Database Consultant (Passionate about Database & Cloud Technologies)

Database Architect,Core DBA ,APPSDBA,Mysql DBA,MongoDB,PostgreSQL,MariaDB,Installations,Upgrades on all Flavors of UNIX (LINUX,SOLARIS,HP(AIX)). Oracle E-Business Suite R12 (Upgrades,Patching,Cloning) AWS upgrades and implementation expert. OCI (Oracle Cloud Infrastructure) Architect, Exadata (Oracle Database Exadata Cloud at Customer(Exacc)),Superclusters ,Autonomous Databases, AWS RDS Customs , Sql Tuning Expert. ***Never Stop sharing,Learning and Growing***

Friday, May 15, 2026

Oracle EBS R12: Create User & Assign Responsibility — Step-by-Step DBA Guide with SQL Verification

Oracle EBS R12 — Create User & Assign Responsibility | Punit Oracle DBA

Oracle EBS R12 · Security Series

Create User & Assign Responsibility
in Oracle EBS R12

A complete step-by-step DBA guide — from login to SQL verification, with field tables, tips, and production-tested queries.

Punit Oracle DBA May 2026 8 min read EBS Security · FND_USER · System Administrator

Managing Oracle E-Business Suite R12 user accounts is one of the most frequent tasks for an EBS DBA. Whether onboarding a new employee or extending access for an existing user, knowing the exact steps — and how to verify them at the database level — keeps your environment secure, auditable, and well-documented.

This guide walks through all 10 steps: from System Administrator login to ticket closure, with field references, SQL verification queries, and real-world DBA tips throughout.

✓ Prerequisites

You have System Administrator responsibility assigned to your login
You know the responsibility name(s) to assign to the new user
Employee record exists in HR (if linking the user to a Person)
User's email address is available for workflow notifications
Password policy is reviewed and agreed with your security team

💡

DBA Pre-check Always query FND_USER before creating to avoid duplicates. A user already exists if end_date is null or in the future — just reactivate instead of creating new.

SQL — Pre-check

-- Check if user already exists before creating
SELECT user_id, user_name, start_date, end_date
FROM   fnd_user
WHERE  user_name = 'JSMITH';

⚡ Step-by-Step Guide

Open Oracle EBS in your browser and authenticate with your named DBA account. Select the System Administrator responsibility from the list.

1 Open your browser and navigate to the Oracle EBS R12 login URL (e.g., http://<host>:<port>/OA_HTML/AppsLogin)

2 Enter your named DBA credentials — username and password

3 From the responsibility list, click System Administrator

4 Confirm the Oracle Applications Navigator loads correctly

🔒

SecurityNever use a shared admin account. Always use a named account for a clean audit trail — this is a top requirement in SOX and internal audit reviews.

Navigate to the Users Form Security → User → Define

From the System Administrator responsibility, navigate through the menu to open the Users definition form (FNDSCAUS).

Navigation Path

Navigator  →  Security  →  User  →  Define

1 Click the Navigator icon or menu at the top of the screen

2 Expand Security in the left-hand tree panel

3 Expand User, then click Define

4 The Users form (FNDSCAUS) opens — this is an Oracle Forms screen

⌨️

ShortcutIn some EBS configurations you can type FNDSCAUS directly into the Navigator search bar to open the form immediately.

⚠️

Forms EnvironmentThis is an Oracle Forms-based screen. Ensure your browser has Java Plugin / Oracle Forms Webstart configured, or that the Forms Applet is running correctly.

Enter User Header Details Users Form — Header Block

Fill in all required fields in the top section of the Users form. These define the user's identity, access window, and notification channel.

Field	Value / Example	Status
User Name	JSMITH	Required
Password	Welcome#123	Required
Description	John Smith – AP Clerk	Optional
Email Address	jsmith@company.com	Required
Password Expiration	90 Days	Per Policy
Start Date	Today's Date	Required
End Date	(Leave blank)	Blank = Active

🔑

Password TipThe user will be prompted to change their password on first login. Check FND_PROFILE password complexity settings before assigning an initial password.

Link Employee / Person (Recommended) Person Field — LOV (F9)

Linking the user to an HR person record is required for Self-Service HR, iExpense, iProcurement, and workflow notification routing. Always link when an employee record exists.

1 Click in the Person field in the Users form header area

2 Press F9 or click the LOV icon — the List of Values popup opens

3 Search by last name — type %Smith% and press Find

4 Select the correct person and verify the employee number matches HR records

🗄️

Verify in DB FirstAlways confirm the employee record is active in PER_ALL_PEOPLE_F before linking.

SQL — Verify Employee

SELECT full_name, employee_number, effective_start_date
FROM   per_all_people_f
WHERE  last_name LIKE '%SMITH%'
AND    SYSDATE BETWEEN effective_start_date
               AND NVL(effective_end_date, SYSDATE);

Assign Responsibilities Responsibilities Block — LOV (F9)

Responsibilities control what the user can see and do inside EBS. Each responsibility maps to a menu, security group, and application. Scroll to the lower block of the Users form to assign them.

1 Scroll to the Responsibilities block in the lower half of the Users form

2 Click in the Responsibility Name field in the first blank row

3 Press F9 — search using a partial name like %AP% or %Payables%

4 Select the responsibility — Application and Security Group auto-populate

5 Set the From Date (today's date or the user's start date)

6 Leave To Date blank for indefinite access, or set a date for temporary access

7 Repeat for each additional responsibility — add a new row for each one needed

Field	Value / Example	Status
Responsibility Name	AP Manager	Required
Application	Payables	Auto-filled
Security Group	Standard	Auto-filled
From Date	Today's Date	Required
To Date	(Leave blank)	Optional

⚠️

Least PrivilegeAssign ONLY the responsibilities the user requires. Over-privileged accounts are the most common finding in Oracle EBS security audits. When in doubt, consult the business process owner.

Save the Record Ctrl+S / Save Icon

Commit all changes to the database. Confirm the status bar shows a successful save message before proceeding.

