Overview

This type allows you to manage a user inside an Oracle database.

It recognises most of the options that CREATE USER supports. Besides these options, you can also use this type to manage the grants and the quota’s for this user.

ora_user{user_name@sid:
  temporary_tablespace      => temp,
  default_tablespace        => 'my_app_ts',
  password                  => 'verysecret',
  require                   => Ora_tablespace['my_app_ts'],
  grants                    => ['SELECT ANY TABLE', 'CONNECT', 'CREATE TABLE', 'CREATE TRIGGER'],
  quotas                    => {
                                  "my_app_ts"  => 'unlimited'
                                },
}

Attributes

Attribute Name Short Description
common_granted The common grants you want to make sure are granted to the ora_user or ora_role.
common_granted_with_admin The common grants with admin you want to make sure are granted to the ora_user or ora_role.
common_grants Common grants for this user or role.
common_grants_with_admin Common grants for this user or role with admin.
common_revoked The common grants you want to make sure are revoked from the ora_user or ora_role.
common_revoked_with_admin The common grants you want to make sure are revoked from the ora_user or ora_role.
container Allows you to specify the scope of the object.
create_only The attributes from ora_user you only want to manage when you create a user.
default_roles The user’s default roles
   
default_tablespace The user’s default tablespace.
disable_corrective_change Disable the modification of a resource when Puppet decides it is a corrective change.
disable_corrective_ensure Disable the creation or removal of a resource when Puppet decides is a corrective change.
ensure The basic property that the resource should be in.
expired specified if the account is expired.
granted The grants you want to make sure are granted to the ora_user or ora_role.
granted_with_admin The grants with admin you want to make sure are granted to the ora_user or ora_role.
grants grants for this user or role.
grants_with_admin grants for this user or role.
ignore_oracle_maintained_warnings This is a parameter that can be used to skip generating warnings on changing or dropping Oracle managed users or roles.
locked specified if the account is locked.
name The user name.
oracle_maintained This is a read only property that cannot be used when specifying a user.
password The user’s password.
profile The user’s profile
   
provider resource.
quotas Quota’s for this user.
raw_password The user’s raw password.
revoked The grants you want to make sure are revoked from the ora_user or ora_role.
revoked_with_admin The grants you want to make sure are revoked from the ora_user or ora_role.
schema_only specify if the account is schema only, without password and cannot be logged in with.
sid SID to connect to.
temporary_tablespace The user’s temporary tablespace.
username The user name.

common_granted

The common grants you want to make sure are granted to the ora_user or ora_role.

This property is only functional when applied on container databases.

It is different from the common_grants property in the sense that this is not a full list of the rights, but just the rights that are granted to the user

Here is an example with an ora_user:

ora_user {'scott':
  ...
  common_granted => ['GRANT ANY ROLE'],
  ...
}

Here is an example with an ora_role:

ora_role {'app_dba_role':
  ...
  common_granted => ['GRANT ANY ROLE'],
  ...
}

Back to overview of ora_user

common_granted_with_admin

The common grants with admin you want to make sure are granted to the ora_user or ora_role.

This property is only functional when applied on container databases.

It is different from the common_grants_with_admin property in the sense that this is not a full list of the rights, but just the rights that are granted to the user

Here is an example with an ora_user:

ora_user {'scott':
  ...
  common_granted_with_admin => ['GRANT ANY ROLE'],
  ...
}

Here is an example with an ora_role:

ora_role {'app_dba_role':
  ...
  common_granted_with_admin => ['GRANT ANY ROLE'],
  ...
}

Back to overview of ora_user

common_grants

Common grants for this user or role.

This property is only functional when applied on container databases.

All the common grants this resource has. Here is an example on how to use this on an ora_user:

ora_user { ‘my_user@sid’: … common_grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Here is an example on how to use this on an ora_role:

ora_ora_role { ‘my_role@sid’: … common_grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Back to overview of ora_user

common_grants_with_admin

Common grants for this user or role with admin.

This property is only functional when applied on container databases.

All the common grants this resource has. Here is an example on how to use this on an ora_user:

ora_user { ‘my_user@sid’: … common_grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Here is an example on how to use this on an ora_role:

ora_ora_role { ‘my_role@sid’: … common_grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Back to overview of ora_user

common_revoked

The common grants you want to make sure are revoked from the ora_user or ora_role.

