Liquibase Enterprise was formerly known as Datical DB.

Single-Schema Projects - Oracle Roles and Permissions

Owned by Former user (Deleted)
Last updated: Mar 09, 2022 by Former user (Deleted)
5 min read

Single-Schema Project Roles and Permissions

For single-schema projects the DATICAL_USER is the managed schema account.  At runtime, Datical will connect to the database as the owner of the managed schema to process and deploy code.  The DATABASECHANGELOG and DATABASECHANGELOGLOCK tables used to track and manage database changes are deployed into the managed schema.  The database schemas can be different across steps in the pipeline.


Database permissions for Datical are managed through Roles.  Three Datical Roles are needed:

  • DATICAL_SCHEMA_OWNER_ROLE - Required on all databases in the project.  Grants permissions to deploy objects.
  • DATICAL_PACKAGER_SCHEMA_OWNER_ROLE - Required only on the REF database in the project.  Grants additional permissions required to execute Datical packaging operations.
  • DATICAL_TRACK_ROLE - Required on all databases in the project.  Grants permissions to manage the database change log. 

DATICAL_SCHEMA_OWNER_ROLE

This role gives the Datical user the required permissions on all managed database objects.

DATICAL_ROLE_SCHEMA_OWNER
-- The following must be run as sysdba
-- SQL > conn / as sysdba

CREATE ROLE DATICAL_SCHEMA_OWNER_ROLE NOT IDENTIFIED;

GRANT CREATE SESSION TO DATICAL_SCHEMA_OWNER_ROLE;

-- Standard Object Permissions
GRANT CREATE TRIGGER TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE TABLESPACE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE SEQUENCE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE TABLE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE PROCEDURE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE SYNONYM TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE VIEW TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE TYPE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE MATERIALIZED VIEW TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE DATABASE LINK TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- Other, less common Object Permissions
GRANT CREATE ASSEMBLY TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE OPERATOR TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE EXTERNAL JOB TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE LIBRARY TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE JOB TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE CLUSTER TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE EVALUATION CONTEXT TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE RULE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE RULE SET TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE DIMENSION TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE ROLLBACK SEGMENT TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE CUBE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE CUBE DIMENSION TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE CUBE BUILD PROCESS TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE MEASURE FOLDER TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE MINING MODEL TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE INDEXTYPE TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT CREATE PROFILE TO DATICAL_SCHEMA_OWNER_ROLE;
  
-- Permissions for working with EDITIONING VIEWS 
-- Use ALTER <user> ENABLE EDITIONS on the user to enable editioning
GRANT CREATE ANY EDITION TO DATICAL_SCHEMA_OWNER_ROLE;
GRANT DROP ANY EDITION TO DATICAL_SCHEMA_OWNER_ROLE;

-- Permissions That Are Not Recommended
-- GRANT CREATE PUBLIC SYNONYM TO DATICAL_SCHEMA_OWNER_ROLE;
-- GRANT CREATE PUBLIC DATABASE LINK TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- Permissions required to run the AUTO GENERATED PERMISSIONS feature
GRANT SELECT ANY DICTIONARY TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- Alternatively, this should be the more restrictive set of GRANTs that are needed for AUTO GENERATED PERMISSIONS:
-- GRANT SELECT ON DBA_SYS_PRIVS TO DATICAL_SCHEMA_OWNER_ROLE;
-- GRANT SELECT ON DBA_ROLE_PRIVS TO DATICAL_SCHEMA_OWNER_ROLE;
-- GRANT SELECT ON DBA_COL_PRIVS TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- Gather metadata (forecast/snapshot/diff)
-- If we change the code to use the "USER" instead of the "DBA" views for snapshots in single user schema owner mode, then this permission could go away.
GRANT SELECT_CATALOG_ROLE TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- OPTIONAL 
-- Permission so Datical can check if the database is 12c but is running in 11g compatible mode
-- This needs to be executed as SYSDBA
GRANT SELECT ON V_$PARAMETER TO DATICAL_SCHEMA_OWNER_ROLE;
 
-- Permissions needed to capture storage options
GRANT EXECUTE ON SYS.UTL_FILE TO DATICAL_SCHEMA_OWNER_ROLE;


DATICAL_PACKAGER_SCHEMA_OWNER_ROLE

This role adds permissions needed to perform packaging. Use it only for the REF database (project step). 

DATICAL_PACKAGER_SCHEMA_OWNER
CREATE ROLE DATICAL_PACKAGER_SCHEMA_OWNER_ROLE NOT IDENTIFIED;

-- When using the tracefileLocation=REMOTE, you will need to setup the following permissions.
-- Note: These permissions are only required on schemas running the Convert SQL Scripts command.  This is only needed on the packaging / reference database.
GRANT ALTER SESSION TO DATICAL_PACKAGER_SCHEMA_OWNER_ROLE;

-- The following permissions are needed for backing up and restoring the database.  This is only needed on the packaging / reference database.
GRANT EXP_FULL_DATABASE TO DATICAL_PACKAGER_SCHEMA_OWNER_ROLE;
GRANT IMP_FULL_DATABASE TO DATICAL_PACKAGER_SCHEMA_OWNER_ROLE;

-- The following permission is required if you you have Data Vault installed. This is only needed on the packaging / reference database.
GRANT BECOME USER TO DATICAL_PACKAGER_SCHEMA_OWNER_ROLE;

DATICAL_TRACK_ROLE

This role should be managed separately. There are some overlaps with permissions in the DATICAL_SCHEMA_OWNER_ROLE.