1 Click the Save icon (floppy disk) in the toolbar, or press Ctrl+S

2 Confirm the status bar shows: Transaction complete: 1 records applied and saved

3 Note the user_id for documentation and SQL verification

✅

Best PracticeAlways verify the commit immediately using SQL. Do not assume the save was successful without querying the database — always confirm at the data layer.

Verify via SQL FND_USER · FND_USER_RESP_GROUPS_ALL

Run these two queries immediately after saving to confirm the user record and responsibility assignments are correctly committed to the database.

SQL — Verify User Record

-- Confirm user was created successfully
SELECT user_id, user_name, email_address,
       start_date, end_date, person_party_id
FROM   fnd_user
WHERE  user_name = 'JSMITH';

SQL — Verify Responsibilities Assigned

-- Confirm all responsibilities are assigned with correct dates
SELECT fu.user_name,
       fr.responsibility_name,
       fur.start_date,
       fur.end_date
FROM   fnd_user_resp_groups_all  fur,
       fnd_user                  fu,
       fnd_responsibility_tl     fr
WHERE  fu.user_id           = fur.user_id
AND   fur.responsibility_id = fr.responsibility_id
AND   fu.user_name         = 'JSMITH'
AND   fr.language          = 'US';

📊

Expected ResultYou should see one row in FND_USER with a null end_date, and one row per responsibility in FND_USER_RESP_GROUPS_ALL with the correct start_date.

Test the User Login End-to-End Validation

Login as the new user in a separate browser session to confirm everything is working end-to-end before closing the ticket.

1 Open EBS in a separate browser / incognito window

2 Login as the new user with the initial password

3 Confirm the password-change prompt appears on first login

4 Verify the assigned responsibilities appear in the Navigator

5 Click into one responsibility and confirm the menu loads correctly

Set Profile Options System Administrator → Profile → System

For multi-org environments or module-specific access, set these profile options at the user level. Navigate via System Administrator → Profile → System, query the user, and update accordingly.

Profile Option	Typical Value	When Required
MO: Operating Unit	Vision Operations	Multi-org setups
GL: Ledger Name	Vision Operations (USD)	GL module access
HR: User Type	Full Access	SSHR / HR access
ICX: Language	American English	Non-default language

Document & Close the Ticket ITSM / Audit Compliance

Every user creation must be documented for SOX, internal audit, or IT governance. Log the change with full details before closing the ticket.

1 Log the ticket in your ITSM system (JIRA, ServiceNow) with the user_id and responsibilities assigned

2 Record the creation date, requestor name, and approver name

3 Attach the access request approval email or form

4 Notify the user and their team lead that access is active

5 Set a reminder to review and revoke access when the employee leaves

🔴

Offboarding CriticalWhen a user leaves, set the end_date on the FND_USER record AND on each responsibility row immediately. Dormant active accounts are a top audit finding in Oracle EBS environments.

🗄️ Key Database Tables

Table Name	Purpose
FND_USER	All EBS application users — username, password hash, email, start/end dates
FND_USER_RESP_GROUPS_ALL	Links users to responsibilities with effective date ranges
FND_RESPONSIBILITY_TL	Translatable responsibility names and descriptions
FND_RESPONSIBILITY	Responsibility definitions — menu, data group, security group
PER_ALL_PEOPLE_F	HR person records — used when linking a user to an employee
FND_PROFILE_OPTION_VALUES	Profile option values at all levels including user level

📋 Post-Creation Checklist

User record visible in FND_USER with correct start date and null end date

All responsibilities appear in FND_USER_RESP_GROUPS_ALL with correct dates

User can login successfully and sees all assigned responsibilities

Password change prompt appeared on first login

Profile options set correctly for operating unit and ledger

Ticket logged with user_id, responsibilities, requestor, and approver

User and team lead notified — access is active and ready

💬 Final Thoughts

User creation in Oracle EBS R12 looks simple on the surface — but getting it right means linking the HR person, assigning the correct responsibilities, verifying at the database level, and documenting for audit. That difference separates a reactive DBA from a proactive one.

The SQL queries in this guide take 30 seconds to run and save hours of troubleshooting if something goes wrong. Make them part of every user creation workflow.

🤝

ConnectFound this helpful? Share it with your Oracle DBA team. Questions or a scenario you've encountered? Drop them in the comments — I read and reply to every one. Follow punitoracledba.blogspot.com for more EBS DBA guides.

Tuesday, May 12, 2026

How to Enable HTTPS on Oracle EBS R12.2

punitoracledba.blogspot.com · EBS R12.2 + Okta SSO Series ·

SSL / HTTPS · Phase 1 Prerequisite

How to Enable HTTPS on Oracle EBS R12.2 — Step by Step

Before Okta SSO can work, your EBS environment needs HTTPS. This guide covers Oracle Wallet creation, OHS configuration, and going live on port 443 — with exact commands for your environment.

punitoracledba · EBS R12.2.13 · RHEL 8 · OHS 12.2.x · ~10 min read

EBS R12.2.13 + Okta SSO Implementation

Why HTTPS First?

Okta is a cloud-based Identity Provider (IdP) that communicates over SAML 2.0. Every SAML assertion it sends contains sensitive authentication tokens. Without HTTPS, those tokens travel in plain text — and Okta simply refuses to integrate with HTTP endpoints. No SSL = no SSO. Full stop.

In this post, we configure HTTPS on Oracle HTTP Server (OHS) for EBS R12.2.13 running on RHEL 8, using an Oracle Wallet with a self-signed certificate on port 443.

Note: For production environments, replace the self-signed certificate with one from your internal CA or a trusted CA (DigiCert, Sectigo, etc.). All other steps remain identical.

