List of required database permissions


The following sections discuss the database permissions that are required on the TrueSight Server Automation database:

Oracle database permissions

The following table lists the various Oracle database permissions that are required by the BLADELOGIC user account for specific TrueSight Server Automation tasks, such as database schema creation, upgrade, and offline database cleanup. The table also lists alternatives to granting the permissions, if available.

As an alternative to granting these permissions manually, TrueSight Server Automation contains a script that you can use to grant the full set of permissions at once.

Steps for running the script to grant database permissions:
  1. Obtain the most recent version of TSSA2002-<patchversion>-<operating_system>.zip (for example, TSSA2002-P1-LIN64.zip) and extract its contents. For a description of this file, see Downloading the installation files.
  2. Using the files extracted from the zip file, copy the /db_scripts/oracle/upgrade directory into a directory on your Application Server.

    Note

    BMC recommends using a directory that is at or close to the root of a disk drive. This practice avoids excessively long paths. Windows paths are limited to 255 characters.

  3. The Oracle DBA must perform the following steps:
    1. Copy /db_scripts/oracle/upgrade/migration_setup_OM.sql, which you extracted from the zip file, to a location where you have access to SQL*Plus.
    2. Log on to SQL*Plus as sysdba.

      Warning

      You must log on as sysdba to run the migration_setup_OM.sql script in the next step.

      Note

      If your installation has chosen a schema owner for the core TrueSight Server Automation database other than the default schema owner BLADELOGIC, you must modify the migration_setup_OM.sql script run in the next step to use the schema owner user name for your installation. After the data migration has completed, the schema owner can have its additional migration roles and permissions returned to their normal state.

    3. Set the TrueSight Server Automation user's roles and permissions required for running the offline database cleanup by entering the following command:

      start migration_setup_OM.sql

Important

Before installing TrueSight Server Automation, make sure that you grant these permissions to the Oracle database user.

| Privilege | Used during | Why it is used | Alternative method |
|---|---|---|---|
| Grant the following individual privileges: CREATE TRIGGER, CREATE SEQUENCE, CREATE TYPE, CREATE PROCEDURE, CREATE CLUSTER, CREATE OPERATOR, CREATE INDEXTYPE, CREATE TABLE. GRANT RESOURCE permissions (This is not required for TrueSight Server Automation 8.9.03.001 and later.) | Schema creation and cleanup; Upgrade process | Required to create tables and procedures in the schema. Initial schema creation and parts of the schema cleanup will fail without this privilege. | None |
| GRANT CONNECT TO BLADELOGIC | Connections to the database; Product usage; Migration; All utilities | To allow the TrueSight Server Automation user to connect to the TrueSight Server Automation database; to be able to perform any action on the database. | None. |
| GRANT CREATE VIEW TO BLADELOGIC | Install; Upgrade process | During install and upgrade, new views are created on the database supporting new code. To create a view, this privilege is required. | None. |
| GRANT EXECUTE ON DBMS_LOB TO BLADELOGIC | Migration; DB Diagnostic utility | Used for migration procedures that are created for the DB Diagnostic utility, which uses CLOB datatypes and DBMS_LOB package calls. Also used while running the DB Diagnostic utility, when calls are made to procedures that use DBMS_LOB package functions. | None. |
| GRANT EXECUTE ON DBMS_LOCK TO BLADELOGIC | Upgrade process; Running ETL | Required for: upgrading or migrating the TrueSight Server Automation database; carrying out a handshake between the TrueSight Server Automation database and the TrueSight Smart Reporting for Server Automation extract, transform, and load (ETL) during database cleanup. | None. |
| GRANT UNLIMITED TABLESPACE TO BLADELOGIC | Application usage | Required to have enough space to complete database operations | If your company policy does not allow you to grant the UNLIMITED TABLESPACE privilege to BLADELOGIC, revoke the UNLIMITED TABLESPACE privilege and provide the following granular privilege on the relevant tablespaces (BLADELOGIC and BLADELOGIC_INDEX) instead: alter user <Username> quota unlimited on <Tablespace> |
| GRANT EXECUTE ON DBMS_SQL TO BLADELOGIC | Upgrade process | The call creates triggers on one of the underlying tables. Once the triggers are created (as part of upgrade/migration), the permission can be revoked. | None. You can grant the privilege before upgrade and then revoke after upgrade. |
| GRANT SELECT ANY DICTIONARY TO BLADELOGIC | Upgrade of DB Diagnostics | Both DB Migration and DB Diagnostics access the following dictionary table and views during the run. Table: DBA_USERS. Views: V$SESSION, V$PARAMETER, V$PROCESS. | None. You can grant the privilege before upgrade and revoke after upgrade. You can grant the privilege before running DB Diagnostics and revoke after the run. The utilities use the privilege by checking for the actual existence of the privilege, therefore breaking up the privilege is not possible. |
| GRANT EXECUTE ON DBMS_SCHEDULER TO BLADELOGIC | Upgrade process | This is used to generate DBM offline jobs. | |
| GRANT EXECUTE ON DBMS_XMLGEN TO BLADELOGIC | Upgrade process | This is used in Live Reporting to generate reports. | |

Note

In addition to the Oracle database permissions mentioned above, two more permissions have been added to migration_setup_OM.sql in versions 8.9 SP1 and later. The two additional permissions are:

  • GRANT EXECUTE ON DBMS_SCHEDULER TO BLADELOGIC
  • GRANT EXECUTE ON DBMS_XMLGEN TO BLADELOGIC

For offline database cleanup, the Oracle DBA must ensure that the BladeLogic database user has the appropriate permissions to run the Offline Cleanup. The database user is required to have the following additional permissions for Oracle database:


    • Create Job
      Syntax: GRANT CREATE JOB TO <tssa schema user>
    • Create External Job
      Syntax: GRANT CREATE EXTERNAL JOB TO <tssa schema user>
    • Execute on DBMS scheduler
      Syntax: GRANT EXECUTE ON DBMS_SCHEDULER TO <tssa schema user>
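
An added audit query, not part of BMC's scripts, that compares the privileges listed in this section with the direct grants held by the schema owner and flags the two that the table says can be revoked after upgrade. It assumes the default schema owner BLADELOGIC and a DBA session in SQL*Plus; the column aliases and the tssa_user variable are illustrative names.

```sql
-- Added example (not BMC's script): required privileges from this page
-- versus what the schema owner holds directly. Run as a DBA in SQL*Plus.
-- Assumes the default schema owner BLADELOGIC. Change the DEFINE otherwise.
DEFINE tssa_user = 'BLADELOGIC'

WITH required AS (
  SELECT 'ROLE' AS kind, 'CONNECT' AS priv, 'N' AS revoke_ok FROM dual UNION ALL
  SELECT 'SYS',  'CREATE TRIGGER',        'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE SEQUENCE',       'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE TYPE',           'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE PROCEDURE',      'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE CLUSTER',        'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE OPERATOR',       'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE INDEXTYPE',      'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE TABLE',          'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE VIEW',           'N' FROM dual UNION ALL
  SELECT 'SYS',  'UNLIMITED TABLESPACE',  'N' FROM dual UNION ALL
  SELECT 'SYS',  'SELECT ANY DICTIONARY', 'Y' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE JOB',            'N' FROM dual UNION ALL
  SELECT 'SYS',  'CREATE EXTERNAL JOB',   'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_LOB',              'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_LOCK',             'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_SQL',              'Y' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_SCHEDULER',        'N' FROM dual UNION ALL
  SELECT 'EXEC', 'DBMS_XMLGEN',           'N' FROM dual
),
held AS (  -- direct grants only
  SELECT 'SYS' AS kind, privilege AS priv FROM dba_sys_privs
   WHERE grantee = '&tssa_user'
  UNION
  SELECT 'ROLE', granted_role FROM dba_role_privs
   WHERE grantee = '&tssa_user'
  UNION
  SELECT 'EXEC', table_name FROM dba_tab_privs
   WHERE grantee = '&tssa_user' AND owner = 'SYS' AND privilege = 'EXECUTE'
)
SELECT r.kind, r.priv,
       CASE WHEN h.priv IS NULL THEN 'MISSING' ELSE 'GRANTED' END AS status,
       r.revoke_ok AS revocable_after_upgrade
  FROM required r
  LEFT JOIN held h ON h.kind = r.kind AND h.priv = r.priv
 ORDER BY status DESC, r.kind, r.priv;

-- Quota alternative to UNLIMITED TABLESPACE: MAX_BYTES = -1 means unlimited.
SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = '&tssa_user'
   AND tablespace_name IN ('BLADELOGIC', 'BLADELOGIC_INDEX');
```

EXECUTE rights that the account reaches only through PUBLIC or another role show as MISSING here, because the query reads direct grants only. Rows that are GRANTED with revocable_after_upgrade = 'Y' once the upgrade has finished are the ones to review for revocation.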

SQL Server database permissions

The bladelogic user account that you set up for a SQL Server database used by TrueSight Server Automation must be granted access to the dbo schema and membership to the db_owner role for the TrueSight Server Automation database. For more about setting up this user account, see Setting up a SQL Server database and user for TrueSight Server Automation and Walkthrough: Setting up a SQL Server database.

These permissions enable proper communication between the Application Server and the database, so that routine database tasks can be performed successfully (for example: creating tables, truncating tables, creating views, and inserting new data). In addition, these permissions are used to enable functions during database cleanup and to enable the necessary handshake between TrueSight Server Automation database and the TrueSight Smart Reporting for Server Automation ETL during database clean up.

For offline database cleanup, the database user is required to have the following additional permission for SQL Server:

The database user should have the sysadmin role.
Syntax: EXEC master..sp_addsrvrolemember @loginame = <tssa db user>, @rolename = 'sysadmin'
