4.2 User Authentication and Authorization
The Oracle Graph server (PGX) uses an Oracle Database as its identity manager. Both username/password-based and Kerberos-based authentication are supported.
The actions that you are allowed to perform on the graph server are determined by the privileges enabled by the roles that have been granted to you in the Oracle Database.
- Privileges and Roles in Oracle Database
  All database users that work with graphs require the CREATE SESSION privilege in the database.
- Basic Steps for Using an Oracle Database for Authentication
  You can follow the steps explained in this section to authenticate users to the graph server (PGX).
- Prepare the Graph Server for Database Authentication
  Locate the pgx.conf file of your installation.
- Connect to the Server from JShell with Database Authentication
  You can use the JShell client to connect to the server in remote mode, using database authentication.
- Read Data from the Database
  Once logged in, you can now read data from the database into the graph server without specifying any connection information in the graph configuration.
- Store the Database Password in a Keystore
- Token Expiration
  By default, tokens are valid for 1 hour.
- Advanced Access Configuration
  You can customize the following fields inside the pgx_realm block in the pgx.conf file to customize login behavior.
- Revoking Access to the Graph Server
  To revoke a user's ability to access the graph server, either drop the user from the database or revoke the corresponding roles from the user, depending on how you defined the access rules in your pgx.conf file.
- Examples of Custom Authorization Rules
  You can define custom authorization rules for developers.
- Kerberos Enabled Authentication
  The graph server (PGX) can authenticate users using an Oracle Database with Kerberos enabled as identity provider.