Environment Reference

Component	Value
Application server	`pc.app.com`
Database server	`pc.db.com : 1533`
Current EBS URL	`http://pc.app.com:8012`
Target HTTPS URL	`https://pc.app.com:443`
OS	RHEL 8
OHS version	OHS 12.2.x (EBS R12.2.13)
Certificate type	Self-signed (lab/dev)

Step 1

Locate Your OHS Instance & Wallet Directory

bash — find OHS paths

echo $INST_TOP

find $INST_TOP -name "cwallet.sso" 2>/dev/null
find $INST_TOP -name "wallet" -type d 2>/dev/null

Typical wallet location:

$INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default/

Step 2

Verify orapki Is Available

EBS R12.2 OHS uses the Oracle Wallet — not openssl. The tool is orapki.

bash — verify orapki

export PATH=$ORACLE_HOME/bin:$PATH
which orapki
orapki version

Tip: If orapki is not found, source your EBS env file:
source $INST_TOP/ora/10.1.3/Apache/Apache/bin/envvar.sh

Step 3

Create the Oracle Wallet

bash — create wallet directory

mkdir -p $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default
cd $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default

bash — create wallet with auto-login

orapki wallet create \
  -wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
  -pwd WalletPasswd123 \
  -auto_login

The -auto_login flag creates cwallet.sso — allows OHS to start without a password prompt on server restarts.

Step 4

Generate the Self-Signed Certificate

bash — add self-signed certificate (10-year validity)

orapki wallet add \
  -wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
  -pwd WalletPasswd123 \
  -dn "CN=pc.app.com,OU=IT,O=YourOrg,L=City,ST=State,C=US" \
  -keysize 2048 \
  -self_signed \
  -validity 3650

Verify the certificate was added:

bash — display wallet contents

orapki wallet display \
  -wallet $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default \
  -pwd WalletPasswd123

expected output

User Certificates:
Subject: CN=pc.app.com,OU=IT,O=YourOrg,L=City,ST=State,C=US

Step 5

Configure ssl.conf for Port 443

bash — backup and edit ssl.conf

cp $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf \
   $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf.bkp_$(date +%Y%m%d)

vi $INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.conf

Set these key directives inside ssl.conf:

ssl.conf — key settings

Listen 443
SSLEngine on

<VirtualHost pc.app.com:443>
  ServerName pc.app.com:443
  SSLWallet "$INST_TOP/ora/10.1.3/Apache/Apache/conf/ssl.wlt/default"
  SSLProtocol TLSv1.2
  SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

Always back up config files before editing. The $(date +%Y%m%d) suffix keeps backups organised by date.

Step 6

Update httpd.conf

httpd.conf — verify these lines exist

Listen 80
Listen 443
Include conf/ssl.conf

Step 7

Update EBS Context File & Run AutoConfig

This is the step most DBAs miss. The context file drives all generated EBS configuration. Skip this and your EBS URLs will still point to HTTP even after OHS is serving HTTPS.

context file — update these parameters

<s_webentryhost>pc.app.com</s_webentryhost>
<s_webentryurlport>443</s_webentryurlport>
<s_login_page>https://pc.app.com:443/OA_HTML/AppsLocalLogin.jsp</s_login_page>
<s_external_url>https://pc.app.com:443</s_external_url>

bash — run AutoConfig

cd $ADMIN_SCRIPTS_HOME
./adautocfg.sh

Step 8

Open Port 443 on RHEL 8 Firewall

bash — firewalld + SELinux

sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

# If SELinux is Enforcing
getenforce
sudo semanage port -a -t http_port_t -p tcp 443

Step 9

Bounce OHS & Test HTTPS

bash — restart and verify

$ADMIN_SCRIPTS_HOME/adapcctl.sh stop
$ADMIN_SCRIPTS_HOME/adapcctl.sh start
$ADMIN_SCRIPTS_HOME/adapcctl.sh status

# Test HTTPS (-k bypasses self-signed cert warning)
curl -k -I https://pc.app.com/OA_HTML/AppsLocalLogin.jsp

Expected result: HTTP/1.1 200 OK — HTTPS is live!

Final Verification Checklist

Check	Command	Expected
Wallet created	`ls ssl.wlt/default/`	✓ cwallet.sso + ewallet.p12
Certificate added	`orapki wallet display`	✓ CN=pc.app.com
OHS running	`adapcctl.sh status`	✓ Running
Port 443 open	`curl -k https://pc.app.com`	✓ HTTP 200 OK
AutoConfig done	`adautocfg.sh`	✓ Completed
Context file updated	`grep 443 $CONTEXT_FILE`	✓ Shows port 443

What's Next?

With HTTPS confirmed on https://pc.app.com, your environment is ready to receive Okta SAML assertions securely. In Part 2 of this series, we deploy the Oracle EBS Asserter on WebLogic — the middleware that translates Okta's SAML token into an EBS session.

Hit any issues? Drop a comment with the error message and I'll help troubleshoot.

Oracle EBS R12.2 HTTPS OHS Oracle Wallet orapki SSL Okta SSO RHEL 8

Written by

punitoracledba

Oracle DBA Specialist Lead | Oracle EBS DBA | AWS & AI Learner. Turning real-world database experience into practical knowledge. Follow the full EBS R12.2 + Okta SSO series at punitoracledba.blogspot.com

Sunday, May 10, 2026

Oracle Skills GitHub Repository – The Future of AI-Assisted Oracle DBA Operations

ORACLE / SKILLS · GITHUB

Oracle Skills GitHub Repository

The Future of AI-Assisted Oracle DBA Operations

Oracle Skills is a practical GitHub repository designed to help DBAs, developers, and AI agents use structured, source-backed Oracle knowledge for real-world database operations.

Visit Official GitHub Repository

What is Oracle Skills?

Oracle Skills is a curated collection of practical, installable skills for Oracle technologies. It provides reusable guidance for database administration, SQL development, performance tuning, security, monitoring, migrations, DevOps, Oracle Cloud, APEX, Fusion, and GraalVM.

Official Repository:
https://github.com/oracle/skills

Why This Matters for Oracle DBAs

Traditionally, DBAs depend on MOS notes, internal SOPs, SQL scripts, documentation, and personal experience. Oracle Skills introduces a structured model where AI assistants and automation tools can use predefined, version-aware Oracle guidance.

This helps DBAs troubleshoot faster, reduce repeated manual effort, and create more consistent operational workflows.

