In TSCO, can the granted privileges provided to the BCO_OWN, BCO_DASH, and BCO_REP database users be restricted beyond the default grants?

Version 4
    Share:|

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    TrueSight Capacity Optimization


    COMPONENT:

    Capacity Optimization


    APPLIES TO:

    TrueSight Capacity Optimization 10.7, 10,5, 10.3, 10.0 ; BMC Capacity Optimization 9.5



    QUESTION:

    The question we have is whether TrueSight Capacity Optimization (TSCO) can be installed using the default set of grants provided to the database user roles and then during normal execution be run under a more restricted set of grants? Put another way, once the BCO installation is complete can default privileges granted to the TSCO database users be removed?

    For example we were thinking about setting up different grants to be used at install time versus during standard run time like this:

    Installation role for BCO_OWN, BCO_DASH:

    CREATE ROLE BCO_CREATE_ROLE NOT IDENTIFIED;
    GRANT CREATE SYNONYM TO BCO_CREATE_ROLE;
    GRANT CREATE TABLE TO BCO_CREATE_ROLE;
    GRANT CREATE VIEW TO BCO_CREATE_ROLE;
    GRANT CREATE SEQUENCE TO BCO_CREATE_ROLE;
    GRANT CREATE TYPE TO BCO_CREATE_ROLE;
    GRANT CREATE PROCEDURE TO BCO_CREATE_ROLE;
    GRANT CREATE TRIGGER TO BCO_CREATE_ROLE;
    GRANT CREATE OPERATOR TO BCO_CREATE_ROLE;

    Post installation role for BCO_OWN,BCO_DASH:

    CREATE ROLE BCO_ADMIN_ROLE NOT IDENTIFIED;
    GRANT CREATE TABLE TO BCO_ADMIN_ROLE;
    GRANT CREATE VIEW TO BCO_ADMIN_ROLE;

    Note: BCO_CAT_REP roles remains the same before and after the installation.

    CREATE ROLE BCO_REPORT_ROLE NOT IDENTIFIED;
    GRANT CREATE SESSION TO BCO_REPORT_ROLE;
    GRANT CREATE SYNONYM TO BCO_REPORT_ROLE;

    Would that be an acceptable configuration for BMC TrueSight Capacity Optimization?

    Applies to:

    TrueSight Capacity Optimization
    BMC Capacity Optimization


     


    ANSWER:

     

    Legacy ID:KA387528

      

    The support statement provided by the TrueSight Capacity Optimization (TSCO) Product Management team is that the only TSCO database user privileges we consider to be a supported configuration are the documented out of the box user permissions as set by the create_users_and_tablespaces.sql script and any other restricted steps of permissions would be considered an unsupported configuration since the product is designed under the assumption that the TSCO database user will have the full set of privileges that are assigned when the account is created by TSCO.

    The expectation is that most day to day features within TSCO should work with the restricted permissions set you have granted the user outside of the Administration -> System -> Maintenance activity actions (which will work in some cases but may not work in others). But the concern is that Development isn't actively working to design the product to work only with the limited permissions subset so at any point something could be done within the product that would make that subset insufficient.

    The list of standard user grants can be identified in the create_users_and_tablespaces_template_filesystem.sql script that is found in the product documentation for each release.  For example:  https://docs.bmc.com/docs/display/btco107/Preparing+to+install+without+a+sysdba+password#Preparingtoinstallwithoutasysdbapassword-Contentofcreate_users_and_tablespaces.sql

       Related Products:  
       
    1. BMC Capacity Optimization

     


    Article Number:

    000023807


    Article Type:

    FAQ/Procedural



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles