Oracle® Secure Backup Reference
Release 10.1

Part Number B14236-03

mkclass

Purpose

Use the mkclass command to define a user class.

Oracle Secure Backup predefines a number of classes, which are described in Appendix B, "Classes and Rights".

See Also:

"Class Commands" for related commands

Prerequisites

You must have the modify administrative domain's configuration right to use the mkclass command.

Syntax

mkclass::=

mkcl•ass [ --modself/-m { yes | no } ] [ --modconfig/-M { yes | no } ]
[ --backupself/-k { yes | no } ]  [ --backuppriv/-K { yes | no } ]
[ --restself/-r { yes | no } ]    [ --restpriv/-R { yes | no } ]
[ --listownjobs/-j { yes | no } ] [ --modownjobs/-J { yes | no } ]
[ --listanyjob/-y { yes | no } ]  [ --modanyjob/-Y { yes | no } ]
[ --mailinput/-i { yes | no } ]   [ --mailerrors/-e { yes | no } ]
[ --querydevs/-q { yes | no } ]   [ --managedevs/-d { yes | no } ]
[ --listconfig/-L { yes | no } ]  [ --browse/-b browserights ]
[ --orauser/-o { yes | no } ]     [ --orarights/-O oraclerights ]
classname...

Semantics

The default for all mkclass options that require a yes or no value is no.

--modself/-m { yes | no }

Enables users to modify their own password and given name.

--modconfig/-M { yes | no }

Enables users to modify (create, modify, rename, and remove) all objects in an Oracle Secure Backup administrative domain. These modifiable objects include objects representing classes, users, hosts, devices, defaults, and policies.

--backupself/-k { yes | no }

Enables users to run backups under their own user identity.

--backuppriv/-K { yes | no }

Enables users to run backups as the root or privileged user.

--restself/-r { yes | no }

Enables users to restore the contents of backup images under the restrictions of the access rights imposed by the user's UNIX name/group or Windows domain/account.

--restpriv/-R { yes | no }

Enables users to restore the contents of backup images as a privileged user. On Linux and UNIX hosts, a privileged restore operation runs under the root operating system identity. For example, Oracle Secure Backup user joeblogg runs under operating system account root. On Windows systems, the restore operation runs under the same account as the Oracle Secure Backup service on the Windows client.

--listownjobs/-j { yes | no }

Grants users the right to view the following:

  • Status of scheduled, ongoing, and completed jobs that they configured

  • Transcripts for jobs that they configured

--modownjobs/-J { yes | no }

Grants users the right to modify only jobs that they configured.

--listanyjob/-y { yes | no }

Grants users the right to view the following:

  • Status of any scheduled, ongoing, and completed jobs

  • Transcripts for any job

--modanyjob/-Y { yes | no }

Grants users the right to make changes to all jobs.

--mailinput/-i { yes | no }

Enables users to receive email when Oracle Secure Backup needs manual intervention. Occasionally, during backup and restore operations, manual intervention of an operator is required. This situation can occur if a required volume cannot be found or a new tape is required to continue a backup. In such cases, Oracle Secure Backup sends email to all users who belong to classes having this right.

--mailerrors/-e { yes | no }

Enables users to receive email messages describing errors that occur during Oracle Secure Backup activity.

--querydevs/-q { yes | no }

Enables users to query the state of devices.

--managedevs/-d { yes | no }

Enables users to control the state of devices by means of the obtool command.

--listconfig/-L { yes | no }

Enables users to list objects, for example, hosts, devices, and users, in the administrative domain.

--browse/-b browserights

Grants users browsing rights. Specify one of the following browserights values, which are listed in order of decreasing privilege:

  • privileged means that users can browse all directories and catalogs.

  • notdenied means that users can browse any catalog entries for which they are not explicitly denied access. This option differs from permitted in that it allows access to directories having no stat record stored in the catalog.

  • permitted means that users are bound by normal UNIX permissions checking (default). Specifically, Oracle Secure Backup users can only browse directories if at least one of the following conditions is applicable:

    • The UNIX user defined in the Oracle Secure Backup identity is listed as the owner of the directory, and the owner has read rights.

    • The UNIX group defined in the Oracle Secure Backup identity is listed as the group of the directory, and the group has read rights.

    • Neither of the preceding conditions is met, but the UNIX user defined in the Oracle Secure Backup identity has read rights for the directory.

  • named means that users are bound by normal UNIX rights checking, except that others do not have read rights. Specifically, Oracle Secure Backup users can only browse directories if at least one of the following conditions is applicable:

    • The UNIX user defined in the Oracle Secure Backup identity is listed as the owner of the directory, and the owner has read rights.

    • The UNIX group defined in the Oracle Secure Backup identity is listed as the group of the directory, and the group has read rights.

  • none means that users have no rights to browse any directory or catalog.

--orauser/-o { yes | no }

Enables users to perform Oracle backup and restore operations (yes or no). This right enables users to perform any SBT operation, regardless of what other rights they have. For example, a user with this right can perform SBT restore operations even if the perform restores as self right is set to no.

--orarights/-O oraclerights

Enables users with the specified rights to access Oracle database backups. The oraclerights placeholders can be any of the following values:

  • class means that users can access SBT backups created by any Oracle Secure Backup user in the same class.

  • all means that users can access all SBT backups.

  • none means that users have no rights to access SBT backups.

  • owner means that users can access only those SBT backups that they themselves have created (default).

classname ...

Specifies the name of the class to be created. Class names are case-sensitive and must start with an alphanumeric character. They can contain only letters, numerals, dashes, underscores, and periods (no spaces). They may contain at most 127 characters.

Example

Example 2-80 creates a class called backup_admin. The command accepts the default value of no for --listownjobs, --modownjobs, --listanyjob, --modanyjob, --managedevs, and --orauser, and the default value of owner for --orarights. Because of space constraints, the mkclass command in the example spans multiple lines.

Example 2-80 Making a Class

ob> mkclass --listconfig yes --modself yes --modconfig yes --backupself yes
--backuppriv yes --restself yes --restpriv yes --mailinput yes --mailerrors yes
--querydevs yes --browse privileged backup_admin
ob> lsclass --long backup_admin
backup_admin:
    browse backup catalogs with this access:         privileged
    access Oracle backups:                           owner
    display administrative domain's configuration:   yes
    modify own name and password:                    yes
    modify administrative domain's configuration:    yes
    perform backups as self:                         yes
    perform backups as privileged user:              yes
    list any jobs owned by user:                     no
    modify any jobs owned by user:                   no
    perform restores as self:                        yes
    perform restores as privileged user:             yes
    receive email requesting operator assistance:    yes
    receive email describing internal errors:        yes
    query and display information about devices:     yes
    manage devices and change device state:          no
    list any job, regardless of its owner:           no
    modify any job, regardless of its owner:         no
    user can perform Oracle backups and restores:    no
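
The following is an added example, not part of the Oracle documentation: a small Python audit that parses lsclass --long output and reports the rights that grant root-level or domain-wide access according to the Semantics section above. It assumes the output layout shown in Example 2-80; the names parse_lsclass, audit, and REVIEW, and the choice of which rights to flag, are this example's own.

```python
# Constructed sample: the lsclass --long output shown in Example 2-80.
SAMPLE = """\
backup_admin:
    browse backup catalogs with this access:         privileged
    access Oracle backups:                           owner
    display administrative domain's configuration:   yes
    modify own name and password:                    yes
    modify administrative domain's configuration:    yes
    perform backups as self:                         yes
    perform backups as privileged user:              yes
    list any jobs owned by user:                     no
    modify any jobs owned by user:                   no
    perform restores as self:                        yes
    perform restores as privileged user:             yes
    receive email requesting operator assistance:    yes
    receive email describing internal errors:        yes
    query and display information about devices:     yes
    manage devices and change device state:          no
    list any job, regardless of its owner:           no
    modify any job, regardless of its owner:         no
    user can perform Oracle backups and restores:    no
"""

# Right label -> (value to flag, effect per the Semantics section); hypothetical selection.
REVIEW = {
    "modify administrative domain's configuration": ("yes", "can change classes, users, hosts, devices"),
    "perform backups as privileged user": ("yes", "backups run as root or privileged user"),
    "perform restores as privileged user": ("yes", "restores run as root on Linux/UNIX"),
    "browse backup catalogs with this access": ("privileged", "browses all directories and catalogs"),
    "access Oracle backups": ("all", "reads every SBT backup"),
    "user can perform Oracle backups and restores": ("yes", "any SBT operation, other rights ignored"),
}

def parse_lsclass(text):
    """Return {classname: {right label: value}} from lsclass --long output."""
    classes, current = {}, None
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # unindented "name:"
            current = line.rstrip()[:-1]
            classes[current] = {}
        elif current and ":" in line:                          # indented "label: value"
            label, _, value = line.rpartition(":")
            classes[current][label.strip()] = value.strip()
    return classes

def audit(text):
    """List (classname, right label, effect) for every flagged right."""
    return [(name, label, why) for name, rights in parse_lsclass(text).items()
            for label, (flag, why) in REVIEW.items() if rights.get(label) == flag]
```

Run against the backup_admin class from Example 2-80, audit(SAMPLE) reports four rights: modify configuration, privileged backups, privileged restores, and privileged browsing.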