Key Skill Domains

Domain	Purpose
Admin	Startup, backup, RMAN, patching, tablespaces, maintenance
Performance	AWR, ASH, SQL tuning, wait events, execution plans
Security	Auditing, privileges, encryption, hardening
Monitoring	Database health checks, alerts, diagnostics
Migrations	Upgrade planning, migration approach, cross-version guidance
DevOps	CI/CD, automation, database lifecycle workflows
OCI	Oracle Cloud Infrastructure related operations
APEX / ORDS	Application development and REST services guidance

Simple Example

Instead of manually searching documentation or creating SQL from scratch, a DBA can ask an AI assistant:

Find top SQL statements consuming CPU in the database.

The AI assistant can then use the relevant Oracle skill to provide more accurate and structured guidance.

Installation Example

# Install Oracle Database skills
npx skills add oracle/skills/db

# Install GraalVM skills
npx skills add oracle/skills/graal

How This Helps Oracle EBS DBAs

For Oracle E-Business Suite DBAs, the same concept can become very useful for structured troubleshooting and operational runbooks.

ADOP troubleshooting
Concurrent Manager checks
Workflow Mailer validation
Invalid object analysis
Tablespace growth monitoring
Database performance diagnostics
Patch readiness validation
Data Guard and DR checks

Important Point:

AI will not replace strong Oracle fundamentals. But DBAs who combine Oracle knowledge, automation, cloud, and AI-assisted workflows will become more productive and valuable.

Future DBA Skillset

Oracle Database fundamentals
Performance tuning and troubleshooting
Backup, recovery, and DR knowledge
Cloud and automation skills
AI-assisted database operations
Reusable SOP and runbook creation

My Final Thoughts

Oracle Skills is not just another GitHub repository. It represents the direction in which Oracle database operations are moving — structured, source-backed, reusable, and AI-assisted.

For Oracle DBAs, Apps DBAs, Cloud DBAs, and developers, this is the right time to explore how AI-assisted skills can improve daily database operations.

Official Reference

Oracle Skills GitHub Repository

Written by Punit Kumar | Oracle DBA | Oracle EBS DBA | Cloud & AI Learning Journey
punitoracledba.blogspot.com

Saturday, May 9, 2026

MariaDB DBA Playbook: Architecture, Performance Tuning & Automation Scripts

MariaDB for DBAs: Architecture, Performance Tuning & Real-World Scripts | DBA Chronicles

📘 DBA Reference Guide · May 2026

MariaDB for DBAs: Architecture, Performance Tuning & Real-World Scripts

A field-tested MariaDB playbook for Oracle, MySQL, and cloud DBAs covering architecture internals, essential commands, performance tuning, security hardening, backup strategy, and automation scripts.

Written by Punit Kumar — Oracle EBS DBA · Cloud DBA · AWS · AI Learner

⏱ 22 min read • MariaDB 10.11 / 11.x • DBA MariaDB Performance Security

🎯

Why This Guide?

This guide is created from a real DBA point of view. It is not only a command list — it is a practical field reference for understanding MariaDB architecture, operating production databases, tuning performance, securing access, and automating daily DBA tasks.

💡 DBA Perspective If you are coming from an Oracle DBA, MySQL DBA, or cloud database background, MariaDB becomes easier when you understand three areas clearly: storage engines, InnoDB behavior, and replication/backup strategy.

⚖️

Oracle DBA View: Oracle vs MariaDB

For Oracle DBAs, MariaDB may look simple at first, but it has its own architecture, memory model, optimizer behavior, replication style, and storage engine flexibility. The table below helps map familiar Oracle concepts to MariaDB concepts.

Area	Oracle	MariaDB	DBA Note
Primary storage	Tablespaces / datafiles	InnoDB tablespaces / .ibd files	MariaDB often uses file-per-table with InnoDB.
Redo	Online redo logs	InnoDB redo log	Critical for crash recovery and write performance.
Undo / MVCC	Undo tablespace	Undo logs in InnoDB	Needed for consistent reads and rollback.
Optimizer	CBO with stats	Cost-based optimizer with table/index stats	`EXPLAIN`, `ANALYZE`, and index design are key.
Flashback style	Flashback Query / FDA	System-versioned tables	Useful for audit/history use cases.
HA / replication	Data Guard / GoldenGate / RAC	Binary log replication / GTID / Galera	Design depends on RPO/RTO and workload.
Backup	RMAN	mariabackup / mysqldump	Always test restore, not only backup success.

⚠️ Real DBA Insight Do not treat MariaDB as “just MySQL commands.” Production stability depends on the right engine, right indexing strategy, tested backup, secure grants, and well-designed replication.

🏛

MariaDB Architecture

MariaDB is a community-driven fork of MySQL offering a fully pluggable storage engine architecture, enhanced replication (Galera, GTID), and features like temporal tables, virtual columns, and JSON functions — all production-ready for OLTP and analytical workloads.

Storage Engine Comparison

InnoDB

Default engine. ACID-compliant, MVCC row-level locking, foreign keys, crash recovery. Best for OLTP.

Aria

Crash-safe replacement for MyISAM. Used internally for temp tables. Good for read-heavy workloads.

MyRocks

RocksDB-based LSM tree. Excellent write amplification reduction. Ideal for high-write workloads.

ColumnStore

Columnar storage for OLAP. Parallel query execution on billions of rows. Great for data warehousing.

MEMORY

All data in RAM. No persistence. Ideal for lookup tables and temporary caches.

Spider

Built-in sharding and horizontal partitioning. Federated access across multiple MariaDB nodes.

