5 Administering Enterprise User Security
5.1 Administering Identity Management Realms
An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. A realm Oracle Context is a subtree in a directory identity management realm that contains the data used by any installed Oracle product that uses the directory.
You can set properties of an identity management realm using Oracle Internet Directory tools like the Oracle Internet Directory Self-Service Console.
The Oracle Enterprise Manager Web interface enables you to manage Enterprise User Security related entries in an identity management realm.
Note:
Do not create users within a realm Oracle Context.
See Also:
-
"How Oracle Internet Directory Implements Identity Management" for a discussion about identity management realms and realm Oracle Contexts and how they are related to one another
-
"About Enterprise User Security Directory Entries" for a discussion on the Oracle Internet Directory entries that are used for Enterprise User Security
5.1.1 Identity Management Realm Versions
Enterprise User Security can only use an identity management realm supplied by Oracle Internet Directory 10g (9.0.4), or later, which ships with Oracle Application Server 10g (9.0.4), or later.
You can manage Enterprise User Security directory entries in a version 9.0.4 (or later) identity management realm by using Oracle Enterprise Manager for Oracle Database.
5.1.2 Setting Properties of an Identity Management Realm
An identity management realm has a number of properties that can be viewed and managed by using Oracle Internet Directory tools like the Oracle Internet Directory Self-Service Console. These properties are described in Table 5-1.
Table 5-1 Identity Management Realm Properties
Property | Description |
---|---|
Attribute for Login Name |
Name of the directory attribute used to store login names. By default, login names are stored in the |
Attribute for Kerberos Principal Name |
Name of the directory attribute used to store Kerberos principal names. By default, Kerberos principal names are stored in the |
User Search Base |
Full distinguished name (DN) for the node at which enterprise users are stored in the directory. |
Group Search Base |
Full DN for the node at which user groups are stored for this identity management realm in the directory. |
Version Compatibility |
This property is no longer used. However, you should ensure that it is not set to |
Note:
Each identity management realm includes an orcladmin
user who is the root user of that realm only. These realm-specific orcladmin
users are represented by the directory entries cn=orcladmin,cn=Users,
realm_DN
. Note that when you are logged in to Enterprise User Security administration tools as a realm-specific orcladmin
user, then you can manage only directory objects for that realm. To manage objects in another realm, you must log in to administration tools as the orcladmin
user for that realm.
This sections includes the following topic: Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes.
5.1.2.1 Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes
Setting these identity management realm attributes enables the database to locate Enterprise User Security entries.
To set Login Name, Kerberos Principal Name, User Search Base, and Group Search Base identity management realm attributes:
See Also:
Oracle Identity Management Guide to Delegated Administration for detailed information on using the Oracle Internet Directory Self-Service Console
5.1.3 Setting the Default Database-to-Directory Authentication Type for an Identity Management Realm
The initial value for the LDAP_DIRECTORY_ACCESS
parameter is picked from the default database-to-directory authentication attribute setting at the realm level. This parameter is set on individual databases when they are registered in Oracle Internet Directory.
The Oracle Enterprise Manager interface enables you to set the authentication mechanism that the database uses to authenticate to Oracle Internet Directory. The authentication mechanism can be set to password or SSL.
To set the default database-to-directory authentication type for an identity management realm:
5.1.4 Managing Identity Management Realm Administrators
An identity management realm contains administrative groups that have varying levels of privileges. The administrative groups for an identity management realm, which pertain to Enterprise User Security, are defined in Table 5-2. For more information about these groups, see "Administrative Groups".
Table 5-2 Enterprise User Security Identity Management Realm Administrators
Administrative Group | Definition |
---|---|
Oracle Database Registration Administrators (OracleDBCreators) |
Registers new databases in the realm. |
Oracle Database Security Administrators (OracleDBSecurityAdmins) |
Has all privileges on the OracleDBSecurity directory subtree. Creates, modifies, and can read all Enterprise User Security directory objects. |
Oracle Context Administrators (OracleContextAdmins) |
Has full access to all groups and entries within its associated realm. |
User Security Administrators (OracleUserSecurityAdmins) |
Has relevant permissions necessary to administer security aspects for enterprise users in the directory. For example, OracleUserSecurityAdmins can modify user passwords. |
To manage identity management realm administrators:
5.2 Administering Enterprise Users
5.2.1 Creating New Enterprise Users
You can use Oracle Internet Directory tools like the Oracle Internet Directory Self-Service Console to create users in the directory.
