One of the questions we see being asked reasonably frequently is how to allow read only access to someone who wants to view database performance issues, using tools such as Real Time ADDM, ASH Analytics and so on. This is generally asked for someone like an application developer, who can use this information to identify performance issues in Production and then fix the root cause in their Development environments.
Well, that’s a reasonable question to ask, and indeed if you search the internet you can find different ways of doing something like this. For EM12c, one of the best write-ups I’ve seen done on this was of course by one of my colleagues, Courtney Llamas. That write-up is available here.
So much for EM12c – what about EM13c? Well, you’ll be happy to know it’s even easier in EM13c, because that release introduced new functionality in the database plugin to deal with this exact issue. The functionality is called “Flexible Database Access Control”. This provides a privilege control model for database pages in Enterprise Manager Cloud Control 13c, allowing you to create different roles with specific privileges for different levels of database access such as:
- Application DBA Access
- Application Developer Access
- Database Monitoring User Access
- Database Administrator Access
So what exactly would these different roles do? You can see them defined in the documentation as:
- Application DBA – An application DBA is a restricted database administrator who manages application schemas, application objects, and application performance in the database. An application DBA should be able to find and fix application performance issues in the database. An application DBA is responsible for keeping the application up and running and in good performance.
- Application Developer – An application developer is a person who develops an application. Application developers capture requirements from customers and develop the application according to customer requirements. Application developers use Oracle Enterprise Manager to tune SQL in their application modules for optimal performance in production environments. Application developers are responsible for the modules of the application in development, test, and production environments.
- Database Monitoring User – The database monitoring user monitors the database for smooth functioning of the application in production environments. Monitoring users respond to alerts raised in the Enterprise Manager environment. Monitoring users can update the schedule of metrics and setup blackouts on the databases. Monitoring users are not allowed to make any changes to the production database. Monitoring users ensure that the application is up and running by responding to any issues reported and ensuring that the issues are assigned to the DBAs responsible for resolution.
- Database Administrator – Database administrators performs full database lifecycle management including installation configuration, monitoring, backup, recovery, and performance tuning.
One of the neat things about Flexible Database Access Control is that it not only solves the issue we started talking about (setting up read only access for performance issues), but it also provides a way of implementing higher levels of security at the same time – twice the bang for your buck! For all the details on how to set these roles up and grant them to relevant users in EM13c, have a look at section 4.1 of the Enterprise Manager Cloud Control Security Guide.
Hope you find this short tip useful!