⚡

Essential DBA Commands

Connection & Server Info

Connection & StatusSQL

-- Connect from command line
mariadb -u root -p -h 127.0.0.1 -P 3306

-- Server version and status
SELECT VERSION();
SHOW STATUS;
SHOW GLOBAL STATUS;
SHOW GLOBAL VARIABLES;
SHOW VARIABLES LIKE '%innodb%';
SHOW VARIABLES LIKE 'max_connections';

-- Current connections
SHOW FULL PROCESSLIST;
SELECT * FROM information_schema.PROCESSLIST
WHERE COMMAND != 'Sleep'
ORDER BY TIME DESC;

-- Kill a specific connection
KILL 12345;
KILL QUERY 12345;  -- kill only the query, keep connection

Database & Schema Management

DDL OperationsSQL

-- Database operations
CREATE DATABASE myapp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
SHOW DATABASES;
USE myapp;
DROP DATABASE IF EXISTS myapp;

-- Table operations
SHOW TABLES;
SHOW TABLE STATUS;
DESCRIBE employees;
SHOW CREATE TABLE employees\G
SHOW FULL COLUMNS FROM employees;

-- Table size info
SELECT
  table_name,
  ROUND((data_length + index_length) / 1024 / 1024, 2) AS size_mb,
  table_rows,
  engine
FROM information_schema.TABLES
WHERE table_schema = 'myapp'
ORDER BY (data_length + index_length) DESC;

-- Online DDL (MariaDB 10.3+)
ALTER TABLE employees
  ADD COLUMN dept_id INT,
  ADD INDEX idx_dept (dept_id),
  ALGORITHM=INPLACE, LOCK=NONE;

User & Privilege Management

Security & GrantsSQL

-- Create users
CREATE USER 'appuser'@'192.168.1.%' IDENTIFIED BY 'StrongP@ss2024!';
CREATE USER 'readonly'@'%' IDENTIFIED BY 'ReadOnly@123';

-- Grant privileges
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'appuser'@'192.168.1.%';
GRANT SELECT ON myapp.* TO 'readonly'@'%';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%' IDENTIFIED BY 'ReplPass!';
FLUSH PRIVILEGES;

-- Show users and grants
SELECT user, host, password_expired, account_locked
FROM mysql.user ORDER BY user;
SHOW GRANTS FOR 'appuser'@'192.168.1.%';

-- Revoke and drop
REVOKE ALL PRIVILEGES ON myapp.* FROM 'appuser'@'192.168.1.%';
DROP USER 'appuser'@'192.168.1.%';

-- Password policy (MariaDB 10.4+)
SET GLOBAL strict_password_validation = 1;
ALTER USER 'appuser'@'%' PASSWORD EXPIRE INTERVAL 90 DAY;

Replication Commands

Replication ManagementSQL

-- Check replication status (replica side)
SHOW REPLICA STATUS\G        -- MariaDB 10.5+
SHOW SLAVE STATUS\G          -- older syntax

-- Setup replica
CHANGE MASTER TO
  MASTER_HOST = '10.0.0.1',
  MASTER_USER = 'repl',
  MASTER_PASSWORD = 'ReplPass!',
  MASTER_USE_GTID = slave_pos;
START REPLICA;

-- Primary side binlog info
SHOW MASTER STATUS\G
SHOW BINARY LOGS;
SHOW BINLOG EVENTS IN 'mariadb-bin.000010' LIMIT 20;

-- GTID-based operations
SELECT @@gtid_current_pos;
SELECT @@gtid_binlog_pos;

-- Skip one errant transaction
STOP REPLICA;
SET GLOBAL sql_slave_skip_counter = 1;
START REPLICA;

🔥

Performance Tuning

EXPLAIN & Query Analysis

Query AnalysisSQL

-- Basic EXPLAIN
EXPLAIN SELECT * FROM orders WHERE customer_id = 1001;

-- Extended EXPLAIN (shows filtered %)
EXPLAIN EXTENDED SELECT * FROM orders WHERE customer_id = 1001;

-- JSON format (detailed optimizer info)
EXPLAIN FORMAT=JSON
SELECT o.id, c.name, SUM(oi.amount)
FROM orders o
JOIN customers c ON o.customer_id = c.id
JOIN order_items oi ON oi.order_id = o.id
WHERE o.created_at > '2025-01-01'
GROUP BY o.id;

-- Analyze (executes + returns real row counts)
ANALYZE SELECT * FROM orders WHERE status = 'pending';

-- Slow query log check
SHOW VARIABLES LIKE 'slow_query%';
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 1;  -- seconds

-- Performance schema: top slow queries
SELECT
  DIGEST_TEXT,
  COUNT_STAR,
  ROUND(AVG_TIMER_WAIT/1000000000000, 3) AS avg_sec,
  ROUND(SUM_TIMER_WAIT/1000000000000, 3) AS total_sec
FROM performance_schema.events_statements_summary_by_digest
ORDER BY SUM_TIMER_WAIT DESC
LIMIT 10;

Index Management

Index OperationsSQL

-- Show indexes
SHOW INDEX FROM orders;
SELECT * FROM information_schema.STATISTICS
WHERE TABLE_SCHEMA = 'myapp' AND TABLE_NAME = 'orders';

-- Create indexes
CREATE INDEX idx_orders_status_date ON orders (status, created_at);
CREATE UNIQUE INDEX idx_email ON customers (email);
CREATE FULLTEXT INDEX idx_ft_desc ON products (description);

-- Invisible indexes (test impact without dropping)
ALTER TABLE orders ALTER INDEX idx_status INVISIBLE;
ALTER TABLE orders ALTER INDEX idx_status VISIBLE;

-- Find unused indexes (no seeks/scans)
SELECT object_schema, object_name, index_name
FROM performance_schema.table_io_waits_summary_by_index_usage
WHERE index_name IS NOT NULL
  AND count_star = 0
  AND object_schema NOT IN ('mysql', 'information_schema')
ORDER BY object_schema, object_name;

-- Update table statistics
ANALYZE TABLE orders;
OPTIMIZE TABLE orders;        -- reclaims space, rebuilds indexes
mysqlcheck -u root -p --all-databases --analyze

InnoDB Buffer Pool & Memory

InnoDB TuningSQL

-- Buffer pool hit ratio (should be > 99%)
SELECT
  ROUND(
    (1 - (
      (SELECT variable_value FROM information_schema.GLOBAL_STATUS WHERE variable_name = 'Innodb_buffer_pool_reads') /
      (SELECT variable_value FROM information_schema.GLOBAL_STATUS WHERE variable_name = 'Innodb_buffer_pool_read_requests')
    )) * 100, 2
  ) AS buffer_pool_hit_ratio;

-- InnoDB status
SHOW ENGINE INNODB STATUS\G

-- Check buffer pool usage
SELECT
  pool_id,
  pool_size,
  free_buffers,
  database_pages,
  ROUND(database_pages / pool_size * 100, 1) AS pct_used
FROM information_schema.INNODB_BUFFER_POOL_STATS;