DATICAL_TRACK_ROLE
CREATE ROLE DATICAL_TRACK_ROLE NOT IDENTIFIED;

-- will create 2 tables - DATABASECHANGELOG and DATABASECHANGELOGLOCK
-- will insert records
grant create session,
  create procedure, create sequence, create table, create trigger, create type,
  create synonym, create view,
  create cluster, create indextype, create operator
to DATICAL_TRACK_ROLE;

DATICAL_DATAPUMP_DIR Creation

Datical uses datapump as the default mechanism to backup and restore database schemas during Packaging.  The DATICAL_DATAPUMP_DIR is only needed on the REF databases.  Edit the script to set the path for the DATICAL_DATAPUMP_DIR to an appropriate location on the database server.

DATICAL_DATAPUMP_DIR
-- Modify this to set the appropriate directory path.
CREATE OR REPLACE DIRECTORY DATICAL_DATAPUMP_DIR AS '&PathToDatapumpDir';

To use Data Pump in an Oracle RAC configuration, you must ensure that the directory object path (DATICAL_DATAPUMP_DIR by default) is on a cluster-wide file system.  The directory object must point to shared physical storage that is visible to, and accessible from, all instances where Data Pump and/or external tables processes may run. 

TRACE_FILE_DIR Creation

When using the tracefileLocation=remote option, the following directory object must be created.  It is needed on the REF database only.

TRACE_FILE_DIR
-- Modify this to set the appropriate directory path.
CREATE OR REPLACE DIRECTORY TRACE_FILE_DIR AS '&PathToTracefileDir';

Granting Roles and Permissions

Grant the roles to the managed schema account.  Modify the script to grant the schema owner unlimited tablespace based upon your company policy and tablespace configuration.

REF Database Roles and Permissions
-- Permissions for REF databases.
-- Modify this to set the appropriate account name for your SchemaOwner account.
GRANT DATICAL_SCHEMA_OWNER_ROLE TO &SchemaOwner;
GRANT DATICAL_PACKAGER_SCHEMA_OWNER ROLE to &SchemaOwner:

-- Directory permissions cannot be granted by a ROLE because the directory is checked through the utl_file.file_exists function.
GRANT READ, WRITE ON DIRECTORY DATICAL_DATAPUMP_DIR TO &SchemaOwner;
GRANT ALL ON DIRECTORY TRACE_FILE_DIR TO &SchemaOwner;

GRANT DATICAL_TRACK_ROLE TO &SchemaOwner;

-- Unlimited tablespace access
-- GRANT UNLIMITED TABLESPACE TO &SchemaOwner;
 -- –or-
-- Grant access to one or more specified tablespaces
-- ALTER USER &SchemaOwner QUOTA UNLIMITED ON &TablespaceName;


non-REF Database Roles and Permissions
-- Permissions for non-REF databases.
-- Modify this to set the appropriate account name for your SchemaOwner account.
GRANT DATICAL_SCHEMA_OWNER_ROLE TO &SchemaOwner;
GRANT DATICAL_TRACK_ROLE TO &SchemaOwner;

-- Unlimited tablespace access
-- GRANT UNLIMITED TABLESPACE TO &SchemaOwner;
 -- –or-
-- Grant access to one or more specified tablespaces
-- ALTER USER &SchemaOwner QUOTA UNLIMITED ON &SchemaOwner;


 The roles granted to SchemaOwner must be DEFAULT roles.  Be sure to validate that the accounts have all the required DEFAULT roles.

Validate Default Roles
-- Verify permissions.
-- Modify this to set the appropriate account name for your SchemaOwner accounts.

select grantee, granted_role, default_role from dba_role_privs where grantee = '&SchemaOwner' order by 1;

-- If DEFAULT_ROLE is not YES.  Execute the following.
alter user &SchemaOwner default role DATICAL_ROLE;
alter user &SchemaOwner default role DATICAL_PACKAGER_ROLE;  /* REF database only */
alter user &SchemaOwner default role DATICAL_TRACK_ROLE;

-- Verify READ/WRITE permissions exist on the DATICAL_DATAPUMP_DIR (REF database only).
select table_name, privilege from DBA_TAB_PRIVS where grantee = '&SchemaOwner';

Packaging Requirement for Exclusive Connection

Packaging requires that no other schema-owner users are connected to the database. 

  • Deployment Packager checks for connections to the REF database at the beginning of a packaging operation. Packaging stops and reports an error if there are other active connections. 
  • During packaging, if a schema-owner user attempts to connect to the database, packager warns and may stop. 

Deployment packager drops all objects in the SchemaOwner account before doing a restore.  If there are other connections to the SchemaOwner, they may interfere with the process.

Copyright © Liquibase 2012-2022 - Proprietary and Confidential