One of the most overlooked tasks that can become an issue outside of your RDBMS environment is managing your Oracle customer support identifier (CSIs). CSIs are added to your support.oracle.com account. They allow you to perform activities from creating a service request or looking up information in a global knowledge database. When a CSI is added to an account for the first time, the person applying automatically becomes the main administrator for the CSI.
While it makes sense that a manager/supervisor would become the administrator for a CSI, this is where things often take a turn for the worse. This is because a manager/supervisor is less likely to be the one actually creating a service request or assigning accounts to services such as Oracle Enterprise Manager or Oracle Secure Backup Web Services. Also, what happens when a manager/supervisor retires or leaves their position for a new one? Often the administrator privilege is not passed to a new employee, which puts your account at risk. How? It leaves you unable to make account information changes to your systems or users in Oracle’s CSI Administrator portal.
If there is no one with administrator access, new employees cannot be granted access to your CSI, old employees cannot be removed from a CSI and changes to SR level data cannot be modified. Allowing old employees access to your CSI also poses a security threat if said user has administrative rights.
Oracle Customer Support Identifier Best Practices
To mitigate these issues, I recommend the following best practices to make sure you do not run into any CSI issues:
- Make all users of a database administration group CSI administrators – This makes sure your company will always have access to make CSI changes even if any one of the employees leave.
- Set account expiration dates on your accounts if a user is leaving – This will automatically disable a user’s access to your CSI.
- Create a service account that only has USER level access to your CSI. This account can be used to connect such services as Oracle’s Enterprise Manager or Oracle Secure Backup Web Services module. A service account allows first- and third-party services to continue to operate even when an employee leaves.
If you are looking for a best-practice approach to on-site or remote DBA services, contact Buda Consulting. Our experienced staff of certified Oracle professionals can address all your DBA requirements.
This post was written by Willie Gray, a member of Buda Consulting’s DBA team.