Note:
Before creating new enterprise users, you must first define the user search base in the directory and also verify the user create base. See "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes"
To create new enterprise users:
Note:
Note that if your users are authenticated to the database by using Kerberos credentials, and the krbPrincipalName
attribute is not there, then see "Task 1: Configure Oracle Internet Directory Self-Service Console to display the Kerberos principal name attribute" for information about how to configure this.
5.2.2 Setting Enterprise User Passwords
You can use Oracle Internet Directory Self-Service Console to set and maintain enterprise user passwords in Oracle Internet Directory.
The enterprise user password is used for:
-
Directory logon
-
Database logon, to databases that support password authentication for global users
To set the password for an enterprise user:
5.2.3 Granting Enterprise Roles to Enterprise Users
Enterprise roles are directory objects that allow you to group global roles from various databases. You can assign enterprise roles to enterprise users, which gives them privileges across enterprise databases.
To grant enterprise roles to enterprise users:
5.2.4 Granting Proxy Permissions to Enterprise Users
Proxy permissions allow an enterprise user to proxy a local database user, which means that the enterprise user can log in to the database as the local database user. You can grant proxy permissions to individual users or groups. Proxy permissions are especially useful for middle tier applications that operate across multiple databases as enterprise users.
Proxy permissions are created at the enterprise domain level. After creating a proxy permission for an enterprise domain, you can grant it to an enterprise user.
To grant proxy permissions to enterprise users:
5.2.5 Creating User-Schema Mappings for Enterprise Users
A user-schema mapping maps an enterprise user to a global database schema. When the enterprise user logs in to the database, he is connected to the mapped schema, by default.
To create a user-schema mapping:
5.2.6 Creating Label Authorizations for Enterprise Users
An Oracle Label Security (OLS) policy stored in the directory can have multiple profiles associated with it. Each profile is a set of policy authorizations and privileges. These policy authorizations and privileges apply to all enterprise users who belong to the profile. You can assign a profile to an enterprise user.
To assign label authorizations to an enterprise user:
5.3 Configuring User-Defined Enterprise Groups
User-defined enterprise groups help group together enterprise users that require the same roles or privileges across enterprise databases. Enterprise groups are stored in the directory.
This section includes the following topic: Granting Enterprise Roles to User-Defined Enterprise Groups.
5.3.1 Granting Enterprise Roles to User-Defined Enterprise Groups
Enterprise roles are directory objects that allow you to group global roles from various databases. You can assign an enterprise role to an enterprise group, which gives the group members privileges across enterprise databases.
To grant an enterprise role to an enterprise group:
5.4 Configuring Databases for Enterprise User Security
Enterprise User Security for databases registered with Oracle Internet Directory can be configured using Enterprise Manager. You can map users or subtrees to database schemas. You can also configure administrators in the directory that can modify schema mappings and enterprise domain membership of the database.
5.4.1 Creating User-Schema Mappings for a Database
A user-schema mapping maps an enterprise user to a global schema in the database. When the enterprise user logs in to the database, he is connected to the mapped schema, by default.
To create a user-schema mapping:
5.5 Administering Enterprise Domains
Enterprise Domains are groups of databases that can share enterprise roles, proxy permissions, user-schema mappings, current user database links, and permitted authentication mechanisms. A database can belong to only one enterprise domain.
An enterprise domain can be thought of as an administrative domain, administered by the Domain Admins group for that domain. These administrators can add databases to the enterprise domain.
An identity management realm contains an enterprise domain called OracleDefaultDomain
. OracleDefaultDomain
is part of the realm when it is first created in the directory. When a new database is registered into a realm, it automatically becomes a member of OracleDefaultDomain
in that realm. You can create and remove your own enterprise domains, but you must not remove OracleDefaultDomain
from a realm.
5.5.1 Creating an Enterprise Domain
An enterprise domain is an administrative domain of databases that can share enterprise roles, proxy permissions, user-schema mappings, current user database links, and permitted authentication mechanisms.
If you do not want to use OracleDefaultDomain
, then you can create a new enterprise domain in your identity management realm.
To create an enterprise domain:
5.5.2 Adding Databases to an Enterprise Domain
A member of the Domain Admins group can add databases to the enterprise domain. You can add databases to an enterprise domain from the Configure Domain page. You can also add databases from the Create Domain page, if you are creating a new enterprise domain.
Note:
The following restrictions apply to adding databases to an enterprise domain:
-
You can add a database to an enterprise domain only if both the database and the enterprise domain exist in the same realm.
-
A database cannot be added as a member of two different enterprise domains.
