Oracle8i Enterprise Edition for Windows NT Getting Started
Release 8.1.5 for Windows NT A68694-01
This chapter describes how to authenticate Oracle8i database users with Windows NT. Specific topics discussed are:
Manual Authentication Using Windows NT
The Oracle8i database can use information maintained by Windows NT to authenticate database users. The benefits of Windows NT authentication include:
Windows NT Native authentication methods (automatically installed with Net8 Server and Net8 Client) enable database user authentication through Windows NT. This enables client computers to make secure connections to an Oracle8i database on a Windows NT server. A secure connection is one in which the Windows NT client user name is retrieved on the Windows NT server through Windows NT Native authentication methods; the Windows NT server then permits that user name to perform database actions on the server.
In Oracle 8.1.5, by default, external users created in the database must be prefixed with the domain name. For example, for the NT user DOMAIN1\NTUSER1, the Oracle user created in the database must be DOMAIN1\NTUSER1. If you wish to create the Oracle user in the database without the domain-name prefix, you must first set the registry value OSAUTH_PREFIX_DOMAIN in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID to FALSE.
When you install Oracle8i Enterprise Edition, your Windows NT user name is automatically added to a Windows NT local group called ORA_DBA. The ORA_DBA local group is:
Enables you to:
Oracle Administration Assistant for Windows NT is a graphical user interface (GUI) tool that enables you to easily configure Oracle database administrators, operators, users, and roles to be authenticated by the Windows NT operating system. Oracle Administration Assistant for Windows NT enables you to:
Oracle Administration Assistant for Windows NT eliminates the need for manually:
If you want to use Oracle Administration Assistant for Windows NT to manage a remote computer, you must have administrator privileges for the remote computer. Oracle Administration Assistant for Windows NT always creates users in the database with the domain name as the prefix. Therefore, if you are managing Oracle 7.x or Oracle 8.0.x databases remotely, you must set the registry value OSAUTH_PREFIX_DOMAIN in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID to TRUE on the remote system.
When you use Oracle Administration Assistant for Windows NT for the first time, it automatically adds the local computer to the navigation tree. You may then add another computer by following these steps:
You can grant the SYSOPER and SYSDBA privileges to DBAs using the Oracle Administration Assistant for Windows NT snap-in for the Microsoft Management Console.
To grant the SYSDBA privileges using the Oracle Administration Assistant for Windows NT snap-in in the Microsoft Management Console:
The Windows NT domain user with which you are attempting to connect to the Oracle database is not recognized as an authenticated user with the SYSDBA privilege. Therefore, you must enter an Oracle user name and password to access the database. To avoid being prompted with this dialog box again, configure your domain user to be a database administrator authenticated by the Windows NT operating system.
The dialog box shown above appeared because you are not using the TCP/IP networking protocol to connect to a remote Oracle database. Using SPX or Named Pipes causes this dialog box to appear each time you attempt a remote connection. To avoid having to respond to this dialog box, change to the TCP/IP networking protocol and use default port 1521 or 1526.
The dialog box shown above may also appear because the Oracle database is not running. Start the Oracle database.
Note: For connections to local Oracle databases, the Bequeath networking protocol is automatically used. Bequeath is automatically installed with Net8 Server.
Enter the net service name with which to connect to your Oracle database. The net service name is an alias for a specific database instance that you create with the graphical user interface tool Net8 Assistant or Net8 Easy Config. You must enter a net service name regardless of the authentication method you select below.
Select this option if you want to access the database with an Oracle user name and password. This user name and password must exist in the Oracle database. This user name must also have the SYSDBA privilege.
OS Authenticated Connection as SYSDBA
Select this option if you want to access the database with the Windows NT domain user with which you are currently logged in. This Windows NT domain user must already be recognized by Windows NT as an authenticated user with SYSDBA privileges. Otherwise, your logon attempt will fail.
To view database properties, right-click the database and choose Properties.
You may create a Nonprivileged Database User using the Oracle Administration Assistant for Windows NT snap-in in the Microsoft Management Console.
Start the Microsoft Management Console.
The Create External OS User Wizard is launched.
The Step 2 page allows you to choose which profile and tablespace information to assign to the user or group.
To view the properties of an external OS user, click External OS Users in the Microsoft Management Console scope pane. Right-click the external OS user whose properties you wish to view and select Properties.
OS_ROLES is a parameter in the INIT.ORA file that, if set to TRUE, enables the Windows NT operating system to manage the authorization of external OS roles for database users. If OS_ROLES is set to TRUE, only external OS roles are displayed in the field Granted External OS Roles. By default, OS_ROLES is set to FALSE and only local roles are displayed in the field Granted Roles. You must set OS_ROLES to TRUE and restart your Oracle database before you can create external OS roles.
If OS_ROLES is set to FALSE, the Oracle database manages the granting and revoking of roles for database users.
If OS_ROLES is set to TRUE and you assign an external OS role to an NT global group, it is granted only at the global group level, and not at the level of the individual user in this global group. This means that you cannot later revoke or edit the external OS role assigned to an individual user in this global group through the Roles tab of the Domain\User Name Properties dialog box. Instead, you must use the Assign External OS Roles to an NT Global Group dialog box to revoke the external OS role from this global group (and therefore from all its individual users).
External OS roles assigned to an individual domain user, or local roles (with OS_ROLES set to FALSE) assigned to an individual domain user or NT global group, are not affected by this issue, and can be edited or revoked.
If OS_ROLES is set to TRUE, you cannot grant local roles in the database to any database user. You must grant the roles through Windows NT.
You can create a local database role using the Oracle Administration Assistant for Windows NT snap-in for the Microsoft Management Console.
Click the value in the Admin Option column to display a drop-down list box. This box enables you to select Yes or No. Select Yes if you want to grant the Admin Option to this role.
Select appropriate roles to assign to the local role. Both
local roles and External OS roles appear in this list.
You can create an External OS role using the Oracle Administration Assistant for Windows NT snap-in for the Microsoft Management Console.
Click the value in the Admin Option column to display a drop-down list box. This box enables you to select Yes or No. Select Yes if you want to grant the Admin Option to this role.
Click Revoke to revoke the selected roles from the External OS role.
This section describes how to authenticate nonprivileged database users (nondatabase administrators) using Windows NT so that a password is not required when accessing the database. When you use Windows NT to authenticate nonprivileged database users, your database relies solely on Windows NT to restrict access to database user names. In the steps below, the following Windows NT user names are authenticated:
The local and domain user name FRANK and the domain SALES are used in the steps below. Substitute the appropriate local and domain user name and domain name for your environment.
Follow the steps below to connect without a password as a nonprivileged database user:
To perform authentication tasks on an Oracle8i database server:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT
Enter user-name: SYSTEM/PASSWORD
If Authenticating a... | Then Enter...
---|---
Local user name | SQL> CREATE USER XYZFRANK IDENTIFIED EXTERNALLY;
Domain user name | SQL> CREATE USER "XYZSALES\FRANK" IDENTIFIED EXTERNALLY;
If Authenticating a... | Then Enter...
---|---
Local user name | SQL> GRANT RESOURCE TO XYZFRANK; SQL> GRANT CONNECT TO XYZFRANK;
Domain user name (1) | SQL> GRANT RESOURCE TO "XYZSALES\FRANK"; SQL> GRANT CONNECT TO "XYZSALES\FRANK";
(1) Enter the syntax for domain users in uppercase and with double quotes around the domain user name.
SQL> CONNECT INTERNAL
SQL> SHUTDOWN
SQL> STARTUP
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT /@NET_SERVICE_NAME
The Oracle8i database searches the data dictionary for an automatic login user name corresponding to the Windows NT local or domain user name, verifies it, and allows you to connect as XYZFRANK or XYZSALES\FRANK.
SQL> SELECT * FROM USER_ROLE_PRIVS;
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZFRANK                       CONNECT                        NO  YES NO
XYZFRANK                       RESOURCE                       NO  YES NO

2 rows selected.

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZSALES\FRANK                 CONNECT                        NO  YES NO
XYZSALES\FRANK                 RESOURCE                       NO  YES NO

2 rows selected.
SQL> SELECT * FROM XYZFRANK.SHARK
Attention: Automatic authorization is supported for all Net8 protocols.
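The mapping from a Windows NT account to the external Oracle user described above (domain prefix controlled by OSAUTH_PREFIX_DOMAIN, uppercase matching, double quotes around names containing a backslash) is small enough to model in code. The following Python is an added example, not Oracle's code or anything shipped with Oracle8i; it assumes that the XYZ in XYZFRANK is the value of the OS_AUTHENT_PREFIX initialization parameter (the chapter does not say so) and that the data dictionary is a plain list of user names. Its resolve_login function shows the consequence of turning the domain prefix off: a FRANK from any domain then matches the same Oracle user, which is the risk a DBA should weigh before setting OSAUTH_PREFIX_DOMAIN to FALSE.

```python
r"""Map a Windows NT account to the Oracle8i external user it is authenticated as.

Added example, not Oracle's code. It models the rules stated in this chapter:
  * OSAUTH_PREFIX_DOMAIN = TRUE  -> the Oracle user is DOMAIN\USER
  * OSAUTH_PREFIX_DOMAIN = FALSE -> the Oracle user is just USER
  * names are matched in uppercase, and a name containing a backslash must be
    written in double quotes in CREATE USER and GRANT
Assumption (not stated in the chapter): the "XYZ" in XYZFRANK is the value of the
OS_AUTHENT_PREFIX initialization parameter, prepended before the dictionary lookup.
"""
import re

# A plain Oracle identifier needs no quoting; anything else (e.g. a backslash) does.
PLAIN_IDENT = re.compile(r"^[A-Z][A-Z0-9_$#]{0,29}$")


def oracle_user_name(nt_user, os_authent_prefix="XYZ", osauth_prefix_domain=True):
    """Return the Oracle user name an NT account maps to.

    nt_user is "DOMAIN\\USER" for a domain account or "USER" for a local one.
    """
    if "\\" in nt_user:
        domain, user = nt_user.split("\\", 1)
    else:
        domain, user = None, nt_user
    if not user:
        raise ValueError("empty NT user name")
    base = f"{domain}\\{user}" if (domain and osauth_prefix_domain) else user
    return (os_authent_prefix + base).upper()


def quote_ident(name):
    """Double-quote an identifier that is not a plain Oracle identifier."""
    if PLAIN_IDENT.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def create_user_statements(nt_user, roles=("RESOURCE", "CONNECT"), **opts):
    """The SQL*Plus statements the chapter shows for a new externally identified user."""
    ident = quote_ident(oracle_user_name(nt_user, **opts))
    return [f"CREATE USER {ident} IDENTIFIED EXTERNALLY;"] + [
        f"GRANT {role} TO {ident};" for role in roles
    ]


def resolve_login(nt_user, external_users, **opts):
    """Simulate the data-dictionary lookup performed on CONNECT /@NET_SERVICE_NAME:
    return the external user the NT login connects as, or None if there is none."""
    wanted = oracle_user_name(nt_user, **opts)
    for u in external_users:
        if u.upper() == wanted:
            return u
    return None


if __name__ == "__main__":
    # Constructed sample data dictionary: the two users created in the chapter.
    dictionary = ["XYZFRANK", "XYZSALES\\FRANK"]
    for stmt in create_user_statements("SALES\\FRANK"):
        print(stmt)
    # With the domain prefix kept, a FRANK from another domain does not match.
    print(resolve_login("OTHERDOM\\FRANK", dictionary))
    # With OSAUTH_PREFIX_DOMAIN = FALSE, any domain's FRANK collapses onto XYZFRANK.
    print(resolve_login("OTHERDOM\\FRANK", dictionary, osauth_prefix_domain=False))
```

Run the file directly to see the statements for the domain user and the two lookup results; the second lookup returning XYZFRANK is the point of the example.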
This section describes how to enable Windows NT to grant the SYSOPER and SYSDBA privileges to DBAs. This enables DBAs to issue the following commands from a client computer and connect to the Oracle8i database without entering a password:
To enable this feature, the Windows NT local or domain user name of the client must belong to one of the following four Windows NT local groups on the server:
Local Group | This Local Group Includes All...
---|---
ORA_OPER | SYSOPER database privileges; applicable for all system identifiers (SIDs).
ORA_DBA (1) | SYSDBA database privileges; applicable for all SIDs.
ORA_SID_DBA | SYSDBA database privileges; applicable only for the SID specified in the name.
ORA_SID_OPER | SYSOPER database privileges; applicable only for the SID specified in the name.
(1) ORA_DBA is automatically created during installation. See section "Automatically Enabling Operating System Authentication During Installation" for information.
The SYSOPER and SYSDBA privileges are mapped to the following Windows NT local groups:
This Privilege... | Maps to the Local Group...
---|---
SYSOPER | ORA_SID_OPER, ORA_OPER
SYSDBA | ORA_SID_DBA, ORA_DBA, ORA_SID_OPER, ORA_OPER
Follow the steps below to connect as SYSOPER or SYSDBA without a password:
To perform authentication tasks on the Oracle8i database server:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
If The Local Group Is... | Then Enter...
---|---
ORA_DBA or ORA_SID_DBA | SQL> CONNECT / AS SYSOPER or SQL> CONNECT / AS SYSDBA
ORA_OPER or ORA_SID_OPER | SQL> CONNECT / AS SYSOPER
This section describes how to connect as INTERNAL without a password. To do this, you must create one of the following new local Windows NT user groups and add a Windows NT operating system local or domain user to that group:
Local Group | This Local Group Includes All...
---|---
ORA_DBA (1) | SYSDBA database privileges. This group is applicable for all SIDs.
ORA_SID_DBA | SYSDBA database privileges. This group is applicable only for the SID specified in the name.
(1) ORA_DBA is automatically created during installation. See section "Automatically Enabling Operating System Authentication During Installation" for information.
This enables you to log into a local computer or a Windows NT domain. In the domain, your Oracle8i database is just one of many resources to which you have access. Once you access this domain, you are automatically validated as an authorized DBA who can access the Oracle8i database without a password.
Follow the steps below to connect as INTERNAL without a password:
To perform authentication tasks on the Oracle8i database server:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
SQL> CONNECT INTERNAL
SQL> SHUTDOWN
SQL> STARTUP
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
This section describes how to grant Oracle8i database roles to users directly through Windows NT. When you use Windows NT to authenticate users, Windows NT local groups can grant these users database roles. Through User Manager, you can create, grant, or revoke database roles to users.
All privileges for these roles are active when the user connects. When using operating system roles, all roles are granted and managed through the operating system. You cannot use both operating system roles and Oracle roles at the same time. For example:
If You... | Then...
---|---
 | You only receive the roles granted to DTMSDOM\FRANK, and not the roles granted to SCOTT.
Follow the steps below to grant database roles with Windows NT:
To perform authentication tasks on the Oracle8i database server:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT INTERNAL
SQL> CREATE ROLE DBSALES3 IDENTIFIED EXTERNALLY;
SQL> GRANT DBA TO DBSALES3 WITH ADMIN OPTION;
SQL> GRANT RESOURCE TO DBSALES3 WITH ADMIN OPTION;
SQL> GRANT CONNECT TO DBSALES3 WITH ADMIN OPTION;
SQL> CONNECT INTERNAL
SQL> SHUTDOWN
SQL> STARTUP
ORA_SID_ROLENAME [_D] [_A]
Element | Description
---|---
SID | Indicates the database instance.
ROLENAME | Identifies the database role granted to users of a database session.
D | Optional character indicating that this database role is to be the default role of the database user. If specified, this character must be preceded by an underscore.
A | Optional character indicating that this database role includes the ADMIN OPTION. This enables the user to grant the role to other roles only. If specified, this character must be preceded by an underscore.
For this example, ORA_ORCL_DBSALES3_D is entered.
You can convert additional database roles to several possible Windows NT groups, as shown in the following table. Then, users connecting to the ORCL instance in this example and authenticated by Windows NT as members of these Windows NT local groups have the privileges associated with DBSALES3 and DBSALES4 by default (because of the _D option). DBSALES1 and DBSALES2 are available for use by the user if they first connect as members of DBSALES3 or DBSALES4 and use the SET ROLE command. If a user tries to connect with DBSALES1 or DBSALES2_A without first connecting with a default role, they are unable to connect. Additionally, users can grant DBSALES2 and DBSALES4 to other roles.
Database Roles | Windows NT Groups
---|---
DBSALES1 | ORA_ORCL_DBSALES1
DBSALES2 | ORA_ORCL_DBSALES2_A
DBSALES3 | ORA_ORCL_DBSALES3_D
DBSALES4 | ORA_ORCL_DBSALES4_DA
Note: When the Oracle8i database converts the group name to a role name, it changes the name to uppercase.
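Because the privilege groups (ORA_DBA, ORA_OPER, ORA_SID_DBA, ORA_SID_OPER, described in the SYSOPER/SYSDBA section above) and the role groups (ORA_SID_ROLENAME[_D][_A], described just above) share one naming scheme, one decoder serves both. The Python below is an added example, not Oracle's code or part of the product; it assumes a SID contains no underscore (the chapter does not say how one would be handled) and follows the connect table in the SYSOPER/SYSDBA section (DBA groups permit CONNECT / AS SYSDBA and AS SYSOPER, OPER groups permit AS SYSOPER only). The os_roles flag models the OS_ROLES initialization parameter discussed earlier: with OS_ROLES = FALSE the role groups have no effect. Such a decoder is useful to audit which Windows NT local-group memberships on a server translate into privileged database access.

```python
"""Decode the Windows NT local-group names Oracle8i maps to privileges and roles.

Added example, not Oracle's code. It implements the naming rules in this chapter:
  * ORA_DBA, ORA_OPER                 -> SYSDBA / SYSOPER for every SID
  * ORA_<SID>_DBA, ORA_<SID>_OPER     -> the same, for the named SID only
  * ORA_<SID>_<ROLENAME>[_D][_A]      -> external role; _D makes it a default
                                         role, _A grants it WITH ADMIN OPTION
Oracle upper-cases the group name, so matching is case-insensitive here too.
Assumption: the SID contains no underscore, so the first underscore after "ORA_"
terminates it (the chapter does not say how an underscore in a SID is handled).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class GroupMeaning:
    kind: str             # "privilege" or "role"
    sid: Optional[str]    # None = applies to all SIDs
    name: str             # "SYSDBA"/"SYSOPER", or the role name
    default: bool = False
    admin: bool = False


def parse_group(group):
    """Return the GroupMeaning for an NT local-group name, or None if it is not
    one of Oracle's ORA_ groups."""
    g = group.upper()
    if not g.startswith("ORA_"):
        return None
    rest = g[len("ORA_"):]
    if rest in ("DBA", "OPER"):
        return GroupMeaning("privilege", None, "SYSDBA" if rest == "DBA" else "SYSOPER")
    if "_" not in rest:
        return None
    sid, tail = rest.split("_", 1)
    if tail in ("DBA", "OPER"):
        return GroupMeaning("privilege", sid, "SYSDBA" if tail == "DBA" else "SYSOPER")
    default = admin = False
    # The syntax fixes the order (_D before _A), so the legal suffixes are _D, _A and _DA.
    for suffix in ("_DA", "_D", "_A"):
        if tail.endswith(suffix):
            tail = tail[: -len(suffix)]
            default, admin = "D" in suffix, "A" in suffix
            break
    if not tail:
        return None
    return GroupMeaning("role", sid, tail, default, admin)


def session_entitlements(groups, sid, os_roles=True):
    """What a user holding these NT local-group memberships gets when connecting
    to instance `sid`: DBA groups allow CONNECT / AS SYSDBA and AS SYSOPER, OPER
    groups allow AS SYSOPER only. Role groups count only when the instance runs
    with OS_ROLES = TRUE; otherwise the database, not Windows NT, manages roles."""
    sid = sid.upper()
    modes, default_roles, settable, admin = set(), set(), set(), set()
    for g in groups:
        m = parse_group(g)
        if m is None or (m.sid is not None and m.sid != sid):
            continue  # not an Oracle group, or scoped to a different SID
        if m.kind == "privilege":
            modes.add("SYSOPER")
            if m.name == "SYSDBA":
                modes.add("SYSDBA")
        elif os_roles:
            (default_roles if m.default else settable).add(m.name)
            if m.admin:
                admin.add(m.name)
    return {
        "connect_as": sorted(modes),
        "default_roles": sorted(default_roles),   # active as soon as the user connects
        "set_role_only": sorted(settable),        # usable only via SET ROLE afterwards
        "admin_option": sorted(admin),
        # Per the chapter, a user holding only non-default OS roles cannot connect.
        "blocked_without_default_role": bool(settable) and not default_roles,
    }


if __name__ == "__main__":
    # Constructed membership list: the four role groups from the chapter's table
    # plus one privilege group for every SID and one scoped to another SID.
    memberships = ["ORA_ORCL_DBSALES1", "ORA_ORCL_DBSALES2_A", "ORA_ORCL_DBSALES3_D",
                   "ORA_ORCL_DBSALES4_DA", "ORA_OPER", "ORA_TEST_DBA"]
    for instance in ("ORCL", "TEST"):
        print(instance, session_entitlements(memberships, instance))
```

Running the file prints the entitlements for the ORCL instance (SYSOPER only, DBSALES3 and DBSALES4 as default roles, DBSALES1 and DBSALES2 via SET ROLE, ADMIN OPTION on DBSALES2 and DBSALES4) and for TEST, where ORA_TEST_DBA adds SYSDBA and none of the ORCL role groups apply.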
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
where NET_SERVICE_NAME is the Net8 service name for the Oracle8i database that you created in Step 3.
SQL> CONNECT SCOTT/TIGER