This property is only functional when applied on container databases.

It is different from the common_grants property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user

Here is an example when using ora_user:

ora_user {'scott':
  ...
  common_revoked => ['GRANT ANY ROLE'],
}

Here is an example when using ora_role:

ora_role {'scott':
  ...
  common_revoked => ['GRANT ANY ROLE'],
}

WARNING

When you us both the common_grants and common_revoked property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the common_revoked property are removed. This way ensuring the most secure configuration.

Back to overview of ora_user

common_revoked_with_admin

The common grants you want to make sure are revoked from the ora_user or ora_role.

This property is only functional when applied on container databases.

It is different from the grants property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user

Here is an example when using ora_user:

ora_user {'scott':
  ...
  common_revoked_with_admin => ['GRANT ANY ROLE'],
}

Here is an example when using ora_role:

ora_role {'scott':
  ...
  common_revoked_with_admin => ['GRANT ANY ROLE'],
}

WARNING

When you us both the common_grants and common_revoked property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the common_revoked property are removed. This way ensuring the most secure configuration.

Back to overview of ora_user

container

Allows you to specify the scope of the object.

This property is only supported on version 12 and higher. It allows you to specify if the user will be seen through all portable containers (e.g. global) of just in the current pluggable database.

You can use container on:

  • ora_user
  • ora_profile
  • ora_object_grant

Here is an example on how to use this:

ora_... { '...@sid':
  ...
  container       => 'local',
  ...
}

Valid values are local, common.

Back to overview of ora_user

create_only

The attributes from ora_user you only want to manage when you create a user. This is usefull when defining oracle iser accounts for REAL users. Users that are supposed to change the password and the account expirery. Here is an example:

ora_user {'scott':
  password    => 'secret',
  locked      => false,
  expired     => true,
  create_only => ['locked', 'expired', 'password']
}

When user scott doesn’t exists, it will be created as an expired account, with specified password. After the first run the properties locked expired and password are not updated anymore. Even when there is a difference between the manifest and reality.

Back to overview of ora_user

default_roles

The user’s default roles

Back to overview of ora_user

default_tablespace

The user’s default tablespace.

Back to overview of ora_user

disable_corrective_change

Disable the modification of a resource when Puppet decides it is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_change parameter, you can disable corrective changes on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ...
  disable_corrective_change => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not modify the resource and signal an error:

    Error: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/parameter: change from '10' to '20' failed: Corrective change present requested by catalog, but disabled by parameter disable_corrective_change. (corrective)

Back to overview of ora_user

disable_corrective_ensure

Disable the creation or removal of a resource when Puppet decides is a corrective change.

(requires easy_type V2.11.0 or higher)

When using a Puppet Server, Puppet knows about adaptive and corrective changes. A corrective change is when Puppet notices that the resource has changed, but the catalog has not changed. This can occur for example, when a user, by accident or willingly, changed something on the system that Puppet is managing. The normal Puppet process then repairs this and puts the resource back in the state as defined in the catalog. This process is precisely what you want most of the time, but not always. This can sometimes also occur when a hardware or network error occurs. Then Puppet cannot correctly determine the current state of the system and thinks the resource is changed, while in fact, it is not. Letting Puppet recreate remove or change the resource in these cases, is NOT wat you want.

Using the disable_corrective_ensure parameter, you can disable corrective ensure present or ensure absent actions on the current resource.

Here is an example of this:

crucial_resource {'be_carefull':
  ensure                    => 'present',
  ...
  disable_corrective_ensure => true,
  ...
}

When a corrective ensure does happen on the resource Puppet will not create or remove the resource and signal an error:

    Error: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure.
    Error: /Stage[main]/Main/Crucial_resource[be_carefull]/ensure: change from 'absent' to 'present' failed: Corrective ensure present requested by catalog, but disabled by parameter disable_corrective_ensure. (corrective)

Back to overview of ora_user

ensure

The basic property that the resource should be in.

Valid values are present, absent.

Back to overview of ora_user

expired

specified if the account is expired.

Valid values are true, false.

