
Oracle database inventory with non OS user

Hi,

We usually execute the zero footprint inventory for Oracle DB using the same user that connects to the target over SSH. So if the user is user1, user1 has sqlplus sudo privileges and a grant select on the list of tables and views as described in the documentation.

Now I have some customer servers where a user2 needs to be used to connect to the DB because of some security policies.

How can that be done with Flexera?

Thanks

(8) Replies
ChrisG (Community Manager)
I think the description here may be confusing different user accounts. There are different steps involved on UNIX-like computers:

First of all, the "zero footprint" (remote execution) process will make an SSH connection to the target device. This is using credentials stored in the Password Store on the beacon. I imagine that this is the "user1" referred to in your description.

Once connected, sudo is used to invoke the ndtrack (inventory gathering) process as root.

The inventory gathering process identifies a running Oracle Database "smon" process, and impersonates the user of that process to connect to the database.

When using zero footprint inventory gathering, there is no way to directly control the user account that is used to connect to the database. However if the Oracle Database "smon" process is running as "user1" or "user2", that account is what will be used to invoke sqlplus to connect to the database.
(Did my reply solve the question? Click "ACCEPT AS SOLUTION" to help others find answers faster. Liked something? Click "KUDO". Anything expressed here is my own view and not necessarily that of my employer, Flexera.)
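
To see which OS account the inventory agent would end up using on a given host, an administrator can list the owner of each running smon process. The script below is an added example, not part of the original thread or of Flexera's tooling; it assumes the usual `ora_smon_<SID>` process naming, and the function names and sample `ps` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OS account owns each Oracle "smon" background
# process, i.e. the account the reply above says is used to invoke sqlplus.
# Assumption: instances follow the usual ora_smon_<SID> process naming.

# Read "USER COMMAND..." lines on stdin, print "<SID> <owner>" per instance.
smon_owners() {
    awk '$2 ~ /^ora_smon_/ {
        sid = $2
        sub(/^ora_smon_/, "", sid)
        print sid, $1
    }'
}

# Print only the instances whose smon owner differs from the expected
# account ($1), so unexpected accounts stand out during a review.
smon_unexpected() {
    expected=$1
    smon_owners | awk -v want="$expected" '$2 != want { print }'
}

# Constructed sample of `ps -eo user=,args=` output (not from a real host).
sample_ps() {
    cat <<'EOF'
root     /usr/sbin/sshd -D
oracle   ora_pmon_PROD
oracle   ora_smon_PROD
user2    ora_smon_TEST
user1    grep ora_smon_
EOF
}

# On a live host: ps -eo user=,args= | smon_owners
```
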

Thanks Chris,

user1 is as you described.

This process was not clear to us; we were always told that user1 was responsible for performing the queries. Thanks for clarifying.

So we have no need of user2? (user2 would be a user of the DB able to perform queries on the tables described in Appendix C of the document FNMSSystemReference.)

Right - from the description of your particular scenario and approach to gathering inventory, I don't think you need a "user2" as long as "user1" has access to login to the target server via SSH and execute sudo.

Thanks Chris!

Do you have a link to the full documentation? I'd like to go deeper into it.

You can find documentation by clicking on the "Other Resources > Documentation" link in Flexera Community. Select your product ("FlexNet Manager Suite Cloud" or "FlexNet Manager Suite On Premises") and version. The particular guide that is likely most relevant to you here is the "FlexNet Manager Suite System Reference" - see the "Oracle Discovery and Inventory" chapter in there.

Thanks Chris, that is exactly the document I'm reading. So I'm not able to understand the value of the information in Appendix C of that document, which I was mentioning in my previous reply. Do you have any direction on that? I see there are instructions to have a user in Oracle with select granted on a list of tables. But I cannot tell when this needs to be applied.

Thanks for your support

The information about access rights to particular tables is most commonly relevant when you use the functionality in the beacon to connect directly to Oracle Databases and run queries. In that case access rights may need to be set up for the Oracle user that is configured on the beacon.

However based on the description of the approach you are taking to gather inventory, I don't believe you are using that functionality. I believe you are using the inventory agent (ndtrack) to connect to the Oracle Database. That is a different mechanism (as described earlier in this thread), and you typically don't need to set up access rights to particular tables for this. Generally using the inventory agent to gather Oracle Database inventory is a more robust approach than having a beacon attempt to connect directly to Oracle Databases, so you are on the right path.

Thanks Chris, we are currently trying without an agent, with a zero footprint strategy. So there is a little bit of confusion about the steps to take. It looks like not a lot of customers have gone down this road.