-- Memory usage overview
SELECT * FROM sys.memory_global_total;
SELECT event_name, current_alloc, high_alloc
FROM sys.memory_global_by_current_bytes
LIMIT 10;

Key Configuration Parameters

Parameter	Recommended Value	Description
`innodb_buffer_pool_size`	70–80% of RAM	Most critical setting. Caches data and index pages.
`innodb_buffer_pool_instances`	8–16	Reduce contention on multi-core systems.
`innodb_log_file_size`	1–4 GB	Redo log size. Larger = fewer checkpoints, faster writes.
`innodb_flush_log_at_trx_commit`	1 (ACID) / 2 (perf)	1 = full durability. 2 = 1s data loss risk, faster.
`innodb_io_capacity`	200–2000 (SSD: 2000+)	InnoDB background I/O operations per second.
`max_connections`	150–500	Max simultaneous connections. Use connection pooling.
`query_cache_type`	0 (OFF)	Query cache is deprecated; use ProxySQL/application cache.
`tmp_table_size`	64M–256M	In-memory temp table size before disk spill.
`thread_pool_size`	CPU cores	MariaDB thread pool for high-concurrency workloads.
`binlog_format`	ROW	Most reliable for replication. MIXED for storage savings.

my.cnf — Production TemplateCONFIG

# /etc/mysql/mariadb.conf.d/99-custom.cnf
[mysqld]
# ── Engine ──────────────────────────────────────────
default_storage_engine     = InnoDB
innodb_buffer_pool_size    = 12G      # 75% of 16G RAM
innodb_buffer_pool_instances = 8
innodb_log_file_size       = 2G
innodb_flush_log_at_trx_commit = 1
innodb_flush_method        = O_DIRECT
innodb_io_capacity         = 2000     # NVMe SSD
innodb_io_capacity_max     = 4000
innodb_read_io_threads     = 8
innodb_write_io_threads    = 8

# ── Connections ────────────────────────────────────
max_connections            = 300
thread_pool_size           = 16
thread_cache_size          = 64
wait_timeout               = 300
interactive_timeout        = 300

# ── Memory ─────────────────────────────────────────
tmp_table_size             = 128M
max_heap_table_size        = 128M
sort_buffer_size           = 4M
join_buffer_size           = 4M
read_buffer_size           = 2M
read_rnd_buffer_size       = 4M

# ── Logging ────────────────────────────────────────
slow_query_log             = 1
slow_query_log_file        = /var/log/mysql/slow.log
long_query_time            = 1
log_queries_not_using_indexes = 1
general_log                = 0       # enable only for debugging

# ── Replication ────────────────────────────────────
server_id                  = 1
log_bin                    = /var/log/mysql/mariadb-bin
binlog_format              = ROW
expire_logs_days           = 7
gtid_strict_mode           = 1
sync_binlog                = 1

# ── Character Set ──────────────────────────────────
character_set_server       = utf8mb4
collation_server           = utf8mb4_unicode_ci

💾

Backup & Recovery

mariabackup (Physical Backup)

mariabackup — Full & IncrementalBASH

# Full backup
mariabackup --backup \
  --user=root \
  --password='yourpassword' \
  --target-dir=/backup/full/$(date +%Y%m%d)

# Prepare (apply redo logs)
mariabackup --prepare \
  --target-dir=/backup/full/20260509

# Incremental backup (after full)
mariabackup --backup \
  --user=root --password='yourpassword' \
  --target-dir=/backup/incr/$(date +%Y%m%d_%H) \
  --incremental-basedir=/backup/full/20260509

# Prepare incremental
mariabackup --prepare \
  --target-dir=/backup/full/20260509 \
  --incremental-dir=/backup/incr/20260509_02

# Restore
systemctl stop mariadb
rm -rf /var/lib/mysql/*
mariabackup --copy-back --target-dir=/backup/full/20260509
chown -R mysql:mysql /var/lib/mysql
systemctl start mariadb

mysqldump (Logical Backup)

Logical BackupBASH

# Full dump with GTID info
mysqldump -u root -p \
  --all-databases \
  --single-transaction \
  --flush-logs \
  --master-data=2 \
  --routines \
  --triggers \
  --events \
  --hex-blob \
  | gzip > /backup/full_$(date +%Y%m%d).sql.gz

# Single database
mysqldump -u root -p --single-transaction myapp \
  | gzip > /backup/myapp_$(date +%Y%m%d).sql.gz

# Restore
zcat /backup/myapp_20260509.sql.gz | mysql -u root -p myapp

# Dump only structure
mysqldump -u root -p --no-data myapp > myapp_schema.sql

# Dump only data (no create statements)
mysqldump -u root -p --no-create-info myapp > myapp_data.sql

💡 DBA Tip Always use --single-transaction with InnoDB for a consistent snapshot without locking. Never use --lock-all-tables in production — it blocks all writes.

⚠️ Critical — Test Your Restores A backup you've never restored is not a backup. Schedule monthly restore drills to a separate environment and verify row counts and application functionality.

🔐

Security Hardening

Security Audit Queries

Security ChecksSQL

-- Users with no password
SELECT user, host FROM mysql.user
WHERE (authentication_string = '' OR authentication_string IS NULL)
  AND plugin NOT IN ('unix_socket', 'gssapi');

-- Users with global privileges (risky)
SELECT user, host, Super_priv, Grant_priv, File_priv, Process_priv
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y';

-- Anonymous users
SELECT user, host FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;

-- Wildcard host access
SELECT user, host FROM mysql.user WHERE host = '%';

-- Audit plugin status
SHOW PLUGINS;
SELECT * FROM information_schema.PLUGINS
WHERE PLUGIN_NAME LIKE '%audit%';

-- Enable MariaDB Audit Plugin
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_logging = 'ON';
SET GLOBAL server_audit_events = 'QUERY,CONNECT';
SET GLOBAL server_audit_file_path = '/var/log/mysql/audit.log';

