FlexNet Manager Suite
2023 R1
(On-Premises)
The accounts and privileges required for direct collection of inventory data from an Oracle
database instance are relatively straight-forward. In addition to inventory collection, the
entire process must allow for the initial discovery of devices and their database
instances to query, and some discovery methods add their own requirements for credentials.
Using network discovery
This method of discovery requires two sets of credentials for discovery.
The first is an account that can be used to log into the target device and probe specified
ports to test for the presence of an Oracle Net Listener. This account must be registered in
the Password Manager on the inventory beacon responsible for discovery (and
subsequent inventory gathering).
Once a device has been discovered, and the Oracle Net Listener is known to exist on that
device, the listener must accept a remote connection and status request (that is, remote
administration). This request identifies the database instances (services) that the listener
knows about. (The listener password is required only for the case of network discovery,
since this is the only case that requires a remote administration connection to the
listener; in the other cases, the database instances are already identified without this
request.) This password must be registered in the secure
Password Manager on the
inventory beacon that is to complete the discovery and collect the database
inventory (only the password is required, and no account name is needed with this listener
password.)
Tip: If there are multiple listeners on the Oracle server and these
have multiple passwords, each password for listeners you will access must be recorded in
the Password Manager. These are not differentiated by any listener identification:
the FlexNet Beacon engine simply steps through each listener password in turn
until one works.
Note: This method of remote administration of the listener to
discover the available Oracle database instances has been barred from Oracle Database
version 12c onwards. To use direct inventory gathering with later versions of the
database, you must use one of the other discovery methods; and in those alternative
discovery methods, the listener's administrative password is not required. (Of course,
this is independent of the credentials for inventory gathering, described below, that are
required after discovery has been completed.)
Using tnsnames.ora
There are no special credentials required, other than the normal ones to get the
tnsnames.ora
in place on the
inventory beacon (for details see
Using tnsnames Discovery with Direct Inventory):
- If you are manually transferring a
tnsnames.ora
file from your Oracle
server, you need to log in to the inventory beacon with sufficient privileges to
access the file path (typically, with administrator privileges)
- If you are using the OEM adapter, this writes the
tnsnames.ora
file into the correct location, and the credentials
needed for the adapter are covered in FlexNet Manager Suite Inventory Adapters and Connectors Reference.
Using manually-created discovery device records
No additional credentials are required — an operator in a Role with sufficient privileges
to create the records does the data input, and these discovered device records are then
utilized automatically when required.
Using Amazon connector
There are no special requirements when using the Amazon connector to discover Oracle
Databases running in Amazon Relational Database Service (RDS). For details about running
the connector, see either of the following:
- The online help under and child topics
- The section on the AWS connector in FlexNet Manager Suite Inventory Adapters and Connectors Reference.
Credentials for inventory gathering
Regardless of the discovery method you use, direct inventory collection proceeds by having
the
inventory beacon connect to the listener requesting access to each
service/database instance (no listener password is required for this request). These
connection requests require the service name, the service user account, and the service
password for each Oracle database instance. The service user account:
- Is a member of the OS-specific ORADBA group (the local
ora_dba
security group on Windows platforms and the dba
group on UNIX-like
platforms)
- Has at least read-only permissions for all the tables and views needed for collecting
Oracle inventory (listed in Appendix C: Oracle Tables and Views for Oracle Inventory Collection)
- Has the user name and password registered in the secure Password Manager on the
inventory beacon that is to collect inventory from each database instance.
One potentially helpful practice is to use the same set of credentials on all target Oracle
servers as a special "audit account". This makes it easier to register a single set of
credentials in the
Password Managers on all applicable
inventory beacons, and to script creation of the account consistently across all your Oracle servers. If
you choose to use a common audit account across servers,
Flexera
provides a script to create and configure this database user. To get this script, log into
the
Flexera Community Knowledge Base at
https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/Script-to-create-an-Oracle-user-with-the-access-required-for/ta-p/1758.
Note: The sole purpose of creating this audit user is to
collect Oracle inventory. However, FlexNet Manager Suite counts it as a named user
while calculating license compliance for Oracle licenses. You can adjust the license
consumption for this user to avoid consuming license entitlements. Navigate to the page for each affected database instance and set the consumption for this
user to zero. For more information, see the associated online help.
FlexNet Manager Suite (On-Premises)
2023 R1