To add databases to an enterprise domain:
5.5.3 Creating User-Schema Mappings for an Enterprise Domain
A user-schema mapping maps an enterprise user to a global schema in the database. When the enterprise user logs in to the database, he is connected to the mapped schema, by default.
When you create a user-schema mapping for an enterprise domain, it applies to all databases in the domain. However, for the mapping to be effective in a database, that database must have a schema with the name used in the mapping.
To create a user-schema mapping for an enterprise domain:
5.5.4 Configuring Enterprise Roles
An enterprise domain within an identity management realm can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain.
Enterprise roles allow you to group global roles from different databases that are part of the enterprise domain. Enterprise roles can be assigned to enterprise users.
To create enterprise roles:
-
Log in to Enterprise Manager Cloud Control, as an administrative user.
-
To navigate to your database, select Databases from the Targets menu.
-
Click the database name in the list that appears. The database page appears.
-
Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.
-
Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.
The Enterprise User Security page appears.
-
Click Manage Enterprise Domains.
The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.
-
Select the enterprise domain that you wish to configure. Click Configure.
The Configure Domain page appears.
-
Click the Enterprise Roles tab.
-
Click Create to create a new enterprise role.
The Create Enterprise Role page appears.
-
Enter a name for the enterprise role in the Name field. Click Continue.
The new role is displayed in the Configure Domain page.
Next, you can configure the enterprise role that you just created. Configuring an enterprise role includes adding database global roles to the enterprise role and assigning the enterprise role to enterprise users or groups.
To add database global roles to the enterprise role:
-
Select the enterprise role that you just created in the Configure Domain page. Click Edit.
The Edit Enterprise Role page is displayed.
-
Make sure that the DB Global Roles tab is selected. Click Add to add global roles from databases that are part of the enterprise domain.
The Search and Select Database Global Roles page appears.
-
Select the Database that contains the global roles you wish to add. Log in to the selected database by supplying a User Name and Password. Click Go.
-
Select the global roles to add. Click Select.
The selected roles appear in the Edit Enterprise Role page.
-
Repeat Steps 2 to 4 for the other databases.
You can now assign the enterprise role to enterprise users or groups.
To assign the enterprise role to enterprise users or groups:
5.5.5 Configuring Proxy Permissions
Proxy permissions are created at the enterprise domain level. Proxy permissions allow an enterprise user to proxy a local database user, which means that the enterprise user can log in to the database as the local database user. You can grant proxy permissions to individual enterprise users or groups. Proxy permissions are especially useful for middle tier applications that operate across multiple databases as enterprise users.
To create a proxy permission for an enterprise domain:
-
Log in to Enterprise Manager Cloud Control, as an administrative user.
-
To navigate to your database, select Databases from the Targets menu.
-
Click the database name in the list that appears. The database page appears.
-
Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.
-
Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.
The Enterprise User Security page appears.
-
Click Manage Enterprise Domains.
The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.
-
Select the enterprise domain that you wish to configure. Click Configure.
The Configure Domain page appears.
-
Click the Proxy Permissions tab.
-
Click Create to create a new proxy permission.
The Create Proxy Permission page appears.
-
Enter the name for the proxy permission in the Name field. Click Continue.
The proxy permission appears in the Configure Domain page.
Next, you need to add target database users for the permission. You also need to grant the permission to enterprise users or groups, who can then proxy the target database users.
To add target database users for the proxy permission:
-
Select the proxy permission that you just created in the Configure Domain page. Click Edit.
The Edit Proxy Permissions page appears.
-
Ensure that the Target DB Users tab is selected. Click Add.
The Search and Select window appears. A list of all database users that have been altered to allow enterprise user proxy is displayed.
-
Select the target database users that you wish to proxy. Click Select.
You can now grant the proxy permission to enterprise users or groups.
To grant the proxy permission to an enterprise user or group:
5.5.6 Configuring User Authentication Types and Enabling Current User Database Links
Enterprise users can be authenticated using password authentication, SSL authentication, or Kerberos authentication. You can set the authentication modes that are allowed for an enterprise domain using Enterprise Manager. You can also enable current user database links for databases in the enterprise domain. These links enable databases to trust each other to authenticate users.
To configure user authentication types and enable current user database links:
5.5.7 Configuring Domain Administrators
Domain administrators have full privileges in the domain. They can add or remove databases to the domain, create user-schema mappings, manage proxy permissions and modify domain configuration settings. You can add or remove domain administrators from Enterprise Manager.
To add an enterprise domain administrator: