1. Cloud Control Security Guide
  2. Security Best Practices for Database Management in Enterprise Manager
  3. Database Monitoring User Access

Database Monitoring User Access

To monitor the status and performance of your database targets, Enterprise Manager connects to your database using a database user name and password. The user is referred to as the database monitoring user; the user name and password combination is referred to as the database monitoring credentials.

When you first add, provision or clone an Oracle database target, by default Enterprise Manager uses the DBSNMP database user account and the password for the DBSNMP account as the monitoring credentials.

Alternatively, you may choose to use a different user as the database monitoring user. This new user must have the same roles and privileges as DBSNMP. To create this database monitoring user, refer to MOS note EM 13c: Creating the Oracle Database Monitoring Credentials for Oracle Enterprise Manager 13.5 RU4 (and later) DocID 2847191.1

non-DBSNMP Monitoring User Availability:

  • Adding a an Oracle database: Enterprise Manager 13c Release 5 Update 4

    (13.5.0.4)

  • Database-as-a-Service: Enterprise Manager 13c Release 5 Update 8

    (13.5.0.8)

  • Oracle database provisioning (outside Exadata) and cloning: Enterprise Manager 13c Release 5 Update 8

    (13.5.0.8)

  • Oracle database provisioning for Exadata: Enterprise Manager 13c Release 5 Update 9

    (13.5.0.9)

Notes:

While discovery and monitoring of Oracle database targets works with non-DBSNMP users, there are management features that still assume DBSNMP as the database monitoring user.

These features include the following:

  • Oracle Database Benchmarks such as CIS Oracle Database 19c Benchmark include assessments for the DBSNMP user. These assessments will continue to support only the DBSNMP user, and not other database users used as monitoring credentials
  • For monitoring AVDF (Oracle Audit Vault and Database Firewall) targets, the use of non-DBSNMP users as monitoring credentials is not supported.

Monitoring with SYSDG Privileges

For security reasons, you may not want to have an administrator monitor Enterprise Manager database targets with SYSDBA privileges. Because Oracle Data Guard is commonly used by Oracle database customers, users with the SYSDG administrative privilege can also monitor Enterprise Manager database targets. Any SYSDG database monitoring user can discover/monitor both Primary and Standby databases.

Note:

Users with SYSDG privilege can connect to the database even when it is not open.

You can log in with the SYSDG administrative privileges to perform Data Guard operations. You can use this privilege with either Data Guard Broker or the DGMGRL command-line interface. See Oracle Data Guard Command-Line Interface Reference for more information. In order to connect to the database as SYSDG using a password, you must create a password file for it.

Beginning with Enterprise Manager 13c Release 5 Update 8, the SYSDG role can be assigned by the database administrator or Enterprise Manager Super Administrator when creating Named/Preferred Credentials directly from the Enterprise Manager console. The SYSDG role appears as one of the selectable role options (in addition to Normal and SYSDBA).

See Named Credentials or Preferred Credentials for information on these credential types.

SYSDG Limitations

Note that there are differences between SYSDG and DBSNMP users during discovery. When target database discovery is initiated by an Enterprise Administrator with SYSDG privileges, the following happens:

  • Target database allows database connection for the database monitoring user, but switches the user context to the official (built-in) Data Guard SYSDG user.
  • However, the Enterprise Manager database monitoring user remains unchanged--SYSDG-enabled, DBSNMP or non-DBSNMP - but not SYSDG.

These differences have privilege implications in that the SYSDG-enabled user may not have the sufficient privileges to perform a specific task. For example, when an Enterprise Manager user connects to a target database as the database monitoring user in SYSDG role and attempts to execute SQL scripts to create any database objects, these objects are created using the built-in SYSDG user context.

For more information about Oracle Data Guard, see Oracle Data Guard: Concepts and Administration.