3
Administering Enterprise Users and Roles

Use Oracle Enterprise Security Manager to create and manage enterprise users, roles, and domains. Oracle Enterprise Security Manager is included as an integrated application of Oracle Enterprise Manager Console. See Oracle Advanced Security Administrator's Guide for more information on using Oracle Enterprise Security Manager.

This chapter contains these topics:

• Enterprise User Authentication
  
  
• Enterprise Role Authorization

  Note: You can administer an external user or an external role in Windows 2000 domains, but you cannot use Oracle Enterprise Security Manager to perform this administration. See Chapter 2, "Administering External Users and Roles" for more information on tools available for administering external users and roles.

Enterprise User Authentication

Enterprise users are created and managed centrally in a directory server (for example, Oracle Internet Directory or Active Directory). To allow access to multiple databases, enterprise users need to be defined in each database as an external user.

For example, assume there is an enterprise user (cn=joe,cn=users,dc=acme,dc=com) who needs access to two databases: sales and marketing. This enterprise user must be defined in both databases as an external user.

Most users typically need to access only application schemas in a database, so they usually do not need their own schemas. In Oracle9i, you can create one shared schema in the database and map multiple enterprise users in a directory server to this one shared schema with Oracle Enterprise Security Manager. This is especially useful in an Internet environment, where a number of users access an application at the same time. With a shared schema there is no need to create separate schemas for each user.

Enterprise user authentication is enabled, if you:

• Set registry parameter OSAUTH_X509_NAME to true. (See "Oracle9i Integration with Active Directory" for instructions.)
  
  
• Operate your Oracle9i database in a Windows 2000 domain.
  
  
• Use Oracle Enterprise Security Manager. If you are using shared schema you must use Oracle Enterprise Security Manager to map enterprise users to the shared schema.

The Kerberos authentication protocol is used if Windows and Oracle releases match those listed in Table 1-1, "Software Requirements to Enable Kerberos Authentication Protocol". Otherwise, NTLM is used.

Enterprise Role Authorization

An enterprise user is assigned an enterprise role; some users are assigned more than one. Enterprise roles authorization is supported with Oracle8i release 8.1.6 and later. An enterprise role is a single role created in a directory server with Oracle Enterprise Security Manager. Use Oracle Enterprise Security Manager to assign global roles and groups located on multiple databases to an enterprise role. A global role must be created individually in each Oracle9i database.

For example, as an enterprise user you can be assigned enterprise role HR (which contains global role HR user) in the human resources database. You can also be assigned global role employee in the corporate information database. If you change jobs, your enterprise role assignment is changed only in the directory, altering your privileges in multiple databases throughout the enterprise. Also, an administrator can add capabilities to enterprise roles or remove a privilege from the enterprise role without having to update each user's privileges individually.

Use enterprise roles in environments where users assigned to these roles are located in many geographic regions and must access multiple databases.

Permissions authorized to an enterprise user are authorized for the enterprise role contained in the global role.

Users can belong to Windows 2000 global groups and universal groups. These groups can be assigned to enterprise roles using Oracle Enterprise Security Manager.