14.3 Prerequisites for Establishing a Local Security Context

For environments bypassing centralized IAM in favor of local user management, perform the following configuration tasks. These tasks ensure the database can successfully bind a local end-user security context to an active session.

Review the deployment scenario that matches your environment.

Local application users connecting through an application

If your application manages users in its own user store and those users connect through the application, complete the following steps to establish a security context for their sessions. The application user is identified by a user name and a security context lookup key supplied by the application.

  1. Configure the database for application sessions

    For detailed Oracle AI Database configuration instructions, see Set Up Local Authentication for Application-Mediated Connections.

  2. Configure the application

    In your application, use an Oracle client driver (such as JDBC, Python, or ODP.NET) to build and transmit the EndUserSecurityContext object (with user name and lookup key) on each database call. The following JDBC example shows how to attach a local security context payload:

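    // Identify the application user by user name and lookup key,
    // then attach the end-user context attributes.
    EndUserSecurityContext securityContext =
        EndUserSecurityContext.createWithUsername(DB_ACCESS_TOKEN, username, lookup_key)
            .withAttributes(ctxAttrs);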

Note:

Data roles cannot be provided in an end-user security context payload that identifies the end user by name and lookup key.

For additional application configuration details, such as connection properties and settings, see Update Application Configuration with IAM Details.

Local end users connecting directly (password authentication)

For environments where local end users establish direct database sessions through a SQL client and credential-based authentication, perform the following configuration tasks.

  1. Configure the database

    For detailed Oracle AI Database configuration instructions, see Set Up Local Authentication for Direct Logon.

  2. Create end-user context definitions (optional)

    Additionally, if your data grants rely on custom end-user context attributes, make sure you create the corresponding end-user context definitions. See Configure End-User Contexts and Attributes.