HELPLIB.HLB  —  RMU72  Set  Privilege  Usage Notes
    o  You must have the RMU$SECURITY privilege in the root file ACL
       for a database or the OpenVMS SECURITY or BYPASS privilege
       to use the RMU Set Privilege command for the database. The
       RMU$SECURITY access is VMS BIT_15 access in the ACE. You can
       grant yourself BIT_15 access by using the DCL SET ACL command
       if you have (READ+WRITE+CONTROL) access.

    o  By default, a root file ACL is created for every Oracle Rdb
       database. In some cases, the root file ACL may not allow
       the appropriate Oracle RMU access for the database to all
       Oracle RMU users. In these situations, you must use the RMU
       Set Privilege command to modify the root file ACL to give the
       appropriate Oracle RMU access to Oracle RMU users. Privileges
       Required for Oracle RMU Commands shows the privileges required
       to access each Oracle RMU command.

    o  The root file ACL created by default on each Oracle Rdb
       database controls only a user's Oracle RMU access to the
       database (by specifying privileges that will allow a user or
       group of users access to specific Oracle RMU commands). Root
       file ACLs do not control a user's access to the database with
       SQL statements.

       A user's access to a database with SQL statements is governed
       by the privileges granted to the user in the database ACL
       (the ACL that is displayed using the SQL SHOW PROTECTION ON
       DATABASE command).

    o  If you find that the root file ACL has changed, or is not
       set as expected, it may be because a layered product has
       manipulated the OpenVMS directory or file ACLs. This can
       result in the unintentional alteration of an Oracle RMU access
       right.

       For example, Oracle CDD/Repository may use the following ACE:

       (IDENTIFIER=[*,*],OPTIONS=DEFAULT+PROPAGATE,ACCESS=NONE)

       If this ACE is propagated to an Oracle Rdb database, such
       as CDD$DATABASE or CDD$TEMPLATE, OpenVMS privileges may be
       required to manage that database. Or, you can use the RMU Set
       Privilege command to change the ACL on the affected database.

    o  If you need to move a database from one system to another, you
       should be aware that the identifiers used in the database's
       root file ACL on the source system are not likely to be
       valid identifiers on the destination system. Thus, if the
       database root file ACL from the source system is moved to the
       destination system without modification, only those users with
       the same identifiers on both systems have the same Oracle RMU
       access to the database on the destination system as they had
       to the database on the source system.

       For example, suppose that the mf_personnel database with the
       following root file ACL is moved from its current system to
       another node. If the database root file ACL is moved without
       modification to the destination node, the users USER, USER2,
       USER3, USER4, and USER5 will not have any Oracle RMU access to
       the database on the destination node unless they have the same
       identities on the destination node.

       $ RMU/SHOW PRIVILEGE MF_PERSONNEL.RDB
       Object type: file, Object name:SQL_USER:[USER]MF_PERSONNEL.RDB;1,
       on 31-MAR-1992 15:48:36.24

          (IDENTIFIER=[SQL,USER],ACCESS=READ+WRITE+CONTROL+RMU$ALTER+
          RMU$ANALYZE+RMU$BACKUP+RMU$CONVERT+RMU$COPY+RMU$DUMP+RMU$LOAD+
          RMU$MOVE+RMU$OPEN+RMU$RESTORE+RMU$SECURITY+RMU$SHOW+RMU$UNLOAD+
          RMU$VERIFY)
          (IDENTIFIER=[SQL,USER2],ACCESS=RMU$ANALYZE+RMU$OPEN+RMU$VERIFY)
          (IDENTIFIER=[SQL,USER3],ACCESS=RMU$SECURITY)
          (IDENTIFIER=[RDB,USER4],ACCESS=RMU$BACKUP+RMU$CONVERT+RMU$DUMP+
          RMU$RESTORE)
          (IDENTIFIER=[RDB,USER5],ACCESS=RMU$LOAD+RMU$SHOW)
          (IDENTIFIER=[*,*],ACCESS=NONE)

    o  The following list describes some ways to move a database from
       one node to another and explains what happens to the original
       root file ACL in each scenario:

       -  RMU Restore command

          First, use the RMU Backup command to back up the database
          on the source node and to create an .rbf file. Then, copy
          the .rbf file from the source node to the destination
          node. When you use the RMU Restore command to re-create
          the database from the source node on the destination node,
          the database on the destination node will have the same
          root file ACL as the database on the source node. If a
          user with the RMU$SECURITY privilege in the root file
          ACL on the source node has the same identifier on the
          destination node, that user can modify the root file ACL
          on the destination node to grant users the privileges they
          need for Oracle RMU access to the database. Otherwise, a
          user with one of the OpenVMS override privileges (SECURITY
          or BYPASS) needs to modify the root file ACL.

       -  RMU Restore command with the Noacl qualifier

          First, use the RMU Backup command to back up the database
          on the source node and to create an .rbf file. Then, copy
          the .rbf file from the source node to the destination
          node. When you use the RMU Restore command with the Noacl
          qualifier to re-create the database from the source node on
          the destination node, the database on the destination node
          is created with an empty root file ACL. A user with one of
          the OpenVMS override privileges (SECURITY or BYPASS) needs
          to modify the root file ACL to grant users the privileges
          they need for Oracle RMU access to the database.

       -  SQL IMPORT statement

          First, use the SQL EXPORT statement on the source node
          to create an .rbr file. Then, copy the .rbr file from the
          source node to the destination node. When you use the SQL
          IMPORT statement on the destination node, the imported
          database is created with the same root file ACL as existed
          on the database on the source node. If a user with the
          RMU$SECURITY privilege in the root file ACL on the source
          node has the same identifier on the destination node, that
          user can modify the root file ACL on the destination node
          to grant users the privileges they need for Oracle RMU
          access to the database. Otherwise, a user with one of the
          OpenVMS override privileges (SECURITY or BYPASS) needs to
          modify the root file ACL to grant users the privileges they
          need for Oracle RMU access to the database.

       -  SQL IMPORT NO ACL statement

          First, use the SQL EXPORT statement on the source node to
          create an .rbr file. Then, copy the .rbr file from the
          source node to the destination node. When you use the
          SQL IMPORT NO ACL statement on the destination node, the
          imported database is created with a root file ACL that
          contains one ACE. The single ACE will grant the OpenVMS
          READ, WRITE, and CONTROL privileges plus all the Oracle RMU
          privileges to the user who performed the IMPORT operation.
          The user who performed the IMPORT operation can modify the
          root file ACL to grant users the privileges they need for
          Oracle RMU access to the database.
Close Help