000034839 - How to create an alternate database user for AVUSER and SYS to perform admin tasks or troubleshooting in RSA Identity Governance and Lifecycle

Document created by RSA Customer Support Employee on Feb 24, 2017. Last modified by RSA Customer Support Employee on Apr 14, 2017.
Version 4

Article Content

Article Number: 000034839
Applies To: RSA Product Set: Identity Governance and Lifecycle
 
Issue
The AVUSER and SYS database users are the accounts RSA Identity Governance and Lifecycle uses to connect to the Oracle database, and they are also used to perform administrative tasks and troubleshooting.
Changing the AVUSER or SYS password requires additional steps (including re-encrypting the password in the application configuration) and an application restart.
If your password policy requires frequent password changes, as is recommended, you may not want to rotate the AVUSER and SYS passwords on that schedule. Instead, create alternate database users for administrative tasks and troubleshooting, and rotate those passwords independently.
This solution provides the steps to create an alternate database user for AVUSER and for SYS to perform admin tasks or troubleshooting in Identity Governance and Lifecycle.
 
Tasks

SYS Alternatives


An alternative to using the SYS user is to create a new Oracle user and grant it the DBA role. Such a user can run the day-to-day administrative SQL that would otherwise be done as SYS, although it cannot perform SYSDBA-only operations such as starting up or shutting down the instance. A second alternative, applicable only with SQL*Plus, is OS authentication: add a Linux user to the dba group, which allows that user to connect to the instance as SYSDBA by running:
sqlplus / as sysdba
This eliminates the need to create an extra Oracle account and lets existing Linux users into the instance as SYS without a password. Because anyone in the dba group gets full SYSDBA access this way, membership in that group should be restricted and reviewed. This approach also does not work for remote administration, since the connection must be made locally on the database host.

 

AVUSER Alternatives


An alternative to AVUSER is to create a new user and, as SYS, grant it the SELECT ANY TABLE privilege (together with CREATE SESSION, which is required to connect). This gives the new Oracle user read-only access to any table in the database, including AVUSER's tables; note that the privilege is database-wide and not limited to the AVUSER schema. The new user's password can then be managed independently of AVUSER.
Note that assigning the new user the existing ACMPROFILE does not help. An Oracle profile controls resource limits and password policy, not access to objects. In particular, ACMPROFILE is configured so that AVUSER's password never expires. You should therefore create your own (probably new) Oracle profile with the password expiration period you want and assign that profile to the user that is allowed to read AVUSER's objects.
See the screen shots below for the out-of-the-box values of ACMPROFILE:
[Screen shot not reproduced here: out-of-the-box ACMPROFILE values.]
Resolution

To create alternate to SYS user


  1. Log in as sysdba:
$ sqlplus "/as sysdba"

  2. Execute the following commands to create the new user and grant it the DBA role:
CREATE USER <NewUser> IDENTIFIED BY <password>;
GRANT DBA TO <NewUser>;


To create alternate to AVUSER user


  1. Log in as sysdba:
$ sqlplus "/as sysdba"

  2. Execute the following commands to create the new user and grant it the CREATE SESSION and SELECT ANY TABLE privileges (without CREATE SESSION the user cannot log in):
CREATE USER <NewUser> IDENTIFIED BY <password>;
GRANT CREATE SESSION TO <NewUser>;
GRANT SELECT ANY TABLE TO <NewUser>;
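The two procedures above, combined with the separate password-expiry profile that the AVUSER Alternatives section calls for, as one SQL*Plus script. This is an added example and is not part of the RSA article or the product; the profile name ACM_ROTATING_PROFILE, the user names ACMADMIN and ACMREADER, the initial passwords and the 90-day lifetime are assumptions to be replaced with your own values.

```sql
-- Added example, not from the RSA article: creates an alternate DBA-role user
-- (in place of SYS) and a read-only user (in place of AVUSER), binds both to a
-- profile that expires passwords, then verifies the result.
-- Assumed names: ACM_ROTATING_PROFILE, ACMADMIN, ACMREADER and the sample passwords.
-- Run locally as SYSDBA:   sqlplus / as sysdba @alternate_users.sql

-- 1. A profile that enforces rotation. The out-of-the-box ACMPROFILE leaves
--    AVUSER's password non-expiring (PASSWORD_LIFE_TIME UNLIMITED); this one
--    expires passwords after 90 days and locks the account after 5 failures.
CREATE PROFILE acm_rotating_profile LIMIT
  PASSWORD_LIFE_TIME     90
  PASSWORD_GRACE_TIME    7
  PASSWORD_REUSE_TIME    365
  PASSWORD_REUSE_MAX     10
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1;

-- 2. Alternate to SYS. The DBA role already includes CREATE SESSION.
--    PASSWORD EXPIRE forces the operator to choose a new password at first login.
CREATE USER acmadmin IDENTIFIED BY "Initial_Admin_Pw#1"
  PROFILE acm_rotating_profile PASSWORD EXPIRE;
GRANT DBA TO acmadmin;

-- 3. Alternate to AVUSER. CREATE SESSION is required to connect and is not
--    implied by SELECT ANY TABLE. SELECT ANY TABLE is database-wide read access,
--    not limited to the AVUSER schema.
CREATE USER acmreader IDENTIFIED BY "Initial_Reader_Pw#1"
  PROFILE acm_rotating_profile PASSWORD EXPIRE;
GRANT CREATE SESSION TO acmreader;
GRANT SELECT ANY TABLE TO acmreader;

-- 4. Verify: both users exist with the new profile and the expected grants.
SELECT username, profile, account_status, expiry_date
  FROM dba_users
 WHERE username IN ('ACMADMIN', 'ACMREADER');

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'ACMADMIN';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'ACMREADER';

SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'ACM_ROTATING_PROFILE'
   AND resource_type = 'PASSWORD';

-- 5. Optional tighter alternative to SELECT ANY TABLE: generate per-object
--    SELECT grants on AVUSER's tables and views only, then run the generated
--    statements instead of step 3's GRANT SELECT ANY TABLE.
SELECT 'GRANT SELECT ON AVUSER.' || object_name || ' TO acmreader;' AS ddl
  FROM dba_objects
 WHERE owner = 'AVUSER'
   AND object_type IN ('TABLE', 'VIEW')
 ORDER BY object_name;
```

After running the script, connect once as each new user and set a real password when SQL*Plus prompts for it. Because ACMADMIN holds the DBA role, its password should be handled with the same care as the SYS password; the point of the separate profile is only that it can be rotated without touching AVUSER, SYS or the application configuration.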
