Oracle9i Security and Network Integration Guide
Release 2 (9.2) for Windows
Part Number A95492-01
Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains. Oracle Enterprise Security Manager is included as an integrated application of Oracle Enterprise Manager Console. See Oracle Advanced Security Administrator's Guide for more information on using Oracle Enterprise Security Manager.
This chapter contains these topics:
You can administer an external user or an external role in Windows 2000 domains, but you cannot use Oracle Enterprise Security Manager to perform this administration. See Chapter 2, "Administering External Users and Roles" for more information on tools available for administering external users and roles.
Enterprise users are created and managed centrally in a directory server (for example, Oracle Internet Directory or Active Directory). To allow access to multiple databases, enterprise users need to be defined in each database as an external user.
For example, assume there is an enterprise user (cn=joe,cn=users,dc=acme,dc=com) who needs access to two databases: marketing. This enterprise user must be defined in both databases as an external user.
Most users typically need to access only application schemas in a database, so they usually do not need their own schemas. In Oracle9i, you can create one shared schema in the database and map multiple enterprise users in a directory server to this one shared schema with Oracle Enterprise Security Manager. This is especially useful in an Internet environment, where a number of users access an application at the same time. With a shared schema there is no need to create separate schemas for each user.
See Oracle Advanced Security Administrator's Guide for more information.
Enterprise user authentication is enabled if you:
true. (See "Oracle9i Integration with Active Directory" for instructions.)
The Kerberos authentication protocol is used if Windows and Oracle releases match those listed in Table 1-1, "Software Requirements to Enable Kerberos Authentication Protocol". Otherwise, NTLM is used.
An enterprise user is assigned an enterprise role; some users are assigned more than one. Enterprise role authorization is supported with Oracle8i release 8.1.6 and later. An enterprise role is a single role created in a directory server with Oracle Enterprise Security Manager. Use Oracle Enterprise Security Manager to assign global roles and groups located on multiple databases to an enterprise role. A global role must be created individually in each Oracle9i database.
For example, as an enterprise user you can be assigned enterprise role HR (which contains global role user) in the human resources database. You can also be assigned global role employee in the corporate information database. If you change jobs, your enterprise role assignment is changed only in the directory, altering your privileges in multiple databases throughout the enterprise. Also, an administrator can add capabilities to enterprise roles or remove a privilege from the enterprise role without having to update each user's privileges individually.
Use enterprise roles in environments where users assigned to these roles are located in many geographic regions and must access multiple databases.
See Oracle Advanced Security Administrator's Guide for more information on creating and storing enterprise roles in a directory server with Oracle Enterprise Security Manager.
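The database-side objects behind the shared schema and global role described above, as an added example that is not taken from the Oracle guide. The names app_shared, hr_user and hr.employees are hypothetical, and the mapping of directory users and enterprise roles to these objects is still done in Oracle Enterprise Security Manager.

```sql
-- Added example; app_shared, hr_user and hr.employees are hypothetical names.
-- Run as a DBA in every database the enterprise users must reach.

-- 1. Shared schema. The empty string after AS means the schema is not tied
--    to one directory entry; which enterprise users land in it is decided
--    by the mapping stored in the directory server.
CREATE USER app_shared IDENTIFIED GLOBALLY AS '';

-- Everyone mapped to the shared schema inherits whatever is granted to it
-- directly, so keep direct grants to the minimum needed to connect.
GRANT CREATE SESSION TO app_shared;

-- 2. Global role. It must be created in each database separately and is
--    then added to an enterprise role in the directory. Oracle rejects a
--    direct GRANT of a global role to a database user or to another role.
CREATE ROLE hr_user IDENTIFIED GLOBALLY;

-- Object privileges go to the global role, not to the shared schema, so
-- removing the enterprise role in the directory removes the access.
GRANT SELECT ON hr.employees TO hr_user;

-- 3. Review what is directory-controlled in this database.
--    In this release the PASSWORD column reads GLOBAL for globally
--    identified users; EXTERNAL_NAME holds the directory DN when the
--    schema belongs to a single user and is empty for a shared schema.
SELECT username, external_name
  FROM dba_users
 WHERE password = 'GLOBAL';

SELECT role
  FROM dba_roles
 WHERE password_required = 'GLOBAL';

-- Privileges granted straight to the shared schema deserve scrutiny,
-- because they apply to every enterprise user mapped to it.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_SHARED';
```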
Permissions authorized to an enterprise user are authorized for the enterprise role contained in the global role.
Enterprise roles are authorized by the directory server, and not by setting initialization file parameter