Local And Common Users in Oracle Database 12c

The Oracle 12c multitenant database can have two classes of users, whose rights and privileges need to be understood and harnessed to in order to manage the databases. 

§        Local users

o       Users who exist only within a single pluggable database (PDB)  - i.e. the one where they are created

§        Common users

o       Users who exist in all containers current and future and can navigate across them.

The table below compares the most important features of the common user against the local user side by side, and discusses plugging operations as applicable to common users.

Common user	Local user
The scope of this user is all current and future containers.	The scope of the local user is limited to the container in which it was created.
The common user’s scope is administrative and system duties across multiple containers.	The local user does not have an existence or meaning outside of his container.
Once created, the common user will be visible across all containers. However, such a user needs explicit grants to be able to connect to and do things a pdb. And his grants can differ from pdb to pdb. The common user can switch containers - if granted the required privileges. e.g. ALTER SESSION SET CONTAINER=hrpdb;	The local user cannot connect to the root. The local user will also need explicit grants like create session, etc to do things within his container. The local user cannot connect to a container other than the one in which the user was created.
A number of common users like SYS and SYSTEM are Oracle-supplied. Non-Oracle supplied common users can be user-created but their names must begin with C##.	Local users can be Oracle-supplied (e.g. sample schemas like SCOTT,HR) or user-created. Local user’s names cannot begin with C##, because that would make them a common user.

In the remaining sections, the creation and administration of local and common users is briefly discussed.

Also covered briefly are local and common grants.

Creating users in a 12c multitenant container database

Creating a local user

Local users can be created by CDB administrative users (CDB or PDB administrator) after connecting to the specific PDB.  The steps to create a local user are shown below.

1. Connect to the specific PDB as an administrative user. To connect to the specific PDB (PDB1) as the PDB dba, you can use easy-connect syntax as shown below. But, it is very important to connect to the correct container.

2. Issuer the CREATE USER command. And issue the CREATE SESSION and CREATE TABLE GRANTS.

3. Test the connectivity. In the screen below HR is able to connect to PDB1 but not to the root CDB1. That’s because HR is a local user – local to the PDB1 container only.

Creating a common user

The common user is a new kind of user in 12c, found in 12c multitenant databases. Once created, this user will be known and exist in all containers current and future.

Such a user can receive a special kind of GRANT, known as a common grant. A common grant is respected in all containers current and future, and is a powerful privilege. It should be issued to administrative users only.

The common user’s purpose is to administer multiple pluggable databases. Such a dba may be responsible to start/stop, restore/recover multiple PDBs – but only the ones to which he has been granted the necessary access.

Whereas, administration is something a PDB administrator can do within his pluggable database only.

The steps to create a common user are shown below.

Note:

This is a created common user and not a Oracle-supplied one. Therefore, the username must begin with C##.

1. Connect to the ROOT container as a privileged user like SYS.
2. Issue the CREATE USER command, and GRANT the CREATE SESSION privilege only.

Below, the GRANT was specified with CONTAINER=ALL, therefore this is a COMMON grant, valid across all containers.

3. Test the connectivity.

In another shell, start sqlplus and connect using the credentials of the new user, to the root and to the PDB1 container. Then try to switch containers with ALTER SESSION SET CONTAINER.

C##DBA1 can directly connect to the container CDB2 and PDB1.

But SWITCHing containers is not possible yet. That needs a GRANT SET CONTAINER.

4. Still connected to the root as SYSDBA, do a local GRANT, GRANTING the SET CONTAINER privilege to C##DBA1.

5. Test the switching ability. Now, the c##dba1 user can only switch from any container to the root, not vice versa. Because of the local nature of the grant, it is only respected in the root.

6. From the root, as SYSDBA, now do a common GRANT to allow the C##DBA1 to switch containers freely.

7. Test the connectivity. Now the C##DBA1 user is able to switch containers.

8. From the PDB1 container, as SYSDBA, GRANT the SYSOPER privilege to the user C##DBA1.
   

9. Note that the grant is a local grant. It allows C##DBA1 to start and stop the only PDB1 pluggable database. Check the ability of C##DBA1 to alter the availability of PDB1.

10. Check the access to other containers – he cannot connect as SYSOPER to other containers.

Conclusion:

Due to consolidation and large number of databases inside a multitenant container database, role separation and access control become important. Hence Oracle Database 12c introduced different classes of administrative users with different job scopes and different levels of access to the database.

Common users can be created and granted privileges to do administrative tasks across multiple PDBs or specific sets of PDBs.

GRANTS are local to the current container unless CONTAINER=ALL is specified.

Creating a multitenant container database using scripts

Creating a database in Oracle 12c.

Whereas dbca is available and the best tool to create a 12c database, it is also possible to create it using scripts.  The 12c multitenant option introduces some enhancements to the CREATE DATABASE syntax, as well as some new keywords related to container database creation.

This page explores the basic process of creating of a 12c multitenant container database, and a pluggable database, using scripts and explains the syntax.

Creation of the multitenant database using sql.

The database creation involves these steps broadly

1)    Configure storage locations for the new database

2)    Configure a temporary init.ora file with basic parameters

3)    Create the database using the create database ddl

4)    Execute post-database scripts, by using a workaround for the missing catcdb.sql script. (The missing script is now apparently fixed in the April release).

5)    Creating any pluggable databases needed.

Step # 1 – Configure storage locations and a sysdba password

The multi tenant container database will consist at least 2 (and eventually possible more) containers, the root and seed containers.

Each container will have at least the system, sysaux tablespaces and its necessary to set up storage locations for these containers.

The root container will contain at least the system, sysaux, 2 redo log groups, the CDB-WIDE undo tablespace and the CDB-WIDE temp tablespace.

The seed container can be used as a template for creating a pluggable database using the CREATE PLUGGABLE DATABASE command and could contain the commonly needed tablespaces like a default temp tablespace, a user data  tablespace, apart from the mandatory SYSTEM and SYSAUX

Other containers created with plug-in operations or the CREATE PLUGGABLE DATABASE command will need a place where their files go too.

The folder organization followed in this example is shown below, with a folder created per container.

The password can be configured using the orapwd tool as before.

Step # 2 – Configure a temp init.ora file

Oracle Database 12c introduces a new parameter ENABLE_PLUGGABLE_DATABASE which is the most important one for creating a multi-tenant container database. Below is a sample init.ora file configured with that parameter, which can bring up an instance in nomount mode prior to the CREATE DATABASE.

DB_NAME=CDB2

ENABLE_PLUGGABLE_DATABASE=TRUE

CONTROL_FILES='/u01/app/oracle/oradata/cdb2/root/control1.ctl',

              '/u01/app/oracle/oradata/cdb2/root/control2.ctl'

SGA_MAX_SIZE=2G

SGA_TARGET=1G

PGA_AGGREGATE_TARGET=600M

Step # 3 – Execute the CREATE DATABASE command

Start up the instance in NOMOUNT mode from SqPlus using the pfile init.ora configured in Step 2 and execute the CREATE DATABASE command.

The CREATE Database command has been enhanced with some multitenant related options. Below is a sample CREATE DATABASE command with a brief description of the options. (After the CREATE DATABASE, there is create SPFILE statement also )

At this stage normally its necessary to run catcdb.sql which creates the data dictionary, packages, db components needed to complete the database creation. 

However, the 12c r1 delivery for Unix does not contain this script – the workaround is to run a perl script, mentioned in Step #4.

Step # 4 – Run the dictionary creation scripts using catcon.pl

There is a perl script called catcon.pl, installed in the $ORACLE_HOME/rdbms/lib folder which can be invoked to execute the scripts like catalog.sql, catproc.sql, and pupbld.sql in the root and seed containers. It needs to be invoked from the perl interpreter binary called perl, and requires a couple of parameters to customize its working. This script accepts various parameters but the main ones are described here with reference to the example below:

Note:

Before executing perl, it is required to first set this environment variable.

$> export PERL5LIB=$ORACLE_HOME/rdbms/admin

$ > perl $ORACLE_HOME/rdbms/admin/catcon.pl -l /home/oracle -b catalog $ORACLE_HOME/rdbms/admin/catalog.sql

Parameter	Purpose
$ORACLE_HOME/rdbms/admin/catcon.pl	Location of the Oracle-provided perl script
-l /home/oracle	Specifies the base folder where the logs should be written
-b catalog	Specifies the base  name for the log files, they will be name-prefixed with this specified name
$ORACLE_HOME/rdbms/admin/catalog.sql	This is the name of the Oracle dictionary/component installer script to be run.

Below is a sample script which will call the 3 basic catalog creation scripts and complete the database creation. It can be run from Unix command line and should be run as the oracle home owner.

export PERL5LIB=$ORACLE_HOME/rdbms/admin

perl $ORACLE_HOME/rdbms/admin/catcon.pl -l /home/oracle -b catalog $ORACLE_HOME/rdbms/admin/catalog.sql

perl $ORACLE_HOME/rdbms/admin/catcon.pl -l /home/oracle -b catproc $ORACLE_HOME/rdbms/admin/catproc.sql

perl $ORACLE_HOME/rdbms/admin/catcon.pl -l /home/oracle -b pupbld $ORACLE_HOME/sqlplus/admin/pupbld.sql

The logs will be created in the /home/oracle folder and named catalog0.log, catalog1.log, etc. Any errors are logged in detail and failures are reported to the screen.

Step # 5 – Creating any pluggable databases needed

The pluggable database can be created inside a multitenant container database with the CREATE PLUGGABLE DATABASE statement. There are a number ways to create a PDB, we explore the creation from CDB in this example. Below is a sample CREATE PLUGGABLE DATABASE.

create pluggable database PDB1

 admin user pdb1_dba identified by oracle

 roles=(dba)

 file_name_convert=('/u01/app/oracle/oradata/cdb2/seed','/u01/app/oracle/oradata/cdb2/pdb1')

 storage (maxsize 2g max_shared_temp_size 500m)

Notes:

• The newly created database name is PDB1.
• It will be created using the seed data base as a template.
• The FILE_NAME_CONVERT parameter maps the seed datafile locations to corresponding ones for the PDB.
• The statement identifies an administrative user (pdb1_dba) with password oracle.
• The administrator is granted the DBA role which allows him to fully administer the PDB.
• There is a max disk usage restriction of 10GB and a max shared temp usage restriction of 1 GB.
• No resource plans or shares are configured either at the CDB or PDB level.
• The PDB needs to be opened at least once in read write mode for integrating it with the CDB, Upon opening, it goes from NEW to NORMAL status

Screenshot showing creation of a pluggable database using the seed as a template:

Conclusion

CDB and pluggable db creation is possible with scripts, as well as with dbca, but as compared to a NONCDB, CDB administration requires a more careful planning and organization of resources like storage,memory,cpu,etc. because multiple databases could be be running off it, due to consolidation. 

It is necessary in a multi tenant environment to ensure accurate connections to the proper services, by configuring the listeners and listening ports.

Thought should also be given to resource management, and Oracle Database 12c supports a two-tier resource plan based on resource shares to distribute the the resources first among the PDBs as a fraction/share of the total available, and within the CDB, among its resource consumer groups.