SSL Configuration

SSL/TLS SetupBASH

# Generate self-signed CA (production: use real CA)
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

# Server certificate
openssl req -newkey rsa:2048 -days 3650 \
  -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 3650 \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial > server-cert.pem

# Add to my.cnf [mysqld]
# ssl-ca   = /etc/mysql/ssl/ca-cert.pem
# ssl-cert = /etc/mysql/ssl/server-cert.pem
# ssl-key  = /etc/mysql/ssl/server-key.pem
# require_secure_transport = ON

🛠

DBA Automation Scripts

Health Check Script

mariadb_health_check.shBASH

#!/bin/bash
# MariaDB Health Check Script
# Usage: ./mariadb_health_check.sh

DB_USER="root"
DB_PASS="yourpassword"
DB_HOST="127.0.0.1"
LOG_FILE="/var/log/mariadb_health_$(date +%Y%m%d).log"
ALERT_EMAIL="dba@yourcompany.com"

MYSQL="mysql -u${DB_USER} -p${DB_PASS} -h${DB_HOST} -e"
ISSUES=0

log() { echo "[$(date '+%F %T')] $1" | tee -a $LOG_FILE; }

log "=== MariaDB Health Check Start ==="

# 1. Uptime
UPTIME=$($MYSQL "SHOW GLOBAL STATUS LIKE 'Uptime';" | awk 'NR==2{print $2}')
log "Uptime: ${UPTIME}s ($(( UPTIME / 86400 )) days)"

# 2. Connections (warn if > 80%)
MAX_CONN=$($MYSQL "SHOW VARIABLES LIKE 'max_connections';" | awk 'NR==2{print $2}')
CURR_CONN=$($MYSQL "SHOW GLOBAL STATUS LIKE 'Threads_connected';" | awk 'NR==2{print $2}')
PCT=$(( CURR_CONN * 100 / MAX_CONN ))
if [ $PCT -gt 80 ]; then
  log "WARN: Connections at ${PCT}% (${CURR_CONN}/${MAX_CONN})"
  ISSUES=$(( ISSUES + 1 ))
else
  log "OK: Connections ${CURR_CONN}/${MAX_CONN} (${PCT}%)"
fi

# 3. Buffer pool hit ratio
READS=$($MYSQL "SHOW GLOBAL STATUS LIKE 'Innodb_buffer_pool_reads';" | awk 'NR==2{print $2}')
REQS=$($MYSQL "SHOW GLOBAL STATUS LIKE 'Innodb_buffer_pool_read_requests';" | awk 'NR==2{print $2}')
HIT_RATIO=$(echo "scale=2; (1 - $READS / $REQS) * 100" | bc)
log "Buffer pool hit ratio: ${HIT_RATIO}%"

# 4. Replication lag
LAG=$($MYSQL "SHOW REPLICA STATUS\G" 2>/dev/null | grep "Seconds_Behind_Master:" | awk '{print $2}')
if [[ "$LAG" != "NULL" ]] && [[ $LAG -gt 30 ]]; then
  log "WARN: Replication lag = ${LAG}s"
  ISSUES=$(( ISSUES + 1 ))
else
  log "OK: Replication lag = ${LAG:-N/A}s"
fi

# 5. Long running queries (> 60s)
LONG_QUERIES=$($MYSQL "SELECT COUNT(*) FROM information_schema.PROCESSLIST WHERE TIME > 60 AND COMMAND != 'Sleep';" | awk 'NR==2{print $1}')
if [ $LONG_QUERIES -gt 0 ]; then
  log "WARN: ${LONG_QUERIES} long-running queries detected"
  ISSUES=$(( ISSUES + 1 ))
fi

# 6. Summary
if [ $ISSUES -gt 0 ]; then
  log "ALERT: ${ISSUES} issue(s) found. Sending email..."
  mail -s "MariaDB Health Alert - $(hostname)" $ALERT_EMAIL < $LOG_FILE
else
  log "All checks passed."
fi
log "=== Health Check End ==="

Automated Backup Script

mariadb_backup.shBASH

#!/bin/bash
# MariaDB Full + Incremental Backup with Retention

BACKUP_ROOT="/backup/mariadb"
FULL_DIR="${BACKUP_ROOT}/full"
INCR_DIR="${BACKUP_ROOT}/incr"
LOG="/var/log/mariadb_backup.log"
RETENTION_DAYS=7
DB_USER="root"
DB_PASS="yourpassword"
TODAY=$(date +%Y%m%d)
DOW=$(date +%u)  # 1=Mon, 7=Sun

mkdir -p $FULL_DIR $INCR_DIR

log() { echo "[$(date '+%F %T')] $*" | tee -a $LOG; }

if [ "$DOW" -eq 7 ]; then
  # Sunday: Full backup
  log "Starting FULL backup..."
  mariabackup --backup \
    --user=$DB_USER --password="${DB_PASS}" \
    --target-dir=${FULL_DIR}/$TODAY 2>>$LOG
  mariabackup --prepare --target-dir=${FULL_DIR}/$TODAY 2>>$LOG
  # Store the latest full dir path
  echo ${FULL_DIR}/$TODAY > /tmp/last_full_backup.txt
  log "Full backup complete."
else
  # Other days: incremental
  LAST_FULL=$(cat /tmp/last_full_backup.txt)
  log "Starting INCREMENTAL backup based on ${LAST_FULL}..."
  mariabackup --backup \
    --user=$DB_USER --password="${DB_PASS}" \
    --target-dir=${INCR_DIR}/$TODAY \
    --incremental-basedir=$LAST_FULL 2>>$LOG
  log "Incremental backup complete."
fi

# Cleanup old backups
log "Cleaning up backups older than ${RETENTION_DAYS} days..."
find $FULL_DIR -maxdepth 1 -type d -mtime +$RETENTION_DAYS -exec rm -rf {} \;
find $INCR_DIR -maxdepth 1 -type d -mtime +$RETENTION_DAYS -exec rm -rf {} \;

log "Backup job finished. Size: $(du -sh ${BACKUP_ROOT} | cut -f1)"

