Database users are typically defined in the database by using the CREATE USER statement as follows:
CREATE USER username IDENTIFIED BY password;
This creates a database user, associated with a user schema, who can access the database and be authenticated by using a password with the CONNECT command as follows:
CONNECT username@database_service_name Enter Password:
Database users must be created in each database they need to access, and they can choose a different password for each database. Database user privileges are controlled by local roles in each database.
In contrast, enterprise users are provisioned and managed centrally in an LDAP-compliant directory, such as Oracle Internet Directory, for database access. Enterprise users have a unique identity in the directory called the distinguished name (DN). When enterprise users log on to a database, the database authenticates those users by using their DN.
Enterprise users are defined in the database as global users. Global users can have their own schemas, or they can share a global schema in the databases they access. You can create enterprise users by using the GLOBALLY clause in the CREATE USER statement in two different ways.
You can specify a user's directory DN with an AS clause, which is shown in the following statement:
CREATE USER username IDENTIFIED GLOBALLY AS '<DN of directory user entry>';
In this case, they have a schema allocated exclusively to them.
Alternatively, you can specify a null string with the AS clause as the following statement shows:
CREATE USER username IDENTIFIED GLOBALLY AS '';
When you specify a null string with the AS clause, the directory maps authenticated users to the appropriate database schema. In this case, multiple users can be mapped to a shared schema based on the mapping information set up and stored in Oracle Internet Directory.
Note:
You can also use the following syntax to create a shared schema:
CREATE USER username IDENTIFIED GLOBALLY;
This is the same as specifying a null string.
When enterprise users connect over SSL to the database, they do not use a password. Instead they use the following CONNECT command, which looks up the wallet location based on information in the client's sqlnet.ora file:
CONNECT /@database_service_name
Password-authenticated enterprise users use the same CONNECT statement to connect to the database as regular database users. For example, password-authenticated enterprise users connect to the database by using the following syntax:
CONNECT username@database_service_name Enter password:
When the database receives a connection request from an enterprise user, the database refers to the directory for user authentication and authorization (role) information.
See Also:
Getting Started with Enterprise User Security for a tutorial on creating and using enterprise users
Oracle Database Security Guide for more information about global users
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about defining users in the directory