Back to overview of ora_user

granted

The grants you want to make sure are granted to the ora_user or ora_role. It is different from the grants property in the sense that this is not a full list of the rights, but just the rights that are granted to the user

Here is an example with an ora_user:

ora_user {'scott':
  ...
  granted => ['GRANT ANY ROLE'],
  ...
}

Here is an example with an ora_role:

ora_role {'app_dba_role':
  ...
  granted => ['GRANT ANY ROLE'],
  ...
}

**WARNING**

When you us both the `grants` and `granted` property, Puppet will give you a warning about conflicting values. In the end it **WILL** ensure
that the rights specified for the `revoked` property are removed. This way ensuring the most secure configuration.

Back to overview of ora_user

granted_with_admin

The grants with admin you want to make sure are granted to the ora_user or ora_role. It is different from the grants_with_admin property in the sense that this is not a full list of the rights, but just the rights that are granted to the user

Here is an example with an ora_user:

ora_user {'scott':
  ...
  granted_with_admin => ['GRANT ANY ROLE'],
  ...
}

Here is an example with an ora_role:

ora_role {'app_dba_role':
  ...
  granted_with_admin => ['GRANT ANY ROLE'],
  ...
}

Back to overview of ora_user

grants

grants for this user or role.

All the grants this resource has. Here is an example on how to use this on an ora_user:

ora_user { ‘my_user@sid’: … grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Here is an example on how to use this on an ora_role:

ora_ora_role { ‘my_role@sid’: … grants => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Back to overview of ora_user

grants_with_admin

grants for this user or role.

All the grants this resource has. Here is an example on how to use this on an ora_user:

ora_user { ‘my_user@sid’: … grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Here is an example on how to use this on an ora_role:

ora_ora_role { ‘my_role@sid’: … grants_with_admin => [‘UNLIMITED TABLESPACE’, ‘CREATE PUBLIC SYNONYM’]. … }

Back to overview of ora_user

ignore_oracle_maintained_warnings

This is a parameter that can be used to skip generating warnings on changing or dropping Oracle managed users or roles.

Back to overview of ora_user

locked

specified if the account is locked.

Valid values are true, false.

Back to overview of ora_user

name

The user name.

Back to overview of ora_user

oracle_maintained

This is a read only property that cannot be used when specifying a user.

Back to overview of ora_user

password

The user’s password.

Back to overview of ora_user

profile

The user’s profile

Back to overview of ora_user

provider

The specific backend to use for this ora_user resource. You will seldom need to specify this — Puppet will usually discover the appropriate provider for your platform.Available providers are:

simple
Manage Oracle users in an Oracle Database via regular SQL

Back to overview of ora_user

quotas

Quota’s for this user.

Back to overview of ora_user

raw_password

The user’s raw password.

Back to overview of ora_user

revoked

The grants you want to make sure are revoked from the ora_user or ora_role. It is different from the grants property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user

Here is an example when using ora_user:

ora_user {'scott':
  ...
  revoked => ['GRANT ANY ROLE'],
}

Here is an example when using ora_role:

ora_role {'scott':
  ...
  revoked => ['GRANT ANY ROLE'],
}

WARNING

When you us both the grants and revoked property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the revoked property are removed. This way ensuring the most secure configuration.

Back to overview of ora_user

revoked_with_admin

The grants you want to make sure are revoked from the ora_user or ora_role. It is different from the grants property in the sense that this is not a full list of the rights, but just the rights that are NOT granted to the user

Here is an example when using ora_user:

ora_user {'scott':
  ...
  revoked_with_admin => ['GRANT ANY ROLE'],
}

Here is an example when using ora_role:

ora_role {'scott':
  ...
  revoked_with_admin => ['GRANT ANY ROLE'],
}

WARNING

When you us both the grants_with_admin and revoked_with_admin property, Puppet will give you a warning about conflicting values. In the end it WILL ensure that the rights specified for the revoked_with_admin property are removed. This way ensuring the most secure configuration.

Back to overview of ora_user

schema_only

specify if the account is schema only, without password and cannot be logged in with.

Valid values are true, false.

Back to overview of ora_user

sid

SID to connect to.

All types have a name like resource@sid. The sid is optional. If you don’t specify the sid, the type will use the database from the /etc/ora_setting.yaml with the property default set to true. We advise you to either use @sid in all your manifests or leave it empty everywhere.

Back to overview of ora_user

temporary_tablespace

The user’s temporary tablespace.

Back to overview of ora_user

username

The user name.

Back to overview of ora_user