run:||You can grant the privilege before upgrade and revoke after upgrade. You can grant the privilege before running DB Diagnostics and revoke after the run. The utilities check for the actual existence of the privilege, so breaking up the privilege is not possible.|
|GRANT EXECUTE ON DBMS_SCHEDULER TO BLADELOGIC||Upgrade process||This is used to generate DBM offline jobs.|| |
|GRANT EXECUTE ON DBMS_XMLGEN TO BLADELOGIC||Upgrade process||This is used in Live Reporting to generate reports.|| |
In addition to the Oracle database permissions mentioned above, two more permissions have been added to migration_setup_OM.sql in versions 8.9 SP1 and later. The two additional permissions are:
- GRANT EXECUTE ON DBMS_SCHEDULER TO BLADELOGIC
- GRANT EXECUTE ON DBMS_XMLGEN TO BLADELOGIC
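
The following query is an added example, not part of the BMC documentation or of migration_setup_OM.sql. It compares the privileges listed above with what the schema owner actually holds, and flags the two grants the table says can be revoked after the upgrade or diagnostics run. It assumes the default schema owner BLADELOGIC and a DBA session that can read the DBA_* dictionary views.

```sql
-- Added example: audit direct grants to the schema owner against this page's list.
-- Assumption: schema owner is the default BLADELOGIC; change the literal if yours differs.
-- Only direct grants are reported; privileges inherited via PUBLIC or another role are not.
WITH expected (kind, name, revocable) AS (
  SELECT 'ROLE', 'RESOURCE',              'N' FROM dual UNION ALL
  SELECT 'ROLE', 'CONNECT',               'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE VIEW',           'N' FROM dual UNION ALL
  SELECT 'SYS',  'UNLIMITED TABLESPACE',  'N' FROM dual UNION ALL
  SELECT 'SYS',  'SELECT ANY DICTIONARY', 'Y' FROM dual UNION ALL  -- grant before, revoke after
  SELECT 'EXEC', 'DBMS_LOB',              'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_LOCK',             'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_SQL',              'Y' FROM dual UNION ALL  -- grant before, revoke after
  SELECT 'EXEC', 'DBMS_SCHEDULER',        'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_XMLGEN',           'N' FROM dual
),
actual (kind, name) AS (
  -- Roles granted directly to the schema owner
  SELECT 'ROLE', granted_role FROM dba_role_privs WHERE grantee = 'BLADELOGIC'
  UNION
  -- System privileges granted directly
  SELECT 'SYS', privilege FROM dba_sys_privs WHERE grantee = 'BLADELOGIC'
  UNION
  -- EXECUTE on SYS-owned packages granted directly
  SELECT 'EXEC', table_name
    FROM dba_tab_privs
   WHERE grantee = 'BLADELOGIC'
     AND privilege = 'EXECUTE'
     AND owner = 'SYS'
)
SELECT COALESCE(e.kind, a.kind) AS kind,
       COALESCE(e.name, a.name) AS name,
       CASE
         WHEN a.name IS NULL    THEN 'MISSING'
         WHEN e.name IS NULL    THEN 'NOT ON PAGE LIST: review'
         WHEN e.revocable = 'Y' THEN 'GRANTED: revoke once upgrade/diagnostics is done'
         ELSE 'GRANTED'
       END AS status
  FROM expected e
  FULL OUTER JOIN actual a
    ON a.kind = e.kind AND a.name = e.name
 ORDER BY 1, 2;
```

Run it once before the upgrade to confirm nothing is MISSING, and again afterwards to confirm the temporary grants are gone.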
SQL Server database permissions
The bladelogic user account that you set up for a SQL Server database used by BMC Server Automation must be granted access to the dbo schema and membership to the db_owner role for the BladeLogic database. For more about setting up this user account, see Setting up a SQL Server database and user for BMC Server Automation and Walkthrough: Setting up a SQL Server database.
These permissions enable proper communication between the Application Server and the database, so that routine database tasks can be performed successfully (for example: creating tables, truncating tables, creating views, and inserting new data). In addition, these permissions are used to enable functions during database cleanup and to enable the necessary handshake between BMC Server Automation database and the BMC BladeLogic Decision Support for Server Automation ETL during database clean up.