Oracle8i Administrator's Guide Release 2 (8.1.6) for Windows NT A73008-01
This chapter describes how to authenticate Oracle8i database users with Windows.
Specific topics discussed are:
The Oracle8i database can use Windows user login credentials to authenticate database users. The benefits include:
Windows native authentication methods (automatically installed with Net8 Server and Net8 Client) enable database user authentication through Windows NT or Windows 2000. This enables client computers to make secure connections to an Oracle8i database on a Windows NT or Windows 2000 server. The server then permits the user to perform the database actions on the server.
Note: This chapter describes using Windows native authentication methods with Windows NT 4.0 and Windows 2000. For information on the Secure Socket Layer (SSL) protocol and Oracle Internet Directory, see the Oracle Advanced Security Administrator's Guide and Oracle Internet Directory Administrator's Guide.
Windows native authentication methods work with Windows authentication protocols to enable access to your Oracle8i database. Kerberos is the default authentication protocol for Windows 2000. With Windows NT 4.0, NT LAN Manager (NTLM) is the default protocol.
Client computers do not need to specify an authentication protocol when attempting a connection to an Oracle8i database. Instead, the Oracle8i database determines the protocol to use, transparently to the user. The only Oracle requirement for the client is to ensure that SQLNET.AUTHENTICATION_SERVICES is set to NTS in the ORACLE_BASE\ORACLE_HOME\NETWORK\ADMIN\SQLNET.ORA file on both the client and database server (this is the default setting for both after installation). For Oracle7 Server and Oracle8 8.0 releases, you must manually set this value using Net8 Assistant.
Your Oracle8i database network likely includes client computers and database servers running different Windows operating system and Oracle software releases in different domains. For example, you may be running an Oracle 8.0.5 client installed on Windows 95 that connects to an Oracle 8.1.6 database installed on a Windows NT 4.0 computer that runs in a Windows 2000 domain. This combination of different releases means that the authentication protocol being used can vary.
This table lists the Oracle software and Windows operating system releases required to enable Kerberos to be the default authentication protocol used:
For The... | This Windows Software is Required... | This Oracle Software is Required... |
---|---|---|
Client Computer | | |
Database Computer | | |
Domain | | |
For all other combinations of Windows operating system and Oracle software releases used in your network, the authentication protocol used is NTLM.
This section describes how user login credentials are authenticated and database roles are authorized in Windows NT 4.0 or Windows 2000 domains. User authentication and role authorization are defined as follows:
In releases prior to 8.1.6, Oracle supported user authentication and role authorization in Windows NT 4.0 domains. This table provides descriptions of these basic features:
With release 8.1.6, enhancements have been made to support global user authentication and global role authorization with Windows native authentication in Windows 2000 domains using Active Directory. You map multiple enterprise users in a directory server to this global user. These enhancements are available to you only if you:
Enterprise user authentication is enabled by setting the OSAUTH_X509_NAME registry parameter to TRUE on the computer on which the Oracle8i database is running in a Windows 2000 domain. If this parameter is set to FALSE (the default setting) in a Windows 2000 domain, then the Oracle8i database authenticates the user as an external user (described in "External Users and Roles"). Setting this parameter to TRUE in a Windows NT 4.0 domain does not enable you to use enterprise users.
See "Enterprise User Authentication" for more information on using the OSAUTH_X509_NAME registry parameter.
The user authentication and role authorization methods to use depend upon your Oracle8i database environment:
The following sections describe external user authentication and external role authorization methods:
This table describes external user authentication features:
Feature | Description |
---|---|
User authentication | Authentication of external users is supported. External users are local users or domain users. External users must be created individually in each Oracle8i database that they need to access. External users can access the Oracle8i database without providing a user name or password. Use external users in environments where users do not need to access multiple databases. |
User authentication process | The Oracle8i database receives the client user credentials from the Windows authentication protocol and queries the data dictionary to determine if this is a valid user. If the user name is found, the Oracle8i database authenticates the user as an external user (with authorized external roles) and permits access. |
User administration tools | Use one of the following tools to authenticate external user names: |
Starting with Oracle release 8.1.5, external users created in the database were automatically prefixed with the domain name. For example, for a Windows NT user DOMAIN1\NTUSER1, the Oracle user created in the database is DOMAIN1\NTUSER1. If you want to create the Oracle user in the database without prefixing with the domain name, you first need to set the registry value OSAUTH_PREFIX_DOMAIN in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOMEID to FALSE.
Note that not prefixing the domain name is less secure. Therefore, if you migrate a database with external users to Oracle8i for Windows NT, you have two options:
This table describes external role authorization features:
The following sections describe enterprise user authentication and enterprise role authorization methods:
This table describes enterprise user authentication features:
Feature | Description |
---|---|
User authentication | Enterprise users are users created in a directory server (for example, Active Directory) who require access to multiple databases in an enterprise. To access these databases, enterprise users need to be defined in each database as a global user. For example, assume there is an enterprise user (cn=joe,cn=users,dc=acme,dc=com) who needs access to two databases: Sales and Marketing. This enterprise user must be defined in both databases as a global user. Most users do not need their own accounts in the database; they typically need to access only application schemas in a database. This is especially critical in an Internet environment, where a number of users access the same application and there is no need to create global users in the database for all enterprise users. In 8.1.6, you can create just one global user in the database and map multiple enterprise users in a directory server to this one global user with Oracle Enterprise Security Manager. See the Oracle Advanced Security Administrator's Guide for more information. |
User authentication process | Enterprise user authentication is enabled if you: |
User administration tools | Oracle Enterprise Security Manager (an integrated application included in Oracle Enterprise Manager) enables you to create enterprise users, roles, and domains. See the Oracle Advanced Security Administrator's Guide for more information on using this tool. |
Authentication protocol | Kerberos (if the Windows and Oracle releases match those listed in the table in "Windows Authentication Protocols"; otherwise, NTLM is used). |
This table describes enterprise role authentication features:
Feature | Description |
---|---|
Role authorization | Authorization of enterprise roles is supported with Oracle8i release 8.1.6. An enterprise role is a single role created in a directory server with Oracle Enterprise Security Manager. Use Oracle Enterprise Security Manager to assign multiple global roles and Windows 2000 global and universal users and groups located on multiple databases to this enterprise role. A global role is a role that must be created individually in each Oracle8i database. For example, an enterprise user can be granted the enterprise role "HR", which contains the global role "HR user" in the human resources database, and the global role "employee" in the corporate information database. If a user changes jobs, his enterprise role assignment is only changed in one place, altering his privileges in multiple databases throughout the enterprise. Also, an administrator can add capabilities to enterprise roles (granted to multiple users) without having to update the authorizations of each individual user. Use enterprise roles in environments where users assigned to these roles are located in many geographic regions and must access multiple databases. See the Oracle Advanced Security Administrator's Guide for more information on creating and storing enterprise roles in a directory server with Oracle Enterprise Security Manager. |
User permissions | The permissions authorized to a user are those assigned to the database of which they are a member. |
User groups | Users can belong to Windows 2000 global and universal groups. These groups can be assigned to enterprise roles. |
Perform the following tasks to integrate Oracle components with Active Directory. This enables you to take advantage of the new user authentication and role authorization described in "Enterprise Users and Roles". Note that these enhancements are only available if you are running in a Windows 2000 domain.
Step 1: Install and Configure Components
Read Chapter 4, "Using Oracle8i Directory Server Features with Active Directory" and the Oracle8i Installation Guide for Windows NT for information on pre-installation, installation, and configuration issues.
Step 2: Set the OSAUTH_X509_NAME Registry Parameter
Set the OSAUTH_X509_NAME registry parameter to enable client users to access the Oracle8i database as X.509-compliant enterprise users. This parameter is required only if you want to use enterprise users and roles.
To set the OSAUTH_X509_NAME registry parameter:
The Registry Editor window appears.
where ID is the Oracle home that you want to edit.
A String Editor dialog box appears.
The registry editor exits.
Step 3: Start and Use Oracle Enterprise Security Manager
Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains, and assign enterprise users and groups to enterprise roles.
Oracle Enterprise Security Manager is included as an integrated application with Oracle Enterprise Manager. See the Oracle Advanced Security Administrator's Guide for information on using this tool. The procedures below describe Windows-unique features for using Oracle Enterprise Security Manager in a Windows 2000 domain.
To use Oracle Enterprise Security Manager:
When you install your Oracle8i database, your Windows user name is automatically added to a Windows NT local group called ORA_DBA. The ORA_DBA local group is:
This enables you to:
There are two methods for administering external users and roles:
Both methods can also administer external users and roles in Windows 2000 domains, but cannot be used to administer enterprise users and roles. See "Administering Enterprise Users and Roles" for more information on tools available for administering enterprise users and roles.
Note:
Oracle Administration Assistant for Windows NT is a GUI tool that runs from the Microsoft Management Console. Oracle Administration Assistant for Windows NT enables you to configure the following Oracle database users and roles to be authenticated by the Windows operating system:
Oracle Administration Assistant for Windows NT eliminates the need to manually:
This section describes how to perform the following tasks with Oracle Administration Assistant for Windows NT:
When you use Oracle Administration Assistant for Windows NT for the first time, it adds the local computer in the navigation tree. You can then add other computers.
To add a computer to the Microsoft Management Console tree:
The Microsoft Management Console starts.
The Computer icon appears.
The Add Computer dialog box appears.
You can now authenticate database administrators and operators for all instances on the computer.
You can grant database administrator (SYSDBA) and database operator (SYSOPER) privileges to DBAs for all databases on a computer.
To grant privileges for all databases on a computer:
Oracle Administration Assistant for Windows NT starts.
If You Want to Grant... | Then... |
---|---|
Database administrator (SYSDBA) privileges | |
Database operator (SYSOPER) privileges | |
To grant administrator (SYSDBA) privileges for all databases on a computer:
The OS Database Administrators - Computer for hostname dialog box appears:
The user now appears in the OS Database Administrators - Computer window.
To grant operator (SYSOPER) privileges for all databases on a computer:
The OS Database Operators - Computer for hostname dialog box appears:
The user now appears in the OS Database Operators - Computer window.
Once you connect to a database, you can perform additional authentication tasks:
To connect to a database:
If you connect to the Oracle database, the following Windows NT nodes appear beneath the instance. If these nodes do not appear, double-click the instance.
This Node... | Enables You To... | For More Information... |
---|---|---|
External OS Users | Authenticate a Windows NT user to access the Oracle database as an external user without being prompted for a password. External users are typically regular database users (non-database administrators) to which you assign standard database roles (such as CONNECT and RESOURCE), but do not want to assign SYSDBA (database administrator) or SYSOPER (database operator) privileges. | See "Creating a Nonprivileged Database User (External User)" |
Local Roles | Create a role and have it managed by the database. Once a local role is created, you can grant or revoke that role to a database user. | |
External OS Roles | Create an external role and have it managed by the Windows operating system. Once an external role is created, you can grant or revoke that role to a database user. | |
OS Database Administrators | Authenticate a Windows NT user with SYSDBA privileges for a specific instance on a computer. | See "Granting Administrator and Operator Privileges for a Single Database" |
OS Database Operators | Authenticate a Windows NT user with SYSOPER privileges for a specific instance on a computer. | See "Granting Administrator and Operator Privileges for a Single Database" |
When connecting to a local computer, Oracle Administration Assistant for Windows NT first tries to connect as a SYSDBA to the database using the Bequeath networking protocol. When connecting to a remote computer, Oracle Administration Assistant for Windows NT tries to connect using Windows native authentication as a SYSDBA to the database using the TCP/IP networking protocol (ports 1521 and 1526). If it is unsuccessful, the following dialog boxes appear and prompt you to enter information to connect to the database:
To view database authentication parameter settings:
Parameter | Description |
---|---|
OS_AUTHENT_PREFIX | OS_AUTHENT_PREFIX is an INIT.ORA file parameter that authenticates external users attempting to connect to the Oracle database with the user's Windows NT user name and password. The value of this parameter is attached to the beginning of every user's Windows user name. By default, the parameter is set to none ("") during Oracle8i database creation. Create Oracle users in the database without the prefix OPS$, which was needed for Oracle7 and Oracle8 8.0.x. Therefore, a Windows domain user name of FRANK is authenticated as user name FRANK. You can set this parameter to an appropriate value. For example, if you set this parameter to XYZ, the Windows NT domain user FRANK is authenticated as user XYZFRANK. |
OS_ROLES | OS_ROLES is an INIT.ORA file parameter that, if set to TRUE, enables the Windows NT operating system to manage the authorization of external roles for database users. By default, OS_ROLES is set to FALSE. You must set OS_ROLES to TRUE and restart your Oracle database before you can create external roles. If OS_ROLES is set to FALSE, the Oracle database manages the granting and revoking of roles for database users. See section "Understanding the OS_ROLES Parameter" for more information. |
OS_ROLES is a parameter in the INIT.ORA file that, if set to TRUE, enables the Windows NT operating system to manage the authorization of external roles for database users. You must set OS_ROLES to TRUE and restart your Oracle database before you can create external roles.
If OS_ROLES is set to FALSE, the Oracle database manages the granting and revoking of roles for database users.
If OS_ROLES is set to TRUE and you assign an external role to an NT global group, it is granted only at the global group level, and not at the level of the individual user in this global group. This means that you cannot revoke or edit the external role assigned to an individual user in this global group through the Roles tab of the Domain\User Name Properties dialog box at a later time. Instead, you must use the Assign External OS Roles to an NT Global Group field in the dialog box to revoke the external role from this global group (and therefore all its individual users).
External roles assigned to an individual domain user or local roles (with OS_ROLES set to FALSE) assigned to an individual domain user or NT global group are not affected by this issue, and can be edited or revoked.
If OS_ROLES is set to TRUE, you cannot grant local roles in the database to any database user. You must grant the roles through Windows NT. See "Creating a Local Database Role" and "Creating an External Role" for more information.
You can create a nonprivileged database user (external user).
To create a nonprivileged database user:
The Create External OS User Wizard starts:
The user now appears in the New External OS Users window.
The assigned properties appear.
You can create a local database role.
To create a local database role:
The Create Local Role wizard appears:
The Granted System Privileges field displays the list of system privileges granted to the local role. To revoke a system privilege, make an appropriate selection, then click Revoke.
The Granted Roles field displays the list of roles granted to the role. Both local roles and external roles can appear in this list. To revoke roles, make appropriate selections, then click Revoke.
You can create external roles.
To create an external role:
The Granted Roles field displays the list of roles granted to the external role.
You can grant database administrator (SYSDBA) and database operator (SYSOPER) privileges to DBAs for a single database on a computer.
To grant privileges for a single database:
Several icons, including OS Database Administrators and OS Database Operators, appear:
If You Want to Grant... | Then... |
---|---|
Database administrator (SYSDBA) privileges | |
Database operator (SYSOPER) privileges | |
To grant administrator (SYSDBA) privileges for a single database:
The OS Database Administrators for instance dialog box (MARK in this example) appears:
To grant operator (SYSOPER) privileges for a single database:
The OS Database Operators for instance dialog box (MARK in this example) appears:
The user now appears in the OS Database Operators window.
Manual configuration involves using Oracle command line tools, editing the registry with REGEDT32, and creating local groups in Windows NT User Manager. This enables you to:
This section describes:
This section describes how to authenticate nonprivileged database users (nondatabase administrators) using Windows NT so that a password is not required when accessing the database. When you use Windows NT to authenticate nonprivileged database users, your database relies solely on Windows NT to restrict access to database user names. In the steps below, the following Windows NT user names are authenticated:
The local and domain user name FRANK and the domain SALES are used in the steps below. Substitute the appropriate local and domain user name and domain name for your environment.
Follow the steps below to connect without a password as a nonprivileged database user:
To perform authentication tasks on an Oracle8i database server:
The OS_AUTHENT_PREFIX value is prefixed to local or domain user names attempting to connect to the server with the user's operating system name and password. The prefixed user name is compared with the Oracle user names in the database when a connection request is attempted. Using the OS_AUTHENT_PREFIX parameter with Windows native authentication methods is the recommended method for performing secure, trusted client connections to your server.
The parameter value XYZ is used in the steps below. Substitute XYZ with the value you set for OS_AUTHENT_PREFIX.
C:\> REGEDT32
The Add Value dialog box appears:
The String Editor dialog box appears:
TRUE enables the server to differentiate between multiple FRANK user names, whether they are local user FRANK, domain user FRANK on SALES, or domain user FRANK on another domain in your network. Entering FALSE causes the domain to be ignored and local user FRANK to become the default value of the operating system user returned to the server.
The Registry Editor adds the parameter.
The Registry Editor exits.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT
Enter user-name: SYSTEM/PASSWORD
Unless you have changed it, the SYSTEM password is MANAGER by default.
If Authenticating a... | Then Enter... |
---|---|
Local user name | |
Domain user name | |
If Authenticating a... | Then Enter... |
---|---|
Local user name | |
Domain user name 1 | |

1 Enter the syntax for domain users in uppercase and with double quotes around the domain user name.
SQL> CONNECT INTERNAL
SQL> SHUTDOWN
SQL> STARTUP
This causes the change to the OS_AUTHENT_PREFIX parameter value to take effect.
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT /@NET_SERVICE_NAME
where NET_SERVICE_NAME is the Net8 network service name for the Oracle8i database that you created in Step 3.
The Oracle8i database searches the data dictionary for an automatic login user name corresponding to the Windows NT local or domain user name, verifies it, and allows you to connect as XYZFRANK or XYZSALES\FRANK.
SQL> SELECT * FROM USER_ROLE_PRIVS;
which outputs for local user FRANK:
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZFRANK                       CONNECT                        NO  YES NO
XYZFRANK                       RESOURCE                       NO  YES NO
2 rows selected.
or, for domain user FRANK:
USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
XYZSALES\FRANK                 CONNECT                        NO  YES NO
XYZSALES\FRANK                 RESOURCE                       NO  YES NO
2 rows selected.
As the Oracle8i user name is the whole name XYZFRANK or XYZSALES\FRANK, all objects created by XYZFRANK or XYZSALES\FRANK (that is, tables, views, indexes, and so on) are prefixed by this name. For another user to reference the table SHARK owned by XYZFRANK, for example, the user must enter:
SQL> SELECT * FROM XYZFRANK.SHARK;
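The name mapping used in this section, and why dropping the domain prefix is less secure, shown as an added example (not Oracle's code). It models only the rule described in this guide (OS_AUTHENT_PREFIX followed by [DOMAIN\]USER, in uppercase); the HR domain and the JANE account are constructed sample values.

```python
import re
from collections import defaultdict


def oracle_user_name(account, os_authent_prefix="", prefix_domain=True):
    r"""Return the Oracle user name the server looks up for a Windows account.

    account is "USER" for a local user or "DOMAIN\USER" for a domain user.
    prefix_domain models the OSAUTH_PREFIX_DOMAIN registry value.
    """
    domain, sep, user = account.rpartition("\\")
    if not user or (sep and not domain):
        raise ValueError(f"malformed Windows account name: {account!r}")
    # With OSAUTH_PREFIX_DOMAIN = FALSE the domain part is ignored entirely.
    name = f"{domain}\\{user}" if (prefix_domain and domain) else user
    return (os_authent_prefix + name).upper()


def find_collisions(accounts, os_authent_prefix="", prefix_domain=True):
    """Return {oracle_name: [windows accounts]} for names shared by 2+ accounts.

    Every account in such a list connects as the same database user.
    """
    by_name = defaultdict(list)
    for account in accounts:
        name = oracle_user_name(account, os_authent_prefix, prefix_domain)
        by_name[name].append(account)
    return {name: accts for name, accts in by_name.items() if len(accts) > 1}


def create_user_sql(account, os_authent_prefix="", prefix_domain=True):
    """Build the CREATE USER statement for an externally identified user."""
    name = oracle_user_name(account, os_authent_prefix, prefix_domain)
    if '"' in name:
        raise ValueError("a double quote cannot appear in a quoted identifier")
    # Names containing a backslash (domain users) must be double-quoted;
    # plain upper-case identifiers can be written without quotes.
    simple = re.fullmatch(r"[A-Z][A-Z0-9_$#]*", name) is not None
    ident = name if simple else f'"{name}"'
    return f"CREATE USER {ident} IDENTIFIED EXTERNALLY;"


# Constructed sample: three different Windows identities named FRANK.
SAMPLE_ACCOUNTS = ["FRANK", "SALES\\FRANK", "HR\\FRANK", "SALES\\JANE"]

if __name__ == "__main__":
    for flag in (True, False):
        print(f"OSAUTH_PREFIX_DOMAIN = {str(flag).upper()}")
        for account in SAMPLE_ACCOUNTS:
            print("  ", account, "->", oracle_user_name(account, "XYZ", flag))
        print("   collisions:", find_collisions(SAMPLE_ACCOUNTS, "XYZ", flag))
    print(create_user_sql("SALES\\FRANK", "XYZ"))
```

With the domain prefix disabled, all three FRANK accounts resolve to XYZFRANK, so the database cannot tell them apart.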
This section describes how to enable Windows NT to grant the database administrator (SYSDBA) and database operator (SYSOPER) privileges to DBAs. This enables DBAs to issue the following commands from a client computer and connect to the Oracle8i database without entering a password:
To enable this feature, the Windows NT local or domain user name of the client must belong to one of the following four Windows NT local groups on the server:
Local Group | This Local Group Includes All... |
---|---|
ORA_OPER | SYSOPER database privileges; applicable for all databases on a computer. |
ORA_DBA 1 | SYSDBA database privileges; applicable for all databases on a computer. |
ORA_SID_DBA | SYSDBA database privileges; applicable only for a single database on a computer (identified by the SID). |
ORA_SID_OPER | SYSOPER database privileges; applicable only for a single database on a computer (identified by the SID). |

1 ORA_DBA is automatically created during installation. See section "Automatically Enabling Operating System Authentication During Installation" for information.
The SYSOPER and SYSDBA privileges are mapped to the following Windows NT local groups:
This Privilege... | Maps to the Local Group... |
---|---|
SYSOPER | ORA_SID_OPER, ORA_OPER |
SYSDBA | ORA_SID_DBA, ORA_DBA, ORA_SID_OPER, ORA_OPER |
Follow the steps below to connect as SYSOPER or SYSDBA without a password:
To perform authentication tasks on the Oracle8i database server:
The New Local Group dialog box appears.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
where NET_SERVICE_NAME is the Net8 network service name for the Oracle8i database that you created in Step 3.
If The Local Group Is... | Then Enter... |
---|---|
ORA_DBA or ORA_SID_DBA |
|
|
or |
|
|
ORA_OPER or ORA_SID_OPER |
|
You are connected to the Windows NT server. If you connect with SYSDBA, you are given DBA privileges.
This section describes how to connect as INTERNAL without a password. If you installed your Oracle8i database, your Windows NT user name was automatically added to a Windows NT local group called ORA_DBA. This enables you to automatically connect as INTERNAL without a password. However, if you (or the user to whom you want to assign this feature) did not install your Oracle8i database, then you must follow the instructions in this section.
To connect as INTERNAL without a password, you must create one of the following new local Windows NT user groups and add a Windows NT operating system local or domain user to that group.
Local Group | This Local Group Includes All... |
---|---|
ORA_DBA 1 | SYSDBA database privileges. This group is applicable for all SIDs. |
ORA_SID_DBA | SYSDBA database privileges. This group is applicable only for the SID specified in the name. |

1 ORA_DBA is automatically created during installation. See section "Automatically Enabling Operating System Authentication During Installation" for information.
This enables you to log into a local computer or a Windows NT domain. In the domain, your Oracle8i database is just one of many resources to which you have access. Once you access this domain, you are automatically validated as an authorized DBA who can access the Oracle8i database without a password.
Follow the steps below to connect as INTERNAL without a password:
To perform authentication tasks on the Oracle8i database server:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
The New Local Group dialog box appears.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
where NET_SERVICE_NAME is the Net8 network service name for the Oracle8i database that you created in Step 3.
SQL> CONNECT INTERNAL
You are connected to the Windows NT server.
This section describes how to grant Oracle8i database roles to users directly through Windows NT (known as external roles). When you use Windows NT to authenticate users, Windows NT local groups can grant these users external roles. Through User Manager, you can create, grant, or revoke external roles to users.
All privileges for these roles are active when the user connects. When using external roles, all roles are granted and managed through the operating system. You cannot use both external roles and Oracle roles at the same time. For example:
If You... | Then... |
---|---|
You only receive the roles granted to DTMSDOM\FRANK, and not the roles granted to SCOTT. |
|
|
Follow the steps below to grant external roles with Windows NT:
To perform authentication tasks on the Oracle8i database server:
The default setting for this parameter is FALSE.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> CONNECT INTERNAL
SQL> CREATE ROLE DBSALES3 IDENTIFIED EXTERNALLY;
where DBSALES3 is the name of the role for these steps. Substitute a role name appropriate to your database environment.
SQL> GRANT DBA TO DBSALES3 WITH ADMIN OPTION;
SQL> GRANT RESOURCE TO DBSALES3 WITH ADMIN OPTION;
SQL> GRANT CONNECT TO DBSALES3 WITH ADMIN OPTION;
SQL> CONNECT INTERNAL
SQL> SHUTDOWN
SQL> STARTUP
The New Local Group dialog box appears:
ORA_SID_ROLENAME [_D] [_A]
where:
For this example, ORA_ORCL_DBSALES3_D is entered.
The Add Users and Groups dialog box appears:
Your selection is added to the Members field of the New Local Group dialog box:
You can convert additional database roles to several possible Windows NT groups, as shown in the following table. Then, users connecting to the ORCL instance in this example and authenticated by Windows NT as members of these Windows NT local groups have the privileges associated with DBSALES3 and DBSALES4 by default (because of the _D option). DBSALES1 and DBSALES2 are available for use by the user if they first connect as members of DBSALES3 or DBSALES4 and use the SET ROLE command. If a user tries to connect with DBSALES1 or DBSALES2_A without first connecting with a default role, they are unable to connect. Additionally, users can grant DBSALES2 and DBSALES4 to other roles.
Database Roles | Windows NT Groups |
---|---|
DBSALES1 | ORA_ORCL_DBSALES1 |
DBSALES2 | ORA_ORCL_DBSALES2_A |
DBSALES3 | ORA_ORCL_DBSALES3_D |
DBSALES4 | ORA_ORCL_DBSALES4_DA |
To perform authentication tasks on the client computer:
SQLNET.AUTHENTICATION_SERVICES = (NTS)
C:\> SQLPLUS
SQL> SET INSTANCE NET_SERVICE_NAME
where NET_SERVICE_NAME is the Net8 service name for the Oracle8i database that you created in Step 3.
SQL> CONNECT SCOTT/TIGER
You are connected to the Windows NT server over Net8 with the Oracle user name SCOTT/TIGER. The roles applied to the Oracle user name SCOTT consist of all roles defined for the Windows NT user name that were mapped to the database roles above (in this case, ORA_DBSALES3_D). All roles available under an authenticated connection are determined by the Windows NT user name and the Oracle-specific Windows NT local groups to which the user belongs (for example, ORA_SID_DBSALES1 or ORA_SID_DBSALES4_DA).
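To review which database roles a Windows account receives through its local groups, the ORA_SID_ROLENAME [_D] [_A] convention can be parsed as below. This is an added example, not Oracle's code: it reads _D as a default role and _A as ADMIN OPTION, consistent with the DBSALES table above, and the group membership list is a constructed sample.

```python
import re


def privilege_groups(sid):
    """Local groups the guide reserves for SYSDBA/SYSOPER, keyed by upper-case name."""
    sid = sid.upper()
    return {
        "ORA_DBA": "SYSDBA (all databases)",
        "ORA_OPER": "SYSOPER (all databases)",
        f"ORA_{sid}_DBA": f"SYSDBA ({sid} only)",
        f"ORA_{sid}_OPER": f"SYSOPER ({sid} only)",
    }


def parse_role_group(group, sid):
    """Parse ORA_<SID>_<ROLENAME>[_D][_A] into (role, is_default, has_admin).

    Returns None for groups of another SID, groups outside the convention,
    and the reserved privilege groups.
    """
    name = group.upper()  # Windows group names are not case-sensitive
    if name in privilege_groups(sid):
        return None  # ORA_<SID>_DBA is a SYSDBA group, not a role named DBA
    # A trailing _D, _A or _DA is always read as an option suffix, so a role
    # whose own name ends that way cannot be told apart from the group name.
    pattern = rf"ORA_{re.escape(sid.upper())}_(.+?)(?:_(DA|D|A))?"
    match = re.fullmatch(pattern, name)
    if match is None:
        return None
    options = match.group(2) or ""
    return match.group(1), "D" in options, "A" in options


def summarize(groups, sid):
    """Classify one account's local groups for the instance identified by sid."""
    reserved = privilege_groups(sid)
    result = {"privileges": [], "default_roles": [], "settable_roles": [],
              "grantable_roles": [], "ignored": []}
    for group in groups:
        if group.upper() in reserved:
            result["privileges"].append(reserved[group.upper()])
            continue
        parsed = parse_role_group(group, sid)
        if parsed is None:
            result["ignored"].append(group)
            continue
        role, is_default, has_admin = parsed
        key = "default_roles" if is_default else "settable_roles"
        result[key].append(role)
        if has_admin:
            result["grantable_roles"].append(role)
    # Per the guide, non-default roles are usable only after connecting with
    # a default role, so roles without any _D group block the connection.
    result["connect_blocked"] = (bool(result["settable_roles"])
                                 and not result["default_roles"])
    return result


# Constructed sample: local groups of one Windows account on the server.
SAMPLE_GROUPS = ["ORA_ORCL_DBSALES1", "ORA_ORCL_DBSALES2_A",
                 "ORA_ORCL_DBSALES3_D", "ORA_ORCL_DBSALES4_DA",
                 "ORA_ORCL_DBA", "Users", "ORA_PROD_DBSALES9_D"]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_GROUPS, "ORCL").items():
        print(f"{key}: {value}")
```

Roles listed under grantable_roles and any entry under privileges are the memberships to review first, because they are controlled entirely from Windows group administration.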
Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains. Oracle Enterprise Security Manager is included as an integrated application of the Oracle Enterprise Manager Console. See the Oracle Advanced Security Administrator's Guide for more information on using Oracle Enterprise Security Manager.
Note: You can administer external users and roles in Windows 2000 domains, but you cannot use Oracle Enterprise Security Manager to perform this administration. See "Administering External Users and Roles" for more information on tools available for administering external users and roles.

Copyright © 2000 Oracle Corporation. All Rights Reserved.