Top Tables & Bloat Finder

Table Bloat & StatisticsSQL

-- Top 20 largest tables across all databases
SELECT
  table_schema AS 'Database',
  table_name   AS 'Table',
  engine,
  FORMAT(table_rows, 0)                                   AS rows,
  ROUND(data_length  / 1024 / 1024, 2)                    AS data_mb,
  ROUND(index_length / 1024 / 1024, 2)                    AS index_mb,
  ROUND((data_length + index_length) / 1024 / 1024, 2)    AS total_mb,
  ROUND(data_free   / 1024 / 1024, 2)                    AS free_mb,
  ROUND(data_free / (data_length + 1) * 100, 1)           AS bloat_pct
FROM information_schema.TABLES
WHERE table_schema NOT IN ('information_schema', 'mysql',
                            'performance_schema', 'sys')
  AND table_type = 'BASE TABLE'
ORDER BY (data_length + index_length) DESC
LIMIT 20;

-- Tables needing OPTIMIZE (>20% bloat)
SELECT
  CONCAT(table_schema, '.', table_name) AS full_name,
  ROUND(data_free / 1024 / 1024, 1) AS wasted_mb
FROM information_schema.TABLES
WHERE data_free / (data_length + 1) > 0.2
  AND data_free > 100 * 1024 * 1024
  AND engine = 'InnoDB'
ORDER BY data_free DESC;

Galera Cluster Status

Galera / Cluster MonitoringSQL

-- Cluster membership and sync state
SHOW STATUS LIKE 'wsrep_%';

-- Quick health summary
SELECT
  variable_name,
  variable_value
FROM information_schema.GLOBAL_STATUS
WHERE variable_name IN (
  'wsrep_cluster_size',
  'wsrep_cluster_status',
  'wsrep_connected',
  'wsrep_local_state_comment',
  'wsrep_ready',
  'wsrep_flow_control_paused'
);

-- Flow control check (pause > 0.1 = bottleneck)
SHOW STATUS LIKE 'wsrep_flow_control_paused';

⚡ Performance Reminder wsrep_flow_control_paused consistently above 0.1 indicates a lagging node is slowing the entire cluster. Check for long-running transactions, high write volume, or undersized nodes.

Useful Monitoring Queries (Daily DBA)

Daily Monitoring DashboardSQL

-- Active transactions with lock waits
SELECT
  r.trx_id waiting_id,
  r.trx_mysql_thread_id waiting_thread,
  r.trx_query waiting_query,
  b.trx_id blocking_id,
  b.trx_mysql_thread_id blocking_thread,
  b.trx_query blocking_query
FROM information_schema.INNODB_LOCK_WAITS w
JOIN information_schema.INNODB_TRX b ON b.trx_id = w.blocking_trx_id
JOIN information_schema.INNODB_TRX r ON r.trx_id = w.requesting_trx_id;

-- Open transactions (running > 60s)
SELECT
  trx_id, trx_started,
  TIMESTAMPDIFF(SECOND, trx_started, NOW()) AS age_sec,
  trx_query, trx_rows_modified
FROM information_schema.INNODB_TRX
WHERE TIMESTAMPDIFF(SECOND, trx_started, NOW()) > 60
ORDER BY trx_started;

-- Deadlock info
SHOW ENGINE INNODB STATUS\G

-- Per-database size summary
SELECT
  table_schema,
  COUNT(*) AS tables,
  ROUND(SUM(data_length + index_length) / 1024 / 1024 / 1024, 3) AS total_gb
FROM information_schema.TABLES
WHERE table_schema NOT IN ('information_schema', 'mysql',
                            'performance_schema', 'sys')
GROUP BY table_schema
ORDER BY total_gb DESC;

-- sys schema: top wait events
SELECT * FROM sys.waits_global_by_latency LIMIT 10;

-- sys schema: queries causing full table scans
SELECT query, exec_count, total_latency, no_index_used_count
FROM sys.statements_with_full_table_scans
ORDER BY total_latency DESC
LIMIT 10;

⏱

MariaDB-Specific Features

System Versioned (Temporal) Tables

Temporal TablesSQL

-- Create a versioned table (audit history built-in)
CREATE TABLE employee_salary (
  id       INT PRIMARY KEY,
  emp_id   INT,
  salary   DECIMAL(10,2),
  dept     VARCHAR(50)
) WITH SYSTEM VERSIONING;

-- Query historical data (as of a point in time)
SELECT * FROM employee_salary
FOR SYSTEM_TIME AS OF '2025-01-01 00:00:00'
WHERE emp_id = 42;

-- Query a time range
SELECT * FROM employee_salary
FOR SYSTEM_TIME BETWEEN '2024-01-01' AND '2025-01-01'
WHERE emp_id = 42;

-- Full history
SELECT * FROM employee_salary FOR SYSTEM_TIME ALL
WHERE emp_id = 42
ORDER BY row_start;

-- Dynamic columns (JSON-like, MariaDB native)
CREATE TABLE inventory (
  id   INT PRIMARY KEY,
  name VARCHAR(100),
  attrs BLOB
);
INSERT INTO inventory VALUES (1, 'Widget',
  COLUMN_CREATE('color', 'blue', 'weight_kg', 1.5));
SELECT COLUMN_GET(attrs, 'color' AS CHAR) FROM inventory;

💡 Oracle DBA Note System versioned tables are MariaDB's equivalent of Oracle Flashback Data Archive (FDA/Total Recall). Unlike Oracle, no extra licensing is required — it's built into every MariaDB installation.

🏁

Final Thoughts

MariaDB is not only a MySQL alternative. It is a serious database platform for OLTP, analytics, cloud workloads, and enterprise applications when it is configured and operated correctly.

As a DBA, always focus on four pillars:

Performance

Use the right indexes, review execution plans, size InnoDB memory correctly, and monitor slow queries.

Stability

Control connections, manage logs, tune I/O, and avoid risky production changes without testing.

Security

Use least privilege, remove anonymous users, avoid wildcard access, enforce SSL/TLS, and enable auditing.

Automation

Automate health checks, backups, replication checks, and daily monitoring to reduce manual errors.

💬 Connect With Me If you found this guide useful, connect with me and follow my DBA learning journey for more Oracle, MariaDB, AWS, AI, and real-world database engineering content.