Privilege elevation requirements for Oracle EBS

The optional Privilege Elevation feature allows a non-privileged environment user (e.g., delphix_os) to gain the permissions of a privileged environment user (e.g., oravis) for operations on the staging or target environments. This configuration can be valuable to maximize an environment's security posture. 

The (delphix_os) user is a low-privileged user that the Continuous Data platform will use to ingest and provision or refresh the DBTier on source and target hosts. The (delphix_os) user will elevate to the Oracle user to perform the required workflows.

Change the username to match your host username.

Directions

First, the Privilege Elevation script, dlpx_db_exec, must be created and uploaded onto the Delphix Continuous Data Engine. Then, the non-privileged environment user must be granted the appropriate permissions.

Upload the privilege elevation script

Use one of the following methods to upload the privilege elevation script:

a) CURL file upload method

Before running any of the following commands, update the <CONTINUOUS-DATA-FQDN-or-IP>, <USERNAME>, and <PASSWORD> placeholder values.

  1. Create a session with the Delphix Continuous Data Engine. Also, update the version values for the `major`, `minor`, and `micro` fields. The correct values for your Delphix Continuous Data Engine version can be found in the API version information.

    curl -i -c cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/session -d '{
        "version":{
            "major":1,
            "minor":11,
            "micro":5,
            "type":"APIVersion"
        },
        "type":"APISession"
    }'

  2. Log in to the Delphix Continuous Data Engine as the `admin` user.

    curl -i -c cookies.txt -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/login -d '{
        "username":"<USERNAME>",
        "password":"<PASSWORD>",
        "type":"LoginRequest",
        "target":"DOMAIN"}'
  3. Copy DLPX_DB_EXEC contents to the Delphix Continuous Data Engine.

    curl -i -b cookies.txt -X POST -H "Content-Type:application/json" https://<CONTINUOUS-DATA-FQDN-or-IP>/resources/json/delphix/host/privilegeElevation/profileScript/HOST_PRIVILEGE_ELEVATION_PROFILE_SCRIPT-7 -d '{
        "type": "HostPrivilegeElevationProfileScript",
        "contents": "#\n# Copyright (c) 2018 by Delphix. All rights reserved.\n#\n\n#\n# This script allows customization of command execution with an alternate user\n# account.\nif [[ $1 != -u* ]]; then\n    echo \"Incorrect command line parameters, -u<optional user account> is required as the first parameter\"\n exit 1\nfi\nuser_id=`echo $1 | sed -e \"s\/^-u\/\/\"`\n\nshift 1\nif [[ $user_id != \"delphix_os\" ]]; then\ncommand=$(printf \"%s \" \"$@\")\nsudo su - $user_id -c \"$command\"\nelse\n$@\nfi\n"    }'

Content of DLPX_DB_EXEC Privilege Elevation Profile:

#!/bin/sh
#
# Copyright (c) 2024 by Delphix. All rights reserved.
#
# This script allows customization of command execution with an alternate user
# account.
# Arg $1 contains "-u<optional user account>" for the desired user under
# which database commands will be executed.
# By default this argument is ignored and the script is executed as the default
# account.
#
if [[ $1 != -u* ]]; then
   echo "Incorrect command line parameters, -u<optional user account> is required as the first parameter"
   exit 1
fi
user_id=`echo $1 | sed -e "s/^-u//"`
shift 1
if [[ $user_id != "delphix_os" ]]; then
    command=$(printf "%s " "$@")
    sudo su - $user_id -c "$command"
else
    $@
fi

If the dlpx_db_exec script is updated after the environment(s) are added, refresh the environment(s) to propagate the changes.

b) CLI method

For steps on creating a Privilege Elevation Profile, refer to CLI Cookbook: How to create or edit privilege elevation profiles and profile scripts.

Configure sudo privileges to grant Privilege Elevation

With Privilege Elevation, all EBS connector commands are run via the dlpx_db_exec script and within this script the commands are run using ‘sudo’. In order to execute the connector commands as the high-privileged environment user, sudoers entries are required.

To add sudoers entries, edit the /etc/sudoers file. Run one of the following commands to open the `sudoers` file:

vi /etc/sudoers
# or
visudo

Third-party tools like `visudo` can be helpful in minimizing syntax errors.

Sudoers entry for Linux

Entries required for provisioning via low privileged user (delphix_os) on target EBS DB Tier

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - oravis -c /bin/mount, /bin/su - oravis -c /bin/umount, /bin/su - oravis -c echo *, /bin/su - oravis -c ls *, /bin/su - oravis -c export *, /bin/su - oravis -c test*mkdir*, /bin/su - oravis -c test*touch*chmod 750*cat*, /bin/su - oravis -c */EBS_kill/kill_script.sh*, /bin/su - oravis -c rm -f */test_status.tmp*, /bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, /bin/su - oravis -c rm -f */dlpx_force_autoflush*, /bin/su - oravis -c */*.env*bin/lsnrctl status*, /bin/su - oravis -c */*.env*/addlnctl.sh*, /bin/su - oravis -c rm -f /u01/oracle/VIS/*/.delphix_adpreclone.lck*, /bin/su - oravis -c rm -rf */appsutil/clone/dbts*, /bin/su - oravis -c touch /u01/oracle/VIS/*/.delphix_adpreclone.lck*, /bin/su - oravis -c */bin/runInstaller -silent -detachHome*, /bin/su - oravis -c export PATH* export PERL5LIB*perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */adpreclone.pl dbTechStack*, /bin/su - oravis -c cd *; make -f ins_rdbms.mk*ioracle*, /bin/su - oravis -c cd *; make -f ins_rdbms.mk dnfs_off*, /bin/su - oravis -c rm -f *bak, /bin/su - oravis -c mv *, /bin/su - oravis -c */*.env*sqlplus*, /bin/su - oravis -c */*.env*perl */appsutil/clone/bin/adcfgclone.pl dbconfig*, /bin/su - oravis -c */*.env*perl */appsutil/scripts/*/adpreclone.pl*, /bin/su - oravis -c sed*sqlnet.ora*, /bin/su - oravis -c */*.env*sqlplus apps*, /bin/su - oravis -c */*.env*; make -f *rdbms/lib/ins_rdbms.mk dnfs_off*, /bin/su - oravis -c */*.env*; ln -s *, /bin/mount, /bin/umount, /bin/ps, /bin/mkdir, /bin/su - oravis -c source*perl*txkGenCDBTnsAdmin.pl*, /bin/su - oravis -c */*.env*perl */appsutil/bin/txkCfgUtlfileDir.pl -contextfile*, /bin/su - oravis -c */*.env* mkdir -p*, /bin/su - oravis -c chmod 775 *dbs*, /bin/su - oravis -c chmod 6751 */bin/oracle*, /bin/su - oravis -c cp *dlpx_force_autoflush.pm*, /bin/su - oravis -c chmod 755 */dlpx_force_autoflush*, 
/bin/su - oravis -c umask*touch *source_apps_file.txt, /bin/su - oravis -c mkdir -p*, /bin/su - oravis -c cp *pairsfile*, /bin/su - oravis -c *perl -mdlpx_force_autoflush */adclonectx.pl*, /bin/su - oravis -c *perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /bin/su - oravis -c touch */.delphix_adpreclone.lck*, /bin/su - oravis -c rm -f */.delphix_adpreclone.lck*, /bin/su - oravis -c chmod 755 *hooksUtil*,  /bin/su - oravis -c set -o *hooksUtil*, /bin/su - oravis -c mkdir *hooksUtil*, /bin/su - oravis -c *perl */appsutil/scripts/*/adpreclone.pl dbTier*,  /bin/su - oravis -c ls *, /bin/su - oravis -c wc -c */adpreclone.pl*, /bin/su - oravis -c cat*adpreclone.pl*, /bin/su - oravis -c */*.env*/adcdblnctl.sh*, /bin/su - oravis -c sed*, /bin/su - oravis -c *echo*, /bin/su - oravis -c *env*, /bin/su - oravis -c *ss*, /bin/su - oravis -c cp*adpreclone.pl*, /bin/su - oravis -c cp*adcrdb.sh*, /bin/su - oravis -c *adautocfg.sh*

Entries required for provisioning via low privileged user (delphix_os) on target EBS AppsTier

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - applvis -c echo *, /bin/su - applvis -c rm *.dlpx_run_edition*, /bin/su - applvis -c rm -f *dlpx_force_autoflush*, /bin/su - applvis -c cd *echo *dlpx_force_autoflush*, /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adpreclone.pl appsTier*, /bin/su - applvis -c */rsync*, /bin/su - applvis -c test*mkdir*, /bin/su - applvis -c test*touch*chmod 750*cat*, /bin/su - applvis -c */EBS_kill/kill_script.sh*, /bin/su - applvis -c rm -f */test_status.tmp*, /bin/su - applvis -c */*.env* sqlplus -s *apps*, /bin/su - applvis -c */adstrtal.sh*, /bin/su - applvis -c */adstpall.sh*, /bin/su - applvis -c */*.env* cd *adautocfg.sh*, /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adcfgclone.pl appsTier*, /bin/su - applvis -c *perl -mdlpx_force_autoflush */adclonectx.pl addnode contextfile*pairsfile*outfile*, /bin/su - applvis -c *adadminsrvctl.sh*, /bin/su - applvis -c *admanagedsrvctl.sh*, /bin/su - applvis -c *adnodemgrctl.sh*, /bin/su - applvis -c */*.env* cd *perl -mdlpx_force_autoflush ./txkUpdateEBSDomain.pl*contextfile*action*updateAdminPassword*, /bin/su - applvis -c */bin/runInstaller -silent -detachHome*, /bin/su - applvis -c rm -rf */inst/apps/*, /bin/su - applvis -c rm -rf *FMW_Home*, /bin/su - applvis -c rm -rf *fs*, /bin/su - applvis -c find*exec rm -rf *, /bin/su - applvis -c cp */inst/apps/*appl/admin* */inst/apps/*, /bin/su - applvis -c */*EBSapps.env*perl */patch/115/bin/txkSetAppsConf.pl*contextfile*configoption*oacore*oafm*forms*formsc4ws*, /bin/su - applvis -c rsync -aH --delete --ignore-errors */EBSapps/ */EBSapps/*, /bin/su - applvis -c rm */serviceStartfile.tmp*, /bin/su - applvis -c rm -rf */change_apps_password*, /bin/su - applvis -c mkdir -p */change_apps_password*, /bin/su - applvis -c */*.env* run; cd */change_apps_password*/fnd/12.0.0/bin/FNDCPASS*apps*system*SYSTEM APPLSYS*, /bin/su - applvis -c */*.env* sqlplus *apps*, /bin/su - applvis -c 
*/*.env* rm -f */updateDSpwd.py*cat */updateDSpwd.py*, /bin/su - applvis -c */*.env*/adautocfg.sh*, /bin/su - applvis -c */*.env* rm -f */serverStateAll.py*cat*serverStateAll.py*, /bin/su - applvis -c */*.env* run; */wlserver_10.3/common/bin/wlst.sh */updateDSpwd.py*, /bin/su - applvis -c */*.env*; */wlserver_10.3/common/bin/wlst.sh */serverStateAll.py*, /bin/su - applvis -c *lsof*, /bin/su - applvis -c *sed *, /bin/su - applvis -c */*.env*;*adapcctl.sh status*, /bin/mount, /bin/umount, /bin/ps, /bin/su - applvis -c find*, /bin/su - applvis -c cp *dlpx_force_autoflush.pm*, /bin/su - applvis -c *perl -mdlpx_force_autoflush ./adcfgclone.pl appsTier*, /bin/su - applvis -c cat*serverStateAll.py*, /bin/su - applvis -c cat*updateDSpwd.py*, /bin/su - applvis -c mkdir -p */pairsdir*, /bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush *adpreclone.pl appsTier*, /bin/su - applvis -c mv *scratch_file* *, /bin/su - applvis -c pmap -r*, /bin/su - applvis -c */*.env* patch; */wlserver_10.3/common/bin/wlst.sh */updateDSpwd.py*, /bin/su - applvis -c */*.env* run; */adcmctl.sh status*, /bin/su - applvis -c set -o pipefail; cat*tee */.*_pairs.txt*, /bin/su - applvis -c cat*_pairs.txt*, /bin/su - applvis -c chmod 755  */.*_pairs.txt*, /bin/su - applvis -c *perl -mdlpx_force_autoflush */adcfgclone.pl*appsTier*, /bin/su - applvis -c wc -c *, /bin/su - applvis -c cat*FMW_Home/*/config/config.xml*, /bin/su - applvis -c cat*appl/admin/*.xml*, /bin/su - applvis -c rm -f *updateDSpwd.py, /bin/su - applvis -c *kill*

Entries required for linking via low privileged user (delphix_os) on source EBS DB Tier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - oravis -c echo *, /bin/su - oravis -c rm -f */dlpx_force_autoflush*, /bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, /bin/su - oravis -c rm -rf */appsutil/clone/dbts*, /bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */adpreclone.pl dbTier*, /bin/su - oravis -c */rsync*, /bin/su - oravis -c test*mkdir*, /bin/su - oravis -c test*touch*chmod 750*cat*, /bin/su - oravis -c */EBS_kill/kill_script.sh*, /bin/su - oravis -c rm -f */test_status.tmp*, /bin/ps, /bin/su - oravis -c cp *dlpx_force_autoflush.pm*, /bin/su - oravis -c chmod 755 */dlpx_force_autoflush*

Entries required for linking via low privileged user (delphix_os) on source EBS AppsTier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /bin/su - applvis -c echo *, /bin/su - applvis -c rm *.dlpx_run_edition*, /bin/su - applvis -c rm -f */dlpx_force_autoflush*, /bin/su - applvis -c cd *echo *dlpx_force_autoflush*, /bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adpreclone.pl appsTier*, /bin/su - applvis -c */rsync*, /bin/su - applvis -c test*mkdir*, /bin/su - applvis -c test*touch*chmod 750*cat*, /bin/su - applvis -c */EBS_kill/kill_script.sh*, /bin/su - applvis -c rm -f */test_status.tmp*, /bin/su - applvis -c *.env* sqlplus -s apps*, /bin/su applvis -c *.env* sqlplus -s apps*, /bin/su - applvis -c */*.env*echo*adadminsrvctl.sh status -nopromptmsg*, /bin/ps, /bin/su - applvis -c cp*dlpx_force_autoflush.pm*, /bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush */adpreclone.pl appsTier*, /bin/su - applvis -c source*/EBSapps.env*run*, /bin/su - applvis -c *adadminsrvctl.sh status*

Sudoers entry for Solaris

Entries required for linking via low privileged user (delphix_os) on source EBS DB Tier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c echo *, /usr/bin/su - oravis -c rm *.dlpx_run_edition*, /usr/bin/su - oravis -c rm -f */dlpx_force_autoflush*, /usr/bin/su - oravis -c cd *echo *dlpx_force_autoflush*, /usr/bin/su - oravis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adpreclone.pl appsTier*, /usr/bin/su - oravis -c */rsync*, /usr/bin/su - oravis -c test*mkdir*, /usr/bin/su - oravis -c test*touch*chmod 750*cat*, /usr/bin/su - oravis -c */EBS_kill/kill_script.sh*, /usr/bin/su - oravis -c rm -f */test_status.tmp*, /usr/bin/su - oravis -c *.env* sqlplus -s apps*, /usr/bin/su oravis -c *.env* sqlplus -s apps*, /usr/bin/su - oravis -c */*.env*echo*adadminsrvctl.sh status -nopromptmsg*, /bin/ps, /usr/bin/su - oravis -c cp *dlpx_force_autoflush.pm*, /usr/bin/su - oravis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush */adpreclone.pl appsTier*

Entries required for linking via low privileged user (delphix_os) on source EBS AppsTier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - applvis -c echo *, /usr/bin/su - applvis -c rm *.dlpx_run_edition*, /usr/bin/su - applvis -c rm -f */dlpx_force_autoflush*, /usr/bin/su - applvis -c cd *echo *dlpx_force_autoflush*, /usr/bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adpreclone.pl appsTier*, /usr/bin/su - applvis -c */rsync*, /usr/bin/su - applvis -c test*mkdir*, /usr/bin/su - applvis -c test*touch*chmod 750*cat*, /usr/bin/su - applvis -c */EBS_kill/kill_script.sh*, /usr/bin/su - applvis -c rm -f */test_status.tmp*, /usr/bin/su - applvis -c *.env* sqlplus -s apps*, /usr/bin/su applvis -c *.env* sqlplus -s apps*, /usr/bin/su - applvis -c */*.env*echo*adadminsrvctl.sh status -nopromptmsg*, /bin/ps, /usr/bin/su - applvis -c cp *dlpx_force_autoflush.pm*, /usr/bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush */adpreclone.pl appsTier*

Entries required for provisioning via low privileged user (delphix_os) on target EBS DB Tier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oravis -c /usr/sbin/mount, /usr/bin/su - oravis -c /usr/sbin/umount, /usr/bin/su - oravis -c echo *, /usr/bin/su - oravis -c export *, /usr/bin/su - oravis -c test*mkdir*, /usr/bin/su - oravis -c test*touch*chmod 750*cat*, /usr/bin/su - oravis -c */EBS_kill/kill_script.sh*, /usr/bin/su - oravis -c rm -f */test_status.tmp*, /usr/bin/su - oravis -c cp -f */dlpx_force_autoflush*; chmod 755 */dlpx_force_autoflush*, /usr/bin/su - oravis -c rm -f */dlpx_force_autoflush*, /usr/bin/su - oravis -c */*.env*bin/lsnrctl status*, /usr/bin/su - oravis -c */*.env*/addlnctl.sh*, /usr/bin/su - oravis -c rm -f */.delphix_adpreclone.lck*, /usr/bin/su - oravis -c rm -rf */appsutil/clone/dbts*, /usr/bin/su - oravis -c touch */.delphix_adpreclone.lck*, /usr/bin/su - oravis -c */bin/runInstaller -silent -detachHome*, /usr/bin/su - oravis -c export PATH* export PERL5LIB*perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /usr/bin/su - oravis -c export PERL5LIB*perl -mdlpx_force_autoflush */adpreclone.pl dbTechStack*, /usr/bin/su - oravis -c cd *; make -f ins_rdbms.mk*ioracle*, /usr/bin/su - oravis -c cd *; make -f ins_rdbms.mk dnfs_off*, /usr/bin/su - oravis -c rm -f *bak, /usr/bin/su - oravis -c mv *, /usr/bin/su - oravis -c */*.env*sqlplus* as sysdba*, /usr/bin/su - oravis -c */*.env*perl */appsutil/clone/bin/adcfgclone.pl dbconfig*, /usr/bin/su - oravis -c */*.env*perl */appsutil/scripts/*/adpreclone.pl database*, /usr/bin/su - oravis -c sed*sqlnet.ora*, /usr/bin/su - oravis -c */*.env*sqlplus apps*, /usr/bin/su - oravis -c */*.env*; make -f *rdbms/lib/ins_rdbms.mk dnfs_off*, /usr/bin/su - oravis -c */*.env*; ln -s *, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/ps, /usr/bin/mkdir, /usr/bin/su - oravis -c source* -dboraclehome* perl*txkGenCDBTnsAdmin.pl*, /usr/bin/su - oravis -c */*.env*perl */appsutil/bin/txkCfgUtlfileDir.pl -contextfile*, /usr/bin/su - oravis -c */*.env* mkdir -p*, /usr/bin/su - oravis -c chmod 775 *dbs*, /usr/bin/su - 
oravis -c chmod 6751 */bin/oracle*, /usr/bin/su - oravis -c cp *dlpx_force_autoflush.pm*, /usr/bin/su - oravis -c chmod 755 */dlpx_force_autoflush*, /usr/bin/su - oravis -c umask*touch *source_apps_file.txt, /usr/bin/su - oravis -c mkdir -p*, /usr/bin/su - oravis -c cp *pairsfile*, /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */adclonectx.pl*, /usr/bin/su - oravis -c *perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /usr/bin/su - oravis -c touch */.delphix_adpreclone.lck*, /usr/bin/su - oravis -c rm -f */.delphix_adpreclone.lck*, /usr/bin/su - oravis -c chmod 755 *hooksUtil*,  /usr/bin/su - oravis -c set -o *hooksUtil*, /usr/bin/su - oravis -c mkdir *hooksUtil*, /usr/bin/mkdir, /usr/bin/rmdir, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/pargs, /usr/bin/ps, /usr/bin/netstat

Entries required for provisioning via low privileged user (delphix_os) on target EBS AppsTier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - applvis -c echo *, /usr/bin/su - applvis -c rm *.dlpx_run_edition*, /usr/bin/su - applvis -c rm -f *dlpx_force_autoflush*, /usr/bin/su - applvis -c cd *echo *dlpx_force_autoflush*, /usr/bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adpreclone.pl appsTier*, /usr/bin/su - applvis -c */rsync*, /usr/bin/su - applvis -c test*mkdir*, /usr/bin/su - applvis -c test*touch*chmod 750*cat*, /usr/bin/su - applvis -c */EBS_kill/kill_script.sh*, /usr/bin/su - applvis -c rm -f */test_status.tmp*, /usr/bin/su - applvis -c */*.env* sqlplus -s *apps*, /usr/bin/su - applvis -c */adstrtal.sh*, /usr/bin/su - applvis -c */adstpall.sh*, /usr/bin/su - applvis -c */*.env* cd *adautocfg.sh*, /usr/bin/su - applvis -c export PATH* export PERL5LIB* cd *perl -mdlpx_force_autoflush ./adcfgclone.pl appsTier*, /usr/bin/su - applvis -c *perl -mdlpx_force_autoflush */adclonectx.pl addnode contextfile*pairsfile*outfile*, /usr/bin/su - applvis -c *adadminsrvctl.sh*, /usr/bin/su - applvis -c *admanagedsrvctl.sh*, /usr/bin/su - applvis -c *adnodemgrctl.sh*, /usr/bin/su - applvis -c */*.env* cd *perl -mdlpx_force_autoflush ./txkUpdateEBSDomain.pl*contextfile*action*updateAdminPassword*, /usr/bin/su - applvis -c */bin/runInstaller -silent -detachHome*, /usr/bin/su - applvis -c rm -rf */inst/apps/*, /usr/bin/su - applvis -c rm -rf *FMW_Home*, /usr/bin/su - applvis -c rm -rf *fs*, /usr/bin/su - applvis -c find*exec rm -rf *, /usr/bin/su - applvis -c cp */inst/apps/*appl/admin* */inst/apps/*, /usr/bin/su - applvis -c */*EBSapps.env*perl */patch/115/bin/txkSetAppsConf.pl*contextfile*configoption*oacore*oafm*forms*formsc4ws*, /usr/bin/su - applvis -c rsync -aH --delete --ignore-errors */EBSapps/ */EBSapps/*, /usr/bin/su - applvis -c rm */serviceStartfile.tmp*, /usr/bin/su - applvis -c rm -rf */change_apps_password*, /usr/bin/su - applvis -c mkdir -p */change_apps_password*, /usr/bin/su - applvis -c */*.env* run; cd 
*/change_apps_password*/fnd/12.0.0/bin/FNDCPASS*apps*system*SYSTEM APPLSYS*, /usr/bin/su - applvis -c */*.env* sqlplus *apps*, /usr/bin/su - applvis -c */*.env* rm -f */updateDSpwd.py*cat */updateDSpwd.py*, /usr/bin/su - applvis -c */*.env*/adautocfg.sh*, /usr/bin/su - applvis -c */*.env* rm -f */serverStateAll.py*cat*serverStateAll.py*, /usr/bin/su - applvis -c */*.env* run; */wlserver_10.3/common/bin/wlst.sh */updateDSpwd.py*, /usr/bin/su - applvis -c */*.env*; */wlserver_10.3/common/bin/wlst.sh */serverStateAll.py*, /usr/bin/su - applvis -c *lsof*, /usr/bin/su - applvis -c *sed *, /usr/bin/su - applvis -c */*.env*;*adapcctl.sh status*, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/ps, /usr/bin/su - applvis -c find*, /usr/bin/su - applvis -c cp *dlpx_force_autoflush.pm*, /usr/bin/su - applvis -c *perl -mdlpx_force_autoflush ./adcfgclone.pl appsTier*, /usr/bin/su - applvis -c cat*serverStateAll.py*, /usr/bin/su - applvis -c cat*updateDSpwd.py*, /usr/bin/su - applvis -c mkdir -p */pairsdir*, /usr/bin/su - applvis -c export PERL5LIB* cd *perl -mdlpx_force_autoflush *adpreclone.pl appsTier*, /usr/bin/su - applvis -c mv *scratch_file* *, /usr/bin/su - applvis -c pmap -r*, /usr/bin/su - applvis -c */*.env* patch; */wlserver_10.3/common/bin/wlst.sh */updateDSpwd.py*, /usr/bin/su - applvis -c */*.env* run; */adcmctl.sh status*, /usr/bin/su - applvis -c set -o pipefail; cat*tee */.*_pairs.txt*, /usr/bin/su - applvis -c chmod 755  */.*_pairs.txt*, /usr/bin/su - applvis -c *perl -mdlpx_force_autoflush */adcfgclone.pl*appsTier*, /usr/bin/su - applvis -c /usr/bin/netstat -an *, /usr/bin/mkdir, /usr/bin/rmdir, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/pargs, /usr/bin/ps, /usr/bin/netstat

Sudoers entry for AIX

Entries required for provisioning via high privileged user (oracle) on target EBS AppsTier/DBTier:

Defaults:oracle !requiretty
oracle ALL=(ALL) NOPASSWD: /usr/sbin/mount, /usr/sbin/umount, /usr/sbin/nfso, /usr/bin/ps, /usr/bin/mkdir, /usr/bin/rmdir 

 

Entries required for provisioning via low privileged user (delphix_os) on target EBS AppsTier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oracle -c echo *, /usr/bin/su - oracle -c export *, /usr/bin/su - oracle -c test*mkdir*, /usr/bin/su - oracle -c test*touch*chmod 750*cat*, /usr/bin/su - oracle -c */EBS_kill/kill_script.sh*, /usr/bin/su - oracle -c rm -f */test_status.tmp*, /usr/bin/su - oracle -c ls*, /usr/bin/su - oracle -c if*, /usr/bin/su - oracle -c rm -f */dlpx_force_autoflush*, /usr/bin/su - oracle -c */*.env*bin/lsnrctl status*, /usr/bin/su - oracle -c */*.env*/addlnctl.sh*, /usr/bin/su - oracle -c rm -f */.delphix_adpreclone.lck*, /usr/bin/su - oracle -c rm -rf */appsutil/clone/dbts*, /usr/bin/su - oracle -c */bin/runInstaller -silent -detachHome*, /usr/bin/su - oracle -c export PATH* export PERL5LIB*perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /usr/bin/su - oracle -c export PERL5LIB*perl -mdlpx_force_autoflush */adpreclone.pl dbTechStack*, /usr/bin/su - oracle -c cd *; make -f ins_rdbms.mk*ioracle*, /usr/bin/su - oracle -c cd *; make -f ins_rdbms.mk dnfs_off*, /usr/bin/su - oracle -c rm -f *bak, /usr/bin/su - oracle -c mv *, /usr/bin/su - oracle -c */*.env*sqlplus* as sysdba*, /usr/bin/su - oracle -c */*.env*perl */appsutil/clone/bin/adcfgclone.pl dbconfig*, /usr/bin/su - oracle -c */*.env*perl */appsutil/scripts/*/adpreclone.pl database*, /usr/bin/su - oracle -c sed*sqlnet.ora*, /usr/bin/su - oracle -c */*.env*sqlplus apps*, /usr/bin/su - oracle -c */*.env*; make -f *rdbms/lib/ins_rdbms.mk dnfs_off*, /usr/bin/su - oracle -c */*.env*; ln -s *, /usr/bin/su - oracle -c *txkSetCfgCDB.env*txkGenCDBTnsAdmin.pl*, /usr/bin/su - oracle -c */*.env*/adcdblnctl.sh*, /usr/bin/su - oracle -c */*.env*perl */appsutil/bin/txkCfgUtlfileDir.pl -contextfile*, /usr/bin/su - oracle -c */*.env* mkdir -p*, /usr/bin/su - oracle -c chmod 775 *dbs*, /usr/bin/su - oracle -c chmod 6751 */bin/oracle*, /usr/bin/su - oracle -c cp *dlpx_force_autoflush.pm*, /usr/bin/su - oracle -c chmod 755 */dlpx_force_autoflush*, /usr/bin/su - oracle -c mkdir -p*, /usr/bin/su - 
oracle -c cp *pairsfile*, /usr/bin/su - oracle -c *perl -mdlpx_force_autoflush */adclonectx.pl*, /usr/bin/su - oracle -c *perl -mdlpx_force_autoflush */adcfgclone.pl dbTechStack*, /usr/bin/su - oracle -c touch */.delphix_adpreclone.lck*, /usr/bin/su - oracle -c rm -f */.delphix_adpreclone.lck*, /usr/bin/su - oracle -c *hooksRunner*, /usr/bin/su - oracle -c *hooksUtil/lib/logger.sh*, /usr/bin/su - oracle -c chmod 755 *hooksUtil*,  /usr/bin/su - oracle -c set -o *hooksUtil*, /usr/bin/su - oracle -c mkdir *hooksUtil*, /usr/bin/mkdir, /usr/sbin/mount, /usr/sbin/umount, /usr/bin/ps, /usr/bin/netstat, /usr/bin/su - oracle -c *perl */appsutil/scripts/*/adpreclone.pl dbTier*, /usr/bin/su - oracle -c wc -c */adpreclone.pl*, /usr/bin/su - oracle -c cat*adpreclone.pl*, /usr/bin/su - oracle -c sed*adpreclone.pl*, /usr/bin/su - oracle -c cp*adpreclone.pl*, /usr/bin/su - oracle -c *adautocfg.sh*, /usr/bin/su - oracle -c cp*adcrdb.sh*, /usr/sbin/nfso

Entries required for linking via low privileged user (delphix_os) on source EBS AppsTier.

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: \
/usr/bin/su - oracle -c rm -f */dlpx_force_autoflush*, \
/usr/bin/su - oracle -c cp *dlpx_force_autoflush.pm*, \
/usr/bin/su - oracle -c chmod 755 */dlpx_force_autoflush*, \
/usr/bin/su - oracle -c *perl */appsutil/scripts/*/adpreclone.pl dbTier*, \
/usr/bin/su - oracle -c *rsync */<ORACLE_BASE_PATH>/*, \
/usr/bin/ps

Minimum sudoers entry

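End users prefer not to elevate each command individually; instead, they seek a straightforward method to elevate commands to a different user and grant the necessary privileges. This strategy reduces the burden of administering a lengthy and complex sudoers file. The trade-off is that the `-c *` wildcard lets delphix_os run any command as the named user, not only the connector commands listed in the per-command entries.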

The minimum sudoers entry needed on Source DBTier/AppsTier:

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oracle -c *

The minimum sudoers entry needed on Target DBTier/AppsTier:

Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD: /usr/bin/su - oracle -c *, /usr/sbin/nfso, /usr/bin/ps, /usr/bin/mkdir, /usr/bin/rmdir, /usr/sbin/mount, /usr/sbin/umount
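
To check a sudoers entry against the commands the connector will run, the following added example (not Delphix code) rebuilds the command line that dlpx_db_exec passes to sudo and tests it against command specs taken from this page, including the minimum entry. Shell glob matching stands in for sudoers wildcard matching, and `SU_PATH`, the function names and the sample invocations are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Delphix code. Shell globs approximate sudoers(5)
# wildcard matching; confirm the real decision on the host with
# "visudo -c" and "sudo -l -U delphix_os".

SU_PATH=/bin/su   # assumption: the path "su" resolves to on the host

# Command specs, one per line. GRANULAR is a subset of the Linux source
# DB Tier entry on this page; MINIMUM is the page's minimum entry rewritten
# for oravis and /bin/su so both lists describe the same host.
GRANULAR='/bin/su - oravis -c echo *
/bin/su - oravis -c rm -f */dlpx_force_autoflush*
/bin/su - oravis -c */rsync*
/bin/su - oravis -c test*mkdir*
/bin/ps'
MINIMUM='/bin/su - oravis -c *'

# Rebuild the command line sudo evaluates for: dlpx_db_exec -u<user> <cmd...>
# Returns 1 on bad usage, 2 when the script would run the command without sudo.
elevated_cmdline() {
    case $1 in
        -u*) user_id=${1#-u} ;;
        *) echo "-u<user> is required as the first parameter" >&2; return 1 ;;
    esac
    shift
    [ "$user_id" != "delphix_os" ] || return 2
    # Same joining as the script: each argument is followed by one space,
    # so the resulting string always ends in a space.
    command=$(printf '%s ' "$@")
    printf '%s - %s -c %s' "$SU_PATH" "$user_id" "$command"
}

# Print the first spec in $2 (one per line) that matches command line $1;
# return 1 when none matches. "*" crosses spaces and "/" here, as sudoers
# wildcards do inside command arguments.
first_match() {
    cmdline=$1
    old_ifs=$IFS
    IFS='
'
    set -f   # keep the specs from expanding against the filesystem
    for pattern in $2; do
        case $cmdline in
            $pattern)
                IFS=$old_ifs; set +f
                printf '%s\n' "$pattern"
                return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# report <label> <specs> <dlpx_db_exec arguments...>
report() {
    label=$1 specs=$2
    shift 2
    line=$(elevated_cmdline "$@") || { echo "$label: no sudo call for: $*"; return 0; }
    if matched=$(first_match "$line" "$specs"); then
        echo "$label ALLOW [$line] via [$matched]"
    else
        echo "$label DENY  [$line]"
    fi
}

# Constructed sample invocations (not captured from a real engine).
report granular "$GRANULAR" -uoravis echo hello
report granular "$GRANULAR" -uoravis rm -f /u01/tmp/dlpx_force_autoflush.pm
report granular "$GRANULAR" -uoravis id
report minimum  "$MINIMUM"  -uoravis id
report granular "$GRANULAR" -udelphix_os ls
```

The third and fourth lines of output show the difference between the two styles: the same command is denied by the per-command specs and allowed by the minimum entry.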