Oracle Advanced Security Administrator's Guide
Release 8.1.6

A76932-01


20 Using Oracle Enterprise Security Manager

This chapter describes how an enterprise database administrator uses Oracle Enterprise Security Manager to administer database security in an enterprise domain of Oracle8i databases.

This information is organized into the following sections:

  • Introduction

  • Installing and Configuring Oracle Enterprise Security Manager

  • Navigating Oracle Enterprise Security Manager

  • Administering Enterprise Databases, Domains, and Users

  • Managing Security Administrators

Introduction

Oracle Enterprise Security Manager is an administration tool that provides a graphical user interface to manage enterprise users, enterprise domains, databases, and enterprise roles that are held in a directory server.

Table 20-1 explains the terminology used when describing this tool and its features.

Table 20-1 Oracle Enterprise Security Manager Terms and Definitions

Administrative Context: The location for an Oracle Context. It can be any entry in the directory.

Database Security Administrator: Has create, modify, and read access for enterprise user security. This type of administrator has permissions on all of the domains in the enterprise and is responsible for:

  • Administering the OracleDBSecurityAdmins and OracleDBCreators groups

  • Creating new enterprise domains

  • Moving databases from one domain to another within the enterprise

Database Administrator: Manages a specific database object and its related Net8 objects in the directory.

Database Installation Administrator: Also called a database creator. This type of administrator is in charge of creating new databases, which includes registering each database in the directory by using the Database Configuration Assistant. This type of administrator has create and modify access to database service objects and attributes, and can also modify the Default Domain.

Enterprise Domain: Directory construct that consists of databases and enterprise roles. A database should exist in only one enterprise domain at any given point in time.

Enterprise Domain Administrator: User(s) authorized to manage a specific enterprise domain, including adding new enterprise domain administrators to this list of users.

Enterprise Role: Roles that determine access privileges on databases. Enterprise roles are stored in the directory and contain one or more global roles.

Enterprise User: User that is defined and managed in a directory. Each enterprise user has a unique identity across an enterprise and uses a wallet.

Global Role: A role that is assigned to a user in a directory, but whose privileges are contained within a single database.

Installing and Configuring Oracle Enterprise Security Manager

The following instructions outline how to install Oracle Management Server and Oracle Enterprise Manager with the Oracle Enterprise Security Manager.

These installation steps are discussed in the following sections:

  • Task 1: Install Oracle Enterprise Security Manager

  • Task 2: Configure Oracle Enterprise Security Manager

  • Task 3: Start Oracle Enterprise Security Manager

  • Task 4: Log Into the Directory

Task 1: Install Oracle Enterprise Security Manager

You do this when you install Oracle Enterprise Manager. See the platform-specific installation documentation for Oracle Enterprise Manager.

Task 2: Configure Oracle Enterprise Security Manager

Oracle Enterprise Security Manager must be able to connect to databases published in the directory. Therefore, there should be a TNS alias for each database, and that alias should match the global name of the database and its common name in the directory.

Use the Net8 Configuration Assistant to create a tnsnames.ora file in ORACLE_HOME/network/admin, and create service names for the databases you want to manage. This is not necessary if all databases to be managed are set up to listen for incoming TCP connections on port 1521 (part of the default setup) and their global database names are exactly hostname.domain.

Use the Net8 Configuration Assistant to set up directory access. This creates an ldap.ora file in ORACLE_HOME/network/admin.


Note:

Oracle Enterprise Security Manager allows you to specify the Net8 service to connect to a database published in the directory. 


Task 3: Start Oracle Enterprise Security Manager

To start Oracle Enterprise Security Manager, in the command line, enter

oemapp esm

If the ldap.ora file is not configured, you receive the following alert:


In this case, you can exit Oracle Enterprise Security Manager and run Net8 Configuration Assistant to set up directory access, then restart Oracle Enterprise Security Manager. Alternatively, you can:

If the ldap.ora file is properly configured, Oracle Enterprise Security Manager starts and automatically connects to the directory server.

On startup, Oracle Enterprise Security Manager looks something like this:


If the result of automatic login is not what you want, log out, then log back in again with the user name you want to use. To do this:

  1. From the menu bar, choose Directory > Logout.

  2. From the menu bar, choose Directory > Login. This displays the Directory Server Login dialog box.

  3. Proceed to "Task 4: Log Into the Directory" for instructions on filling in the fields in this dialog box.

Task 4: Log Into the Directory

To log into the directory:

  1. From the Oracle Enterprise Security Manager menu bar, choose Directory > Login.

  2. Choose the authentication type. Options are:

    • Password Authentication: Uses simple authentication requiring a user DN and password.

    • SSL Client Authentication: Uses two-way SSL authentication in which both client and server use Oracle wallets containing digital certificates.

    • Native Authentication (Windows NT or Windows 2000 only): Relies on the operating system to determine how you log in.


  3. If you are using SSL, enter the wallet location and the wallet password.

  4. Enter the server and port number. If you are using SSL, be sure to enter the directory's SSL port number.

  5. Click OK.

Navigating Oracle Enterprise Security Manager

This section introduces some basic features of Oracle Enterprise Security Manager. It does so in the following sections:

  • Changing a Search Base

  • Browsing the Directory

Changing a Search Base

By default, when Oracle Enterprise Security Manager performs a search, it uses as its search base the administrative context you have already set. If you want to use a search base other than the configured administrative context, do the following:

  1. On the menu bar, click Edit > Preferences. The Edit LDAP Preferences dialog box appears.


  2. In the Enterprise Users Base field, enter the DN you want to use as the base of the search.

    You can also click Browse Directory to navigate to a directory object to use as the base of the search.

  3. Click Accept.

Browsing the Directory

A Browse Directory button appears frequently as you use Oracle Enterprise Security Manager. Whenever you click a Browse Directory button, Oracle Enterprise Security Manager displays a dialog box that allows you to focus your search by specifying a naming context and directory search criteria. In each context, you use this dialog box in the same way.

For example, suppose you want to change the administrative context to c=acme,c=us. To do this, you would:

  1. Navigate to the Oracle Enterprise Security Manager initial screen (Task 3), and click Browse Directory. The corresponding dialog box appears.

  2. In the Naming Context field, you would enter c=us.

  3. In the Directory Search Attributes field, in the Searchable Attribute Value column, in the object class row, you would enter organization. The entries for organizations in the U.S. would appear in the Directory Search Results: Directory Entry field.

  4. In the Directory Search Results: Directory Entry field, you would select the directory entry that you want to use as the new administrative context, and click OK. This would return you to the Oracle Enterprise Security Manager initial screen. The administrative context you just specified would appear in the Administrative Context field.

Use the same steps when browsing for directory objects in other contexts, for example, when using the Edit LDAP Preferences dialog box to change the base of a search.

Administering Enterprise Databases, Domains, and Users

The following instructions assume you are running Oracle Enterprise Manager and have invoked the Oracle Enterprise Security Manager.

See Also:

"Task 3: Start Oracle Enterprise Security Manager" for instructions on how to start the Oracle Enterprise Security Manager and on how to connect to a database. 

Managing enterprise users involves working in the three top-level nodes in the Oracle Enterprise Security Manager navigator pane. These three nodes are discussed in the following sections:

  • Administering Databases

  • Administering Enterprise Domains

  • Administering Enterprise Users

Administering Databases

This section tells you how to manage user/schema separation for a database.

Managing User/Schema Separation

To map an enterprise user to a database schema:

  1. In the navigator pane, expand Administrative Context > Database.

  2. Select the server on which you want to support user/schema separation. The corresponding tab pages appear in the right pane.


  3. In the Database Schema Mapping tab page, in the Schema Assignments window, in the Directory Entry column, enter either the full or partial DN of the entry that you want to map to a shared schema. You can also click the Browse Directory button to navigate to that DN.

  4. In the same row, in the Schema column, enter the name of an existing schema on that database.

  5. If this is a full DN, in the Entry column, select the check box. If this is a partial DN, in the Subtree column, select the check box.


  6. Click Apply. The database object is updated in the directory, and an empty row is added in the Schema Assignments window should you want to add more mappings.

Administering Enterprise Domains

There is initially one enterprise domain listed under the Enterprise Domains node in the Oracle Enterprise Security Manager navigator: Oracle Default Domain. Each enterprise domain you define in the LDAP directory is added under the Enterprise Domains node.

This section discusses topics in the following subsections:

  • Managing User/Schema Separation

  • Creating an Enterprise Domain

  • Adding a Database to an Enterprise Domain

  • Creating an Enterprise Role within an Enterprise Domain

  • Assigning Enterprise Users to an Enterprise Role

  • Removing a Database from an Enterprise Domain

  • Deleting an Enterprise Domain

Managing User/Schema Separation

The section "Administering Databases" discussed how you manage user/schema separation on an individual database. This section tells you how to manage user/schema separation on all the databases in a given domain.

To map an enterprise user to a database schema:

  1. In the navigator pane, expand Administrative Context > Enterprise Domains.

  2. Select the enterprise domain on which you want to support user/schema separation. The corresponding tab pages appear in the right pane.


  3. Select the Database Schema Mapping tab.

  4. In the Schema Assignments window, in the Directory Entry column, enter either the full or partial DN that you want to map to a shared schema. You can also click the Browse Directory button to navigate to the DN.

  5. In the same row, in the Schema column, enter the name of an existing schema supported by all the databases in the domain.

  6. If this is a full DN, in the Entry column, select the check box. If this is a partial DN, in the Subtree column, select the check box.


  7. Click Apply. The database object is updated in the directory, and an empty row is added in the Schema Assignments window should you want to add more mappings.
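As an added illustration (example code, not Oracle's) of the Entry versus Subtree mappings entered in the two procedures above, one for a single database and one for a whole enterprise domain, the following Python resolves an enterprise user's DN to a shared schema. The precedence it applies (database-level mappings over domain-level ones, exact entry mappings over subtree mappings) is an assumption not stated on this page, and the sample mappings are constructed.

```python
"""Resolve an enterprise user's DN to a shared schema, modelled on the
Database Schema Mapping tab.  Illustrative example, not Oracle code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SchemaMapping:
    dn: str      # full or partial DN typed into the Directory Entry column
    schema: str  # existing database schema from the Schema column
    kind: str    # "entry" (Entry check box) or "subtree" (Subtree check box)


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs with attribute types and values lower-cased and
    whitespace trimmed, so 'CN=Bob, OU=Sales' equals 'cn=bob,ou=sales'.
    Assumption: case-insensitive values suffice here; a real LDAP client
    would apply each attribute's own matching rule."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def matches(mapping: SchemaMapping, user_dn: str) -> bool:
    """Entry mappings match only the exact DN.  Subtree mappings match any
    DN whose trailing RDNs equal the partial DN, compared component-wise
    rather than as a raw string suffix, so 'ou=xsales' is not 'ou=sales'."""
    user = normalize_dn(user_dn)
    base = normalize_dn(mapping.dn)
    if mapping.kind == "entry":
        return user == base
    if mapping.kind == "subtree":
        return len(user) >= len(base) and user[-len(base):] == base
    raise ValueError(f"unknown mapping kind: {mapping.kind}")


def resolve_schema(user_dn: str, db_mappings: List[SchemaMapping],
                   domain_mappings: List[SchemaMapping]) -> Optional[str]:
    """Assumed precedence (not stated on this page): a mapping on the
    database itself beats one on its enterprise domain, an entry mapping
    beats a subtree mapping, and the most specific subtree base wins.
    Returns None when nothing applies; the login should then fail rather
    than fall back to some default schema."""
    for mappings in (db_mappings, domain_mappings):
        hits = [m for m in mappings if matches(m, user_dn)]
        entry = [m for m in hits if m.kind == "entry"]
        if entry:
            return entry[0].schema
        subtree = sorted((m for m in hits if m.kind == "subtree"),
                         key=lambda m: len(normalize_dn(m.dn)), reverse=True)
        if subtree:
            return subtree[0].schema
    return None


# Constructed sample mappings, as an administrator might enter them in the
# Schema Assignments window for one database and for its enterprise domain.
DB_MAPPINGS = [
    SchemaMapping("cn=alice,ou=sales,o=acme,c=us", "ALICE_SCHEMA", "entry"),
]
DOMAIN_MAPPINGS = [
    SchemaMapping("ou=sales,o=acme,c=us", "SALES_SHARED", "subtree"),
    SchemaMapping("o=acme,c=us", "ACME_GUEST", "subtree"),
]

if __name__ == "__main__":
    for dn in ("CN=Alice, OU=Sales, O=Acme, C=US",
               "cn=bob,ou=sales,o=acme,c=us",
               "cn=carol,ou=xsales,o=acme,c=us",
               "cn=dave,o=other,c=us"):
        print(dn, "->", resolve_schema(dn, DB_MAPPINGS, DOMAIN_MAPPINGS))
```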

Creating an Enterprise Domain

An enterprise domain contains databases and enterprise roles. You create a new enterprise domain by giving a name to the new enterprise domain and defining where the enterprise domain is to be located in the directory.

To create an enterprise domain:

  1. Click Object > Create on the menu bar. The Create Directory Object dialog appears.


  2. In the Type menu, select Enterprise Domain.

  3. In the Name field, enter the name of the enterprise domain you want to create.

  4. In the Base field, Oracle Enterprise Security Manager fills in the name of the administrative context. If you want to use a different administrative context, you may change the value in this field. However, be careful to enter the name of a valid administrative context, that is, one that contains an Oracle Context.

  5. Click Create. The enterprise domain you just created appears at the bottom of the Enterprise Domains node.

  6. In the navigator pane, click the name of the enterprise domain you just created. The corresponding group of tab pages appear in the right pane.


  7. Select the All Databases trusted check box, if desired. This allows databases within the enterprise domain to have current user database links between each other.


    Note:

    Individual database administrators still have the capability to configure their databases to not trust other databases. 


You have now created an enterprise domain and can proceed to add databases to the enterprise domain you just created.

Adding a Database to an Enterprise Domain

At the completion of database installation, you directed Oracle Database Configuration Assistant to publish the database in the directory. Once you have created an enterprise domain, you can view a list of all databases registered in the directory, select a database from that list, and assign it to the enterprise domain you created.

A database should exist in only one enterprise domain at a time. Therefore, you should assign a database to an enterprise domain only if the database has a value of "Unassigned" on the Databases property page.

To assign a database to the enterprise domain:

  1. In the navigator pane, expand Administrative Context > Enterprise Domains.

  2. In the navigator pane, select the enterprise domain to which you want to add a database.

  3. In the right pane, in the Available window, select a database name.

  4. Click the down arrow to move the selected database to the Selected list.

  5. Click Apply.

You have added a database to an enterprise domain and can proceed to create an enterprise role in that enterprise domain.

See Also:

"Use Oracle Database Configuration Assistant to Register the Database in the Directory"

Creating an Enterprise Role within an Enterprise Domain

Once you have created an enterprise domain and added a database to it, you can create an enterprise role within the enterprise domain.

An enterprise role is a set of global roles that operate on multiple databases within an enterprise domain. An enterprise role is assigned to one or more enterprise users. The Enterprise Database Administrator uses these enterprise roles to assign sets of global roles on multiple databases to a selected user all at once.

You cannot create two enterprise roles with the same name within a single enterprise domain. You can, however, create enterprise roles with the same name in separate enterprise domains. Enterprise roles with the same name that exist in separate enterprise domains have no implied relationship.


Note:

The database obtains a user's global roles when the user logs in. If you change a user's global roles, those changes do not take effect until the next time the user logs in. 


To create an enterprise role in an enterprise domain:

  1. In the navigator pane, expand Administrative Context > Enterprise Domains and select the enterprise domain name. The corresponding group of tab pages appear in the right pane.

  2. On the menu bar, click Object > Create. The Create Directory Objects dialog box appears.


  3. In the Type menu, select Enterprise Role.

  4. In the Name field, enter the name of the enterprise role you want to create.

    Note that the directory base chosen for the new enterprise role derives from the currently selected enterprise domain. You cannot edit this value.

  5. Click Create.

  6. In the navigator pane, expand Enterprise Domains > enterprise_domain_name > Enterprise Roles.

  7. In the navigator pane, in the Enterprise Domains subtree, select the name of the enterprise role you just created. The corresponding group of tab pages appear in the right pane.


  8. Select the Global Roles tab.

  9. Select a database. The Database Login dialog box appears.


  10. Supply the correct information about the selected database. Click OK. The selected database roles appear in the Available Global Role(s) area.


    If no database service has been configured:

    1. In the Global Roles tab page, in the Selected Databases field, right-click the database name.

    2. Choose Reconnect.

    3. Specify a new service name.

  11. In the Available Role(s) field, select an available role.

  12. Click the down arrow button to move the role into the Selected Global Role(s) area.

  13. Repeat steps 9 through 12 for each database from which you want to select one or more roles.

  14. Click Apply.

You have created an enterprise role within an enterprise domain of databases and can assign this enterprise role to any enterprise user.

Assigning Enterprise Users to an Enterprise Role

To assign an enterprise user to an enterprise role:

  1. In the navigator pane, expand Administrative Context > Enterprise Domains > enterprise_domain_name > Enterprise Roles.

  2. In the navigator pane, select the enterprise role. The corresponding group of tab pages appears in the right pane.

  3. In the right pane, select the Enterprise Users/Groups tab.

  4. In the Available window, select the enterprise users you want to assign to the role.

  5. Click the down arrow button. The enterprise users appear in the Selected window.


  6. Click Apply. The enterprise users appear under the Enterprise Role node in the navigator pane.

Removing a Database from an Enterprise Domain

  1. In the navigator pane, expand Administrative Context > Enterprise Domains.

  2. In the navigator pane, select the name of the enterprise domain from which you want to remove a database.

  3. In the Databases tab page, in the Selected window, select the database you want to remove from the enterprise domain.

  4. Click the up button to move the database from the Selected window to the Available window.

  5. Click Apply.

Deleting an Enterprise Domain

You must delete all enterprise roles from the enterprise domain before you can delete the enterprise domain itself. Otherwise, a message window informs you that you must first delete one or more enterprise roles.

To delete an Enterprise Domain:

  1. In the navigator pane, expand Administrative Contexts > Enterprise Domains.

  2. In the navigator pane, select the name of the enterprise domain you want to delete.

  3. Click the Delete Object button to the left of the navigator pane.
    A window asks you to confirm the deletion.

  4. Click Yes.

  5. The selected enterprise domain is removed from the enterprise domains tree.

Administering Enterprise Users

This section discusses the following tasks:

  • Creating a New Enterprise User

  • Granting an Enterprise Role to an Enterprise User

  • Deleting an Enterprise User

Creating a New Enterprise User

Oracle Enterprise Security Manager allows you to create new enterprise users if the users do not already exist in the directory server. To do this:

  1. From the menu bar, select Object > Create. The Create Directory Object dialog box appears.

  2. In the Type menu, select Enterprise User.

  3. In the Name field, enter the name of the enterprise user you want to create.

  4. In the Base field, accept the default, or enter a new search base as described in "Browsing the Directory".

  5. Click Create. The enterprise user you created appears in the navigator pane under the Enterprise Users/Groups node. When you select the new enterprise user, the corresponding tab page appears in the right pane.


    Note:

    In the above procedure, the directory user entry that Oracle Enterprise Security Manager creates is associated with only the top and person object classes. If you want to associate that user entry with other object classes, you must do so in a separate procedure. 


Granting an Enterprise Role to an Enterprise User

Once you have created an enterprise user, you can assign enterprise roles to that user.

You can grant many enterprise roles to enterprise users, and these roles can exist in different enterprise domains. You can grant these roles in two ways: starting from the enterprise role, as described in "Assigning Enterprise Users to an Enterprise Role", or starting from the enterprise user, as described in this section.

When a database needs to authorize a global user, it searches the directory for those enterprise role(s) within its enterprise domain that are granted to that user.

To grant an enterprise role to an enterprise user:

  1. In the navigator pane, expand Administrative Context > Enterprise Users.

  2. Select the name of an enterprise user. The corresponding group of tab pages appears in the right pane.


  3. In the Available Enterprise Role(s) window, select an enterprise role you want to grant to the enterprise user.

  4. Click the down arrow button.

  5. The selected role is moved from the Available Role(s) list to the Selected Role(s) list.

  6. Click Apply.

Deleting an Enterprise User


Note:

You can delete an enterprise user only if that user has no enterprise roles.  


  1. Expand Administrative Context > Enterprise Users/Groups.

  2. Select the enterprise user you want to delete.

  3. On the menu bar, click Object > Delete. An alert asks you to confirm the deletion.


  4. Click Yes. The enterprise user is deleted from the tree in the navigator pane.

Managing Security Administrators

See Also:

"Oracle Context"

Use Oracle Enterprise Security Manager to define various administrators as described in the following sections:

  • Managing Database Security Administrators

  • Managing Database Installation Administrators

  • Managing Database Administrators

  • Managing Enterprise Domain Administrators

Managing Database Security Administrators

To manage database security administrators, you must be a member of the Database Security Administrators group.

To specify a user to be a database security administrator:

  1. In the navigator pane, select Administrative Contexts.

  2. In the right pane, select the Database Security Administrators tab.

    Enterprise user names appear in the Available field.


  3. Select the enterprise user you want to specify as an administrator.

  4. Click the down arrow to move the user to the Selected window.

  5. Click Apply.

Managing Database Installation Administrators

To manage database installation administrators, you must be a member of the Database Security Administrators group.

To specify a user to be a database installation administrator:

  1. In the navigator pane, select Administrative Contexts.

  2. In the right pane, select the Database Installation Administrators tab.

    Enterprise user names appear in the Available field.

  3. Select the enterprise user you want to specify as an administrator.

  4. Click the down arrow to move the user to the Selected window.

  5. Click Apply.

Managing Database Administrators

To manage database administrators, you must be either a member of the Database Security Administrators group or a database administrator for this particular database.

  1. In the navigator pane, expand Administrative Context > Database.

  2. Select the database for which you want to assign administrators. The corresponding group of tab pages appears in the right pane.

  3. Select the Database Administrators tab. The Available window displays user names of enterprise users available in the current user search base.


  4. Select the enterprise user you want to specify as an administrator.

  5. Click the down arrow to move the user to the Selected window.

  6. Click Apply.

Managing Enterprise Domain Administrators

To manage enterprise domain administrators, you must be either a member of the Database Security Administrators group or a domain administrator for this particular domain.

  1. In the navigator pane, expand Administrative Context > Enterprise Domains.

  2. Select the enterprise domain for which you want to assign administrators. The corresponding group of tab pages appears in the right pane.

  3. Select the Enterprise Domain Administrators tab. The Available window displays user names of enterprise users available in the current user search base.


  4. Select the enterprise user you want to specify as an administrator.

  5. Click the down arrow to move the user to the Selected window.

  6. Click Apply.


Copyright © 1999 Oracle Corporation.

All Rights Reserved.
