From: Jonathan Birchall (Jonathan.Birchall@Xchanging.com)
Date: Mon May 21 2007 - 03:54:40 EDT
Thanks to William for the solution below.
Assuming you want all the DBAs to be able to stop/start all instances.

In your SMF manifest, add a definition like this:

    <!-- to start/stop oracle -->
    <property_group name='general' type='framework'>
        <propval name='action_authorization' type='astring'
            value='solaris.smf.manage.oracle' />
        <propval name='value_authorization' type='astring'
            value='solaris.smf.manage.oracle' />
    </property_group>

Then add a line like:

    solaris.smf.manage.oracle:::Manage Oracle Service States::

to /etc/security/auth_attr
and modify the appropriate accounts to have the
solaris.smf.manage.oracle authorization:

    usermod -A solaris.smf.manage.oracle $user

When the user logs in again, they should have the ability to
enable/disable (permanently or temporarily)
the SMF services you modified.

If you wanted to have different DBAs able to modify different
instances, then make an authorization for each instance, like:

    solaris.smf.manage.oracle.instance1
    solaris.smf.manage.oracle.instance2

and assign those.
--
William D. Hathaway              email: william.hathaway@versatile.com
Solutions Architect              aim: wdhPO
Versatile, Inc.                  cell: 717-314-5461

On May 18, 2007, at 3:46 AM, Jonathan Birchall wrote:
> Hello,
>
> I have built a sunfire v445 on which 3 separate instances of oracle 10g
> are running. These are started by the SMF under different projects,
> however I have come up against a mental block as to how to have the oracle
> user start these in their respective projects using svcadm.
>
> I can configure the oracle users as a role and allow them service
> manager rights but this does not allow the granularity required as the
> oracle role then appears to be able to have full svcadm rights. I do
> trust my DBAs but not that much.
>
> Has anyone done this, or could point me in the direction of a good
> document which shows the project side of things. I have read the sun
> blue print on starting apache as a non root user but this doesn't seem
> to cover what I need, that or I don't quite grasp the finer points.
>
> Regards
>
> Jonathan
> _______________________________________________
> sunmanagers mailing list
> sunmanagers@sunmanagers.org
> http://www.sunmanagers.org/mailman/listinfo/sunmanagers
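
To check that the per-instance split in the reply really limits each DBA to one instance, this added example (not part of the original thread) lists the accounts whose direct auths= entry covers a given authorization, either by exact name or through a trailing "*" wildcard such as solaris.smf.manage.*. The account names and file contents are constructed, and it assumes the user_attr layout that usermod -A writes to /etc/user_attr.

```sh
#!/bin/sh
# Added example: list accounts whose direct auths= entry covers an SMF
# authorization. Assumption: only user_attr is checked; authorizations that
# arrive through profiles (prof_attr) or policy.conf are not resolved here.

# auth_defined AUTH AUTH_ATTR_FILE: succeeds if AUTH has its own entry
auth_defined() {
    awk -F: -v a="$1" '$1 == a { found = 1 } END { exit !found }' "$2"
}

# grants GRANTED WANTED: exact match, or GRANTED ends in "*" and the part
# before the "*" is a prefix of WANTED
grants() {
    case "$1" in
        "$2") return 0 ;;
        *\*)  prefix=${1%\*}
              case "$2" in "$prefix"*) return 0 ;; esac ;;
    esac
    return 1
}

# holders AUTH USER_ATTR_FILE: prints "user granting-auth" for each match.
# The body is a subshell so "set -f" (no globbing on "*") does not leak.
holders() (
    set -f
    grep -v '^#' "$2" | while IFS=: read -r user _q _r1 _r2 attrs; do
        list=$(printf '%s\n' "$attrs" | tr ';' '\n' | sed -n 's/^auths=//p')
        for g in $(printf '%s' "$list" | tr ',' ' '); do
            if grants "$g" "$1"; then echo "$user $g"; fi
        done
    done
)

# Constructed sample files (not taken from a real host)
demo=$(mktemp -d)
cat > "$demo/auth_attr" <<'EOF'
solaris.smf.manage.oracle.instance1:::Manage Oracle instance1::
solaris.smf.manage.oracle.instance2:::Manage Oracle instance2::
EOF
cat > "$demo/user_attr" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All;type=normal
dba1::::type=normal;auths=solaris.smf.manage.oracle.instance1
dba2::::type=normal;auths=solaris.smf.manage.oracle.instance2
ops::::type=normal;auths=solaris.smf.manage.*
EOF

holders solaris.smf.manage.oracle.instance1 "$demo/user_attr"
```

On a live host the same functions can be pointed at /etc/user_attr and /etc/security/auth_attr; any account that shows up only through a wildcard is one to review.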