In Oracle 11g, we can grant restricted access to the RMAN catalog to some users so that they can only access a limited set of databases that are registered in the RMAN catalog.
This is done by creating a Virtual Private Catalog, which grants a particular user read/write access to only that user’s RMAN metadata. In this way we can create multiple recovery catalog users, each having access to only a limited set of databases, while the base recovery catalog owner has access to the entire metadata.
For example, in the RMAN catalog owned by user RMAN11D, there are a number of databases registered, but we would like to restrict access to the APEX database to a single user – RMAN_APEX.
So we need to first create a user in the database which houses the base RMAN catalog, grant that user the RECOVERY_CATALOG_OWNER role and then the ‘catalog for database …..’ privilege.
That user will then create a virtual catalog, and when he connects to that catalog we will see that he can only access the one database to which he has been granted access, the APEX database.
The original RMAN catalog owner is RMAN11D – note the databases which are currently registered:
Create the Virtual Catalog User – RMAN_APEX
Connect to catalog as catalog owner and grant permissions on the one database – APEX
Connect now as the user RMAN_APEX and create the Virtual Private Catalog
If we connect as the original RMAN catalog owner we can see all the registered databases
Note that only one database is registered in this catalog when we connect as RMAN_APEX
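The steps above collected into one script, as an added example that is not the original post's commands or output. The TNS alias `catdb`, the SYSTEM login, the USERS tablespace and the password variables are assumptions; RMAN11D, RMAN_APEX and APEX are the names used above.

```shell
#!/bin/sh
# Added example. Assumptions (not from the page): CATDB is the TNS alias of the
# catalog database, a SYSTEM login is available there, the USERS tablespace
# exists, and the three *_PW variables hold simple alphanumeric passwords.
CATDB="${CATDB:-catdb}"

# Step 1: create the restricted user in the database that houses the catalog.
create_vpc_user() {
  : "${SYSTEM_PW:?set SYSTEM_PW}" "${APEX_PW:?set APEX_PW}"
  sqlplus -s /nolog <<EOF
CONNECT system/${SYSTEM_PW}@${CATDB}
CREATE USER rman_apex IDENTIFIED BY "${APEX_PW}"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT recovery_catalog_owner TO rman_apex;
EXIT
EOF
}

# Step 2: as the base catalog owner, expose only the APEX database.
grant_apex_only() {
  : "${RMAN11D_PW:?set RMAN11D_PW}"
  rman <<EOF
CONNECT CATALOG rman11d/${RMAN11D_PW}@${CATDB}
GRANT CATALOG FOR DATABASE apex TO rman_apex;
EXIT
EOF
}

# Step 3: as RMAN_APEX, create the virtual private catalog, then list what it
# can see. With no target connected, LIST INCARNATION covers every database
# visible to the connected catalog user, so only APEX should appear.
create_vpc() {
  : "${APEX_PW:?set APEX_PW}"
  rman <<EOF
CONNECT CATALOG rman_apex/${APEX_PW}@${CATDB}
CREATE VIRTUAL CATALOG;
LIST INCARNATION;
EXIT
EOF
}

# Credentials travel in the here-documents, not in argv, so they do not show
# up in the process list. Run all three steps with: sh vpc_apex.sh run
if [ "${1:-}" = "run" ]; then
  create_vpc_user && grant_apex_only && create_vpc
fi
```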