on 09-16-2009 11:59 AM
As topic, which are the minimum requirements under Server Rights for a DBM Operator that will be used for doing backups and recovery?
Scenario 2 on this link looks helpful, http://maxdb.sap.com/doc/7_7/44/eb1670b6f0108ee10000000a11466f/content.htm, but SERVERRIGHTS=Backup,Recovery,ParamCheckWrite,Scheduling seems to be insufficient.
Please advice.
>SERVERRIGHTS=Backup,Recovery,ParamCheckWrite,Scheduling seems to be insufficient.
How so ?
dbmcli -d db770 -u control,control
dbmcli on db770>user_create backdba,backdba
OK
---
dbmcli on db770>user_put backdba serverrights=+BACKUP,+RECOVERY
OK
---
dbmcli on db770>user_logon backdba,backdba
OK
---
dbmcli on db770>medium_getall
OK
db770full C:\sapdb\backup\db770full FILE DATA 0 8 YES NO 20080128154830
20080128154830 NONE 0
db770log C:\sapdb\backup\db770log FILE AUTO 0 8 NO NO 20080128154846
20080128154846 NONE 0
db770log_ADSM \\.\pipe\DB770_log PIPE LOG 0 8 NO NO 20080619183107 20080619
183107 TSM 0
---
dbmcli on db770>db_connect
OK
---
dbmcli on db770>backup_start db770full data
OK
Returncode 0
Date 20090916
Time 00143911
Server *********************************
Database DB770
Kernel Version Kernel 7.7.06 Build 009-123-202-944
Pages Transferred 6560
Pages Left 0
Volumes 1
Medianame db770full
Location C:\sapdb\backup\db770full
Errortext
Label DAT_000000027
Is Consistent true
First LOG Page 24668
Last LOG Page
DB Stamp 1 Date 20090916
DB Stamp 1 Time 00143910
DB Stamp 2 Date
DB Stamp 2 Time
Page Count 6540
Devices Used 1
Database ID *********************************:DB770_20090818_152213
Max Used Data Page 0
Converter Page Count 19
---
dbmcli on db770>
Works for me...
regards,
Lars
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Lars, thanks for quick replies. I really appreciate it.
Since we are running on Windows I´ve posted some screenshots:
Now finally we get closer to your issue.
You don't have problems taking backups with the reduced serverrights I demonstrated.
What you do have are problems with using DBMGUI with the reduced serverrights.
This is something completely different.
The GUI tools use a lot of features that aren't exactly necessary just to run a backup (as I showed it).
Therfore you've to provide much more permissions to make it work via DBMGUI or BACKUP Wizard:
dbmcli on db770>user_getrights backdba serverrights
OK
DBInfoRead + Request status data
SystemCmd - Execute operating system commands
ExecLoad - Execute the LOAD program
UserMgm - User management
DBFileRead - Database file access (read only)
Backup + Saving backups
InstallMgm + Installation management
LoadSysTab + Load the system tables
ParamCheckWrite + Parameter access (checked write)
ParamFull + Parameter access (read and write)
ParamRead + Parameter access (read only)
DBStart + Start database instance
DBStop - Stop database instance
Recovery + Restoring backups
AccessSQL + Access to SQL session
AccessUtility + Access to utility session
SharedMemoryMgm - Shared memory management
SchedulerMgm + Scheduler management
Scheduling - Scheduler use
EvtDispMgm + Event Dispatcher management
EvtDisp - Event Dispatcher use
However, I don't see the point here.
What's wrong for a database backup admin to run the dbmcli command?
He shouldn't do anything else, right?
Therfore there's no need to give this dba the full blown DBMGUI access to do everything.
regards,
Lars
Hello again,
the screenshot you posted the link to shows a permission error caused by "user_getrights" command.
I'd be very surprised to find this being issued by the data protector.
As the dataprotector really shouldn't require the permission set to run the DBMGUI, the few permssions I posted before should definitively be enough.
Maybe you want to check with the dataprotector guys about what exactly they're doing when they trigger backups, e.g. what exact dbm commands they call.
regards,
Lars
BTW:
even if you're on windows you can use the logfiles and the command line interface. It's easier to post in the forum that way.
In case anyone finds this old thread in a web search (as I did, for "data protector maxdb rights"), the following minimum permissions have worked for the DBM user configured for the Data Protector integration:
(In dbmcli)
user_put user SERVERRIGHTS=+InstallMgm,+Recovery,+Backup,+ParamCheckWrite,+DBInfoRead
Verification:
user_getrights user SERVERRIGHTS
Expected output with plus '+' signs:
...
InstallMgm + Installation management
...
Recovery + Restoring backups
Backup + Saving backups
...
ParamCheckWrite + Parameter access (checked write)
...
DBInfoRead + Request status data
...
Suggested user:
DATAPROTECTOR
(It is long, but you will not be typing it in interactively but instead can copy and paste it into the Data Protector integration, and using a longer name since not aware of a way to add a comment or description for a DBM user.)
With the above rights minus DBInfoRead, the following error was encountered by Data Protector:
-24937,ERR_MISSRIGHT: No permission for DBM command user_getrights
(As of this post, the Data Protector 9.06 Integration Guide documented the other rights as necessary but did not mention DBInfoRead. I have sent documentation feedback to HPE.)
Tested environment:
Data Protector 9.05
MaxDB 7.9
HP-UX 11.31
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.