Oracle® Database Advanced Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10772-01
13 Administering Enterprise User Security

This chapter describes how to use Enterprise Security Manager to administer Enterprise User Security in Oracle Databases. This chapter contains the following topics:

Enterprise User Security Administration Tools Overview

Enterprise Security Manager and Enterprise Security Manager Console are the two main tools provided for administering Enterprise User Security.

Use Enterprise Security Manager to create and manage

Use Enterprise Security Manager Console to create, manage, and configure

These tools are introduced in Chapter 2, "Configuration and Administration Tools Overview", where you can find information about starting each tool and navigating its interface.

In particular, refer to the following topics to get started using Enterprise User Security administration tools:

Tool / Introductory Topics

Enterprise Security Manager

Enterprise Security Manager Console

Administering Identity Management Realms

An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. A realm Oracle Context is a subtree in a directory identity management realm that contains the data used by any installed Oracle product that uses the directory. Enterprise Security Manager is one such product. It lets you manage database and security-related information in an identity management realm.

This section describes how to use Enterprise Security Manager to administer directory identity management realm properties that pertain to Enterprise User Security. It contains the following topics:

Identity Management Realm Versions

Enterprise User Security can only use an identity management realm supplied by Oracle Internet Directory 10g (9.0.4) or later, which ships with Oracle Application Server 10g (9.0.4). You can manage Enterprise User Security directory entries in a version 9.0.4 identity management realm by using Enterprise Security Manager for Oracle Database 10g.

Enterprise Security Manager displays all existing version 9.0.4 identity management realms in its main application tree.


Note:

Enterprise User Security did not require identity management realms in Oracle8i, nor in Oracle9i. In those previous releases, only an Oracle Context was used. For Oracle Database 10g Enterprise User Security, full identity management realms and their associated realm Oracle Contexts must be used.


Setting Properties of an Identity Management Realm

An identity management realm has a number of properties that can be viewed and managed by using Enterprise Security Manager. These properties are described in Table 13-1.

Table 13-1 Identity Management Realm Properties

Property / Description

Attribute for Login Name

Name of the directory attribute used to store login names. By default, login names are stored in the uid attribute, but can be changed to correspond to your directory configuration. In prior releases, this was the cn attribute.

Attribute for Kerberos Principal Name

Name of the directory attribute used to store Kerberos principal names. By default, Kerberos principal names are stored in the krbPrincipalName directory attribute, but can be changed to correspond to your directory configuration by changing orclCommonKrbPrincipalAttribute in the identity management realm.

User Search Base

Full distinguished name (DN) for the node at which enterprise users are stored in the directory.

Group Search Base

Full DN for the node at which user groups are stored for this identity management realm in the directory.

Version Compatibility

This property is no longer used. However, you should ensure that it is not set to 81000, since release 8.1.7 and earlier databases cannot be in the same realm with 10g Release 1 (10.1) databases.

Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes

Setting these identity management realm attributes enables the database to locate Enterprise User Security entries.

To set Login Name, Kerberos Principal Name, User Search Base, and Group Search Base identity management realm attributes:
  1. Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On username and password.)
  2. Choose the Realm Configuration tab.
  3. In the Realm Information window, enter the appropriate information into the available fields.
  4. Click Submit to save your changes to the directory.

Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm

Setting the default database-to-directory authentication type enters a value for the LDAP_DIRECTORY_ACCESS initialization parameter. This parameter is set on individual databases when they are registered in Oracle Internet Directory.

To set the default database-to-directory authentication type for an identity management realm:
  1. Select the identity management realm in the left navigator pane.
  2. Choose the General tab in the right main window.
  3. In the Realm Attribute Settings region of the General tabbed window, choose either PASSWORD or SSL from the Database to Directory list.
  4. Click Apply to save your changes to the directory.

Managing Identity Management Realm Administrators

An identity management realm contains administrative groups that have varying levels of privileges. The administrative groups for an identity management realm, which pertain to Enterprise User Security, are defined in Table 13-2. For more information about these groups, see "Administrative Groups".

Table 13-2 Enterprise User Security Identity Management Realm Administrators

Administrative Group / Definition

Oracle Database Registration Administrators

(OracleDBCreators)

Registers new databases in the realm.

Oracle Database Security Administrators

(OracleDBSecurityAdmins)

Has all privileges on the OracleDBSecurity directory subtree. Creates, modifies, and can read all Enterprise User Security directory objects.

Oracle Context Administrators

(OracleContextAdmins)

Has full access to all groups and entries within its associated realm.

User Security Administrators

(OracleUserSecurityAdmins)

Has relevant permissions necessary to administer security aspects for enterprise users in the directory. For example, OracleUserSecurityAdmins can modify user passwords.

To manage identity management realm administrators:
  1. Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On username and password.)
  2. Choose the Users and Groups tab.
  3. In the Users and Groups tabbed window, choose the Group subtab.
  4. In the Group subtab window, select the administrative group you wish to edit, and click Edit.
  5. In the Edit Group window, enter group information into the appropriate fields. You can change group owners, add users to or remove them from groups, and view group membership.
  6. Click Submit to save your changes to the directory.

Administering Enterprise Users

Enterprise Security Manager manages one directory server at a time, identified at the top of the main application tree. It lets you manage enterprise users and data that is relevant to Enterprise User Security in the identity management realm.

This section describes how to use Enterprise Security Manager to administer enterprise users. It contains the following topics:

Creating New Enterprise Users

Use Enterprise Security Manager to create users in the directory.


Note:

Before creating new enterprise users, you must define the user search base in the directory. See "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes".


To create new enterprise users:
  1. Select Launch Enterprise Security Manager Console from the Operations menu. The Enterprise Security Manager Console home page appears (Figure 13-1). Log in with your OracleAS Single Sign-On username and password.

Figure 13-1 Enterprise Security Manager Console Home Page

  2. Choose the Users and Groups tab.
  3. In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed.
  4. In the User subtab window, click Create (located on the upper right corner of the Search Results table). Note that if your users are authenticated to the database by using Kerberos credentials, and the krbPrincipalName attribute is not there, then see "Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users" for information about how to configure this.
  5. Enter the appropriate user information in the Create User window and click Submit to create a new enterprise user.

Setting Enterprise User Passwords

You can set and maintain enterprise user passwords in the Basic Information region of the Enterprise Security Manager Console Edit User window (Figure 13-2).

Figure 13-2 Enterprise Security Manager Console Edit User Window: Basic Information

The enterprise user password is used for:

  • Directory logon
  • Database logon, to databases that support password authentication for global users
To set the password for an enterprise user:
  1. Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in using your OracleAS Single Sign-On username and password.)
  2. Choose the Users and Groups tab.
  3. In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed.
  4. In the User subtab window, enter part of the enterprise user's username (login name) or e-mail address, and click Go.

    A list of all users that match your search criteria displays.

  5. Select the user for whom you wish to create a new password, and click Edit.
  6. In the Edit User window, enter the new password, and click Submit.

Defining an Initial Enterprise Role Assignment

When you create a new enterprise user, you can grant any previously configured enterprise roles to the new user.

See Also:

"Administering Enterprise Roles"

To assign existing enterprise roles to a new enterprise user:
  1. In the left navigator pane, choose the Users icon under the Users, By Search Base folder, which displays under the identity management realm you are using. The list of users displays in the right main window.
  2. Select a user in the main window, and click Edit.... An Edit User window displays.
  3. Choose the Enterprise Roles tab of the Edit User window, and click Add....

    The Add Enterprise Roles window appears (Figure 13-3):

Figure 13-3 Enterprise Security Manager: Add Enterprise Roles Window

  4. Select the correct identity management realm, then select any enterprise roles in your realm to assign to the new user, and choose OK.

Browsing Users in the Directory

Enterprise Security Manager lets you browse the directory for all users currently stored there in two ways--by using Enterprise Security Manager Console, or by using the All Users tab in the main application window.

To browse enterprise users in the directory by using Enterprise Security Manager Console:
  1. Navigate to the Enterprise Security Manager Console home page. (Choose Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On username and password.)
  2. Choose the Users and Groups tab.
  3. In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed.
  4. In the User subtab window, enter part of the enterprise user's username (login name) or e-mail address, and click Go. To display all users, do not enter search criteria.

    A list of all users that match your search criteria displays. You can browse through the displayed users and select one to Edit, Delete, or Assign Privileges. If you need to create a new user, click Create.

To browse enterprise users in the directory by using the All Users tab in the main application window:
  1. Select the directory in the left navigator pane.
  2. Choose the All Users tab in the right main window (Figure 13-4):

Figure 13-4 Enterprise Security Manager: Main Window (All Users Tab)

  3. Define the search criteria and click Search Now. The window displays the results of the search. Table 13-3 summarizes the search criteria and their respective effects on the search results.

    Table 13-3 Directory Search Criteria

    Search Criteria / Effect on the Search

    Base

    This is the base entry point in the directory where the search is performed. Only users under this base are returned by the search.

    Include Subtrees

    This determines whether to show all users found in the entire subtree under the selected base, or to show only those users that exist directly under that base location (one level only).

    Show names containing

    This limits the search to those users whose directory entries have a common name that starts with the characters you specify. This is useful if you do not know the exact name or base of the target users.

Note that you can also browse enterprise users in the directory by selecting realm_name > User, by Search Base > Users in the left navigation pane of the main application window.

Administering Enterprise Domains


An identity management realm contains an enterprise domain called OracleDefaultDomain. The OracleDefaultDomain is part of the realm when it is first created in the directory. When a new database is registered into a realm, it automatically becomes a member of the OracleDefaultDomain in that realm. You can create and remove your own enterprise domains, but you must not remove the OracleDefaultDomain from a realm.

This section describes how to use Enterprise Security Manager to administer enterprise domains in the directory. It contains the following topics:

Creating a New Enterprise Domain

If you do not want to use the OracleDefaultDomain, then you can create a new enterprise domain in your identity management realm.

To create a new enterprise domain in an identity management realm:
  1. Start by using one of the following methods:

    The Create Enterprise Domain window appears (Figure 13-5):

Figure 13-5 Enterprise Security Manager: Create Enterprise Domain Window

  2. In the Create Enterprise Domain window, select the appropriate Realm from the list (Figure 13-5).


    Note:

    If you invoked the Create Enterprise Domain window by right-clicking the realm in the main application tree, the name of that realm is already selected.


  3. Enter the name of the new enterprise domain, in the Domain Name field.
  4. Choose OK. The new enterprise domain is created in the realm, and appears on the main application tree.
To remove an enterprise domain:
  1. Select the target enterprise domain from the main application tree.
  2. Use either of the following methods:
    • Select Remove Enterprise Domain from the Operations menu.
    • Select an enterprise domain from the main application tree with a right mouse-click.
  3. Enterprise Security Manager asks you to confirm removal of the enterprise domain from the realm. Choose OK to remove it.


    Note:

    You cannot remove an enterprise domain from an identity management realm if that enterprise domain contains any enterprise roles.


Defining Database Membership of an Enterprise Domain

Use the navigation tree of the main Enterprise Security Manager window to select a specific enterprise domain. You can then use the Databases tab to manage database membership of an enterprise domain in a realm (Figure 13-6):

Figure 13-6 Enterprise Security Manager: Databases Tab (Database Membership)

To remove a database from an enterprise domain:
  1. Select a specific database for removal, and choose Remove.... The database is removed from the list.
  2. Choose Apply. The database is removed from the enterprise domain.
To add a database to an enterprise domain:

Note:

The following restrictions apply to adding databases to an enterprise domain:

  • A database must be in an enterprise domain for enterprise users to be able to connect to it.
  • You can only add a database to an enterprise domain if both the database and the enterprise domain exist in the same realm.
  • A database cannot be added as a member of two different enterprise domains.

  1. Choose Add.... The Add Databases window appears. This window lists all the databases associated with the realm (Figure 13-7):

Figure 13-7 Enterprise Security Manager: Add Databases Window

  2. Select a new database to be added to the enterprise domain.
  3. Choose OK. The selected database is added to the list of databases in the Databases tabbed window (Figure 13-6).
  4. Choose Apply (Figure 13-6). The new database is added to the enterprise domain.

Managing Database Security Options for an Enterprise Domain

Use the Databases tabbed window (Figure 13-6) to manage database security options applicable to all databases that are members of the enterprise domain.

Database security options are summarized by Table 13-4:

Table 13-4 Enterprise Security Manager Database Security Options

Database Security Option / Description

Enable current user database links

Any database pair can only permit use of Current User Database Links if both databases exist in the same enterprise domain where this setting is enabled. By default, current user database links are not enabled.

User authentication

All databases in an enterprise domain allow one, or more, of the following types of authentication for its clients:

  • All (the default setting)

    Databases can accept all currently available authentication methods for Enterprise User Security. In 10g Release 1 (10.1), this includes passwords, SSL by using PKI credentials, or Kerberos credentials.

  • Password
  • SSL (PKI certificates)
  • Kerberos

Managing Enterprise Domain Administrators

An Enterprise Domain Administrator is a directory user with privileges to modify the content of that domain. You can use the Administrators tabbed window to manage Enterprise Domain Administrators when an enterprise domain is selected under a realm in the main application tree.

To add a new user to the list of Enterprise Domain Administrators:
  1. In the left navigator pane, select the enterprise domain to which you wish to add administrators.
  2. In the right pane, select the Administrators tab.
  3. Choose Add.... The Add Users window appears. Use this window to locate and select users for designation as Enterprise Domain Administrators. The new users appear in the Administrators tabbed window.
  4. Choose Apply. The new Administrators are added to the enterprise domain.
To remove a user from the list of Enterprise Domain Administrators:
  1. In the left navigator pane, select the enterprise domain from which you wish to remove administrators.
  2. In the right pane, select the Administrators tab.
  3. Select a user from the list of Administrators.
  4. Choose Remove. The selected user is removed from the list.
  5. Choose Apply. The user is removed as an Enterprise Domain Administrator for that domain in the realm.

Managing Enterprise Domain Database Schema Mappings

Database schema mappings (also referred to as user schema mappings) let databases that are registered in the directory accept connections from users without requiring any dedicated database schemas for them. For example, when local user Scott connects to a database, a database schema called Scott must exist for that logon to be successful. This can be difficult to maintain if there are thousands of users and perhaps hundreds of databases in a very large enterprise.

Users that are defined in an LDAP-compliant directory do not require dedicated schemas on every Oracle9i or later database to which they might connect.

A database can use a schema mapping to share one database schema between multiple directory users. The schema mapping is a pair of values: the base in the directory at which users exist, and the name of the database schema they will use.

You can use the Database Schema Mappings tabbed window to manage database schema mappings when a database is selected under a realm in the main application tree or when a domain is selected. If a domain is selected, these mappings apply to all databases that are members of the enterprise domain. Therefore, each database in the enterprise domain must have a schema of the same name used in the mapping for that mapping to be effective on that database. This window contains a list of database schema names, directory DNs, and mapping types (Figure 13-8):

Figure 13-8 Enterprise Security Manager: Database Schema Mappings Tab

To add a new mapping to the list of database schema mappings in the enterprise domain:
  1. In the Database Schema Mapping tabbed window, choose Add....

    The Add Database Schema Mappings window appears (Figure 13-9). Use this window to locate and select a base in the directory and pair it with a database schema name, to make a database schema mapping. There are three components to the window: there is a directory search tree from which to select the user's DN or the base of users, the option to choose either subtree-level or entry-level mapping, and a field in which to enter a schema name.

Figure 13-9 Enterprise Security Manager: Add Database Schema Mappings Window

  2. Navigate the directory to select a desired entry as a base for the database schema mapping. This can be any directory entry but should be either the actual user (entry-level) or located above the subtree of users to be mapped (subtree-level). You can also edit the contents of the Directory Entry field in this window to manually define the base.
  3. Choose the mapping type: Subtree Level or Entry Level. Note that subtree-level mapping is usually the most useful.
  4. Enter the name of the database schema for which this Mapping will be made into the Schema field, and choose OK. This must be a valid name, for a schema that already exists on that database. The new database schema mapping appears in the database schema mappings window (Figure 13-8).
  5. Choose Apply. The new database schema mapping is added to the selected database or domain in the realm.
To remove a mapping from the list of database schema mappings in an enterprise domain:
  1. Select a mapping by selecting from the Database Schema Mapping tabbed window.
  2. Choose Remove. The selected Mapping is removed from the list.
  3. Choose Apply. The mapping is removed from the enterprise domain.
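To make the two mapping types concrete, the following is an added Python example written for this page; it is not Oracle code and does not come from Enterprise Security Manager. It models how a user's DN is matched against entry-level and subtree-level schema mappings of the kind managed above. The DN handling is simplified, the sample DNs and schema names are constructed, and the precedence rules (an entry-level mapping over a subtree-level one, a deeper subtree base over a shallower one) are assumptions made for the example rather than something this guide states.

```python
"""Model of database schema mapping resolution (added illustration; not Oracle's
implementation). Entry-level mappings name one directory user; subtree-level
mappings cover every user below a base in the directory."""
from dataclasses import dataclass
from typing import Optional, Sequence


def normalize_dn(dn: str) -> tuple:
    """Split a DN into lower-cased RDN components, leaf first.

    Simplification for the example: escaped commas inside values are not
    handled, and only case and surrounding whitespace are normalized.
    """
    return tuple(part.strip().lower() for part in dn.split(",") if part.strip())


@dataclass(frozen=True)
class SchemaMapping:
    base_dn: str   # directory entry (Entry Level) or base of users (Subtree Level)
    schema: str    # name of the database schema the mapped users share
    subtree: bool  # True for Subtree Level, False for Entry Level


def mapping_matches(mapping: SchemaMapping, user_dn: str) -> bool:
    """Entry-level mappings match exactly one DN; subtree-level mappings match
    every entry strictly below the base (the base entry itself is not a user)."""
    user = normalize_dn(user_dn)
    base = normalize_dn(mapping.base_dn)
    if not mapping.subtree:
        return user == base
    return len(user) > len(base) and user[-len(base):] == base


def resolve_schema(user_dn: str, mappings: Sequence[SchemaMapping]) -> Optional[str]:
    """Return the shared schema for user_dn, or None if no mapping applies.

    Precedence is an assumption made for this example: an entry-level mapping
    wins over any subtree-level one, and among subtree-level mappings the
    deepest (most specific) base wins.
    """
    candidates = [m for m in mappings if mapping_matches(m, user_dn)]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda m: (not m.subtree, len(normalize_dn(m.base_dn))))
    return best.schema


# Constructed sample mappings for a fictitious realm (not taken from the guide).
SAMPLE_MAPPINGS = [
    SchemaMapping("cn=Users,dc=example,dc=com", "GUEST_APP", subtree=True),
    SchemaMapping("cn=Finance,cn=Users,dc=example,dc=com", "FIN_APP", subtree=True),
    SchemaMapping("cn=alice,cn=Finance,cn=Users,dc=example,dc=com", "ALICE_PRIV",
                  subtree=False),
]


if __name__ == "__main__":
    for dn in ("cn=bob,cn=Users,dc=example,dc=com",
               "cn=carol,cn=Finance,cn=Users,dc=example,dc=com",
               "CN=Alice, CN=Finance, CN=Users, DC=example, DC=com",
               "cn=dave,dc=other,dc=org"):
        print(f"{dn:55} -> {resolve_schema(dn, SAMPLE_MAPPINGS)}")
```

Running the block prints the schema chosen for each constructed DN. A result of None means that no shared schema mapping covers that user; the check is deliberately strict about the base entry itself so that a mapping on cn=Users does not accidentally apply to the container entry.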

There are three requirements for a database to accept a connection from a password-authenticated user:

  • The database must be a member of a domain configured to accept Password authentication (See: Table 13-4).
  • The domain must be a member of a password-accessible domains group, called the Password-Accessible Domains List, added by a member of either the OracleContextAdmins or the OracleDBSecurityAdmins directory administrator groups. Domain members (databases) of this list can read the user's password verifier in the directory, while those excluded from this list cannot.
  • The user entry must be in a directory subtree of users that has been enabled for Oracle database access.
To configure password accessibility:
  1. Select the enterprise domain in the left navigator pane.
  2. Choose the Databases tabbed window and select Password or All Types from the User Authentication methods listed. (See Figure 13-6)
  3. Click Apply.
To add a domain to the Password-Accessible Domains List:
  1. Select the identity management realm in the left navigator pane.
  2. Choose the Accessible Domains tabbed window and click Add. The Add Accessible Enterprise Domains dialog box appears. See Figure 13-10.

Figure 13-10 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box

  3. Select the OracleDefaultDomain from the list of enterprise domains, and click OK. The OracleDefaultDomain is added to the password-accessible domains list.


    Note:
    • By default, the cn=Users subtree in an identity management realm has ACLs (access control lists) to enable appropriate database access to user password attributes. If you do not use this subtree to store users, then see Oracle Internet Directory Administrator's Guide for information about setting up proper ACLs for another user search base.
    • The OracleDefaultDomain is a member of the password-accessible domains list by default, but it can be removed.

To remove an enterprise domain from the password-accessible domains list:
  1. Select the identity management realm in the left navigator pane.
  2. Choose the Accessible Domains tabbed window and select the enterprise domain that you want to remove from the list.
  3. Click Remove.

Managing Database Administrators

A Database Administrator is a directory user that has privileges to modify the database and its subtree in the realm. Database Administrators may be managed by using the Administrators tabbed window when a database is selected under a realm in the main application tree.

To remove a user from the list of Database Administrators:
  1. In the Administrators tabbed window, select a user from the list of administrators.
  2. Choose Remove; the selected user is removed from the list.
  3. Choose Apply; the user is removed as a Database Administrator for that database.
To add a new user to the list of Database Administrators:
  1. In the Administrators tabbed window, choose Add; the Add Users window appears. Use this window to locate and select users in the directory.
  2. Select a user or users from the directory to be added as a Database Administrator; the new user(s) is displayed in the Administrators tabbed window.
  3. Choose Apply; the new Administrator(s) is added to the database in the realm.


Administering Enterprise Roles

An enterprise domain within an identity management realm can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain.

This section describes how to use Enterprise Security Manager to administer enterprise roles in the directory. It contains the following topics:

Creating a New Enterprise Role

You can create an enterprise role in an enterprise domain either from the Operations menu on the Enterprise Security Manager main window (Figure 13-8), or by right-clicking an enterprise domain in the main application tree. In either case, the Create Enterprise Role window appears (Figure 13-11):

Figure 13-11 Enterprise Security Manager: Create Enterprise Role Window

To create a new enterprise role:
  1. Choose the target identity management realm from the list. This is the realm containing the target enterprise domain to hold the new enterprise role.


    Note:

    If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the identity management realm is already selected.


  2. Select the appropriate enterprise domain for the new enterprise role, from the Enterprise Domain list.


    Note:

    If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the enterprise domain is already selected.


  3. Enter the name of the new enterprise role in the Role Name field.
  4. Choose OK. The new enterprise role is created in the enterprise domain, and appears on the main application tree.
To remove an enterprise role:
  1. Select the target enterprise role from the main application tree (Figure 13-8).
  2. Choose Remove Enterprise Role, either from the Operations menu or by right-clicking the enterprise domain in the main application tree.
  3. Enterprise Security Manager asks you to confirm the removal of the enterprise role. Choose Yes.

Assigning Database Global Role Membership to an Enterprise Role

Use the Database Global Roles tabbed window (Figure 13-12) of the Enterprise Security Manager main window to manage database global role membership in an enterprise role. This window lists the names of each global role that belongs to the enterprise role, along with the name of the database on which that global role exists.

Figure 13-12 Enterprise Security Manager: Database Global Roles Tab

When populating an enterprise role with different database roles, it is only possible to reference roles on databases that are configured to be global roles on those databases. A global role on a database is identical to a normal role, except that the Database Administrator has defined it to be authorized only through the directory. (Global roles are created with the syntax CREATE ROLE <role_name> IDENTIFIED GLOBALLY ' ';) A Database Administrator cannot locally grant and revoke global roles to users of the database.

To add a global role to an enterprise role:
  1. Choose Add... (Figure 13-12). The Add Global Database Roles window appears. This window lists all of the databases in the enterprise domain from which global roles can be selected to add to an enterprise role.
  2. Select a database from which to obtain global roles. A window appears and prompts you for logon details to authenticate to the database (and fetch global roles). Typically, this is a DBA logon to that database.

    Note that the name of the database appears in the Service field by default. You can use this name to connect to the database if your Oracle home has LDAP enabled as its Oracle Net naming method, or if this name appears as a TNS alias in your local Oracle Net configuration. Otherwise, you can overwrite the content of the Service field with any other TNS alias configured for that database, or by a connect string in the format <host>:<port>:<oracle sid>. For example, cartman:1521:broncos.

Figure 13-13 Enterprise Security Manager: Database Authentication Required Window

  3. Choose OK. Enterprise Security Manager connects you to the given database and fetches the list of global roles supported on that database. The list of values, if any, is displayed in the Add Global Database Roles window.
  4. Select one or more global roles from the list of returned values and choose OK. These global roles appear in the Database Global Roles tabbed window (Figure 13-12).
  5. Choose Apply. The new global roles are added to the enterprise role in the enterprise domain.
To remove a database global role from an enterprise role:
  1. Select a global role from the list in the main application tree, and choose Remove.... The global role is removed from the list.
  2. Choose Apply. The global role is removed from the enterprise role in the enterprise domain.

Granting Enterprise Roles to Users

You can grant an enterprise role to users in two ways: you can select a user and add a role (see "Defining an Initial Enterprise Role Assignment"), or you can select a role and add a user. When you grant an enterprise role to a user, it includes all database global roles contained within that enterprise role. Use the Users tabbed window.

To grant an enterprise role to users:
  1. Select the role in the navigation tree, and choose Add... in the Users tabbed window. The Add Enterprise Users window appears. Use this window to locate and select one or more directory users to add as enterprise role grantees (Figure 13-14):

Figure 13-14 Enterprise Security Manager: Add Enterprise Users Window

  2. Select a user or users and click OK. The new grantees are added to the list of users who have that enterprise role in the enterprise domain.
  3. Choose Apply. The user or users are granted the selected enterprise role.
To remove a user from the list of enterprise role grantees:
  1. Select a user from the list of grantees in the Users tabbed window.
  2. Choose Remove. The selected user is removed from the list.
  3. Choose Apply. The user is removed as a grantee for that enterprise role in the enterprise domain.