Scripting Node with Limited Privileges


In some environments, especially those requiring secure automation or API integration, it is desirable to have a lightweight dbWatch node dedicated to scripting tasks. This configuration uses a headless Control Center node running the CCC (Control Center Commandline) tool, with tightly controlled domain access and limited privileges.

This setup supports:


Typical Use Cases


Architecture Overview

A scripting node runs only the core dbWatch Control Center services necessary for domain authentication and CCC execution. It does not host a full GUI client, nor does it act as a monitoring node.

This node is configured in the domain with restricted roles and certificate routing controls. Firewall rules can ensure that only specific IP ranges or systems can communicate with it.


Installation and Setup

1. Install dbWatch Control Center on Target Node

Install the product using your platform’s guide:

Skip starting the GUI or adding monitoring roles. This node will act as a scripting node only.


2. Configure Node in the Domain

From an existing GUI client or server with full access:

Enable the certificate routing for the domain and configure the Internal Control Center Firewall to accept only whitelisted IPs or hosts.


Suggested Privileges for a Scripting Node

The following privileges should be assigned based on the specific CCC scripts intended to be used. Privileges can be scoped tightly using roles associated with nodes in the Security System or Domain Configuration.

Action CCC Script Required Privilege On Security Object
Add new instance add_instance.script Write Instance System
Register instance config register_instance.script Write Instance System
Retrieve instance config get_instance.script Read Instance
Install jobs jobs.script Write Instance
Set metadata metadata.script Configure Instance
Run FDL/USL scripts fdl.script Write Instance
Connect/disconnect instance instance_action.script Configure Instance

Note:

For the full list of actions and required privileges, refer to:


Assigning the Privileges

To create and assign a minimal-access role:

  1. Go to Domain Configuration > Roles
  2. Create a new role: `scripting-node`
  3. Assign the minimum required privileges as described above
  4. Go to Nodes and assign this role to the scripting node

Using the Scripting Node in Secure Topologies

In multi-node deployments, the scripting node can be configured to connect to a central domain via a cloud router.

Common features:

Read more:


Example Role XML Snippet

If editing the configuration manually, here’s an example role that can be adapted:

<role>
  <name>ccc-script-runner</name>
  <privilege>write_instance_system</privilege>
  <privilege>read_instance</privilege>
  <privilege>write_instance</privilege>
  <privilege>configure_instance</privilege>
</role>

This pattern enables you to automate and integrate dbWatch safely in production environments while retaining strong governance and traceability over every action executed.


3. Use CCC for Script Execution

On the scripting node, use the Control Center Commandline tool to trigger tasks.

Example: Running metadata update

Running Metadata Update with CCC

To apply metadata to a database instance using the command-line tool CCC, you must prepare a properties file containing your metadata keys and values. This file is then passed to the `metadata.script`.

1. Create the metadata definition file

Create a file named `metadata.properties` with the desired key-value pairs. For example:

env=prod
team=finance

2. Run the metadata update script

Use the following command syntax to apply the metadata:

./ccc.sh metadata.script --instanceName=mydb01 --definition=metadata.properties

Replace `mydb01` with the name of your database instance, and adjust the filename if you named your metadata file differently.

This approach ensures that the metadata is properly parsed and assigned by the CCC scripting engine. Directly passing metadata via a `--metadata=` flag is not supported by `metadata.script`.

Scripts are available in the following archive:

Refer to these pages for usage details: