1. Cloud Control Security Guide
  2. Security Best Practices for Database Management in Enterprise Manager
  3. Flexible Database Access Control
  4. Pluggable Database Administrator Access

Pluggable Database Administrator Access

The pluggable database administrator has access limited to the pluggable database. These steps are a best practice recommendation on how to create a Pluggable Database Administrator.

Creating a Pluggable Database Administrator Account

To create a pluggable database administrator account:

  1. From the Setup menu, select Security, then select Administrators. The Administrators page is displayed.
  2. Click Create, type the Administrator name and password. Click Next.
  3. On the Create Administrator <Name>: Roles page add the EM_USER and PUBLIC roles.
  4. On the Privileges page grant the following privileges:
    • Privileges applicable to all targets: Connect to any viewable target
    • Target Privilege: For the PDB to be managed, click Manage Target Privilege Grants to Full
    • Resource Privileges:
      • Job System with Create
      • Manage View Access
      • Named Credential for the PDB administrator
    • Database Privileges Required:
      • SELECT ANY DICTIONARY
      • SELECT CATALOG ROLE
      • EXECUTE ON DBMS_WORKLOAD_REPOSITORY

Granting Pluggable Database Administrator Database Privileges

Database privileges must be granted by the CDB administrator for the required PDB user. These privileges will be reflected as a Named Credential.

  1. Login as the CDB administrator.
  2. Grant the following privileges to the new PDB user:
    SQL> GRANT SELECT ANY DICTIONARY TO <PDB_USER>
SQL> GRANT SELECT CATALOG ROLE TO <PDB_USER>
SQL> GRANT EXECUTE ON DBMS_WORKLOAD_REPOSITORY TO <PDB_USER>

Creating Named Credentials

A PDB administrator can not create their own named credentials. To create one, a super administrator (or a privileged Administrator with the system resource privilege) needs to create and then grant the named credential to the PDBA. The named credential is granted the View privilege on the named credential so that the PDBA does not know or see the contents of the named credential.

To create a named credential:

  1. From the main menu, select Setup, then select Security, finally click Named Credential.
  2. Click Create.
  3. In Target Type, select Pluggable Database and in Target Name select the PDB name.
  4. In Access Control, select the PDB administrator that was created for this named credential. Grant View privileges.
  5. Click Save.

Note:

The PDB administrator has to be created in the target PDB by the CDB administrator and have the required database privileges granted as applicable.