Administrative Groups

An identity management realm contains administrative groups related to Enterprise User Security. Figure 1-3 shows these administrative groups in a realm in the triangle labeled "Groups." Each administrative group includes Access Control Lists (ACLs) that control access to the group itself. ACLs elsewhere in the directory may refer to these groups, which grants directory administrators the access they need to perform administrative tasks. The administrative user who creates the realm automatically becomes the first member of each of these groups, thus gaining the privileges associated with each group. This user can, however, be removed from any of them.

The relevant administrative groups in a realm are described in Table 1-2.

Note:

Observe the following practices. Using other methods may break the security configuration for Enterprise User Security objects and may break enterprise user functionality as well.

  • Do not modify the ACLs for the objects contained in a realm Oracle Context. Modified realm Oracle Context object ACLs are not supported.

  • Use only Oracle tools, such as Oracle Enterprise Manager, Oracle Internet Directory Self-Service Console, and Database Configuration Assistant, to modify Enterprise User Security directory entries.

Table 1-2 Administrative Groups in a Realm Oracle Context

Each entry gives the administrative group, its DN, its default owner, and a description.

Administrative group: OracleContextAdmins

  DN: (cn=OracleContextAdmins,cn=Groups,cn=OracleContext...)

  Default owner: The user who created the identity management realm. (If it is the realm created during installation, then it is orcladmin.)

  Description: OracleContextAdmins has full access to all groups and entries within the associated realm Oracle Context.

Administrative group: OracleDBAdmins

  DN: (cn=OracleDBAdmins,cn=<database_entry_name>,cn=OracleContext...)

  Default owner: None. Database Configuration Assistant automatically makes the user who registers a database in the directory a member of this group.

  Description: Members of this group manage user-schema mappings specific to this database. Only users who are already members of this group or of OracleContextAdmins can add or remove users from the OracleDBAdmins group.

Administrative group: OracleDBCreators

  DN: (cn=OracleDBCreators,cn=OracleContext...)

  Default owner: OracleContextAdmins

  Description: During default realm Oracle Context creation, Oracle Internet Directory Configuration Assistant sets up the following access rights/permissions for these group members:

    • Add permission for database service objects in the realm Oracle Context

    • Modify permission for the Default Domain

  OracleDBCreators create new databases and register them in the directory by using Database Configuration Assistant.

Administrative group: OracleDBSecurityAdmins

  DN: (cn=OracleDBSecurityAdmins,cn=OracleContext...)

  Default owner: All group members.

  Description: During default realm Oracle Context creation, Oracle Internet Directory Configuration Assistant sets up the following access rights/permissions for these group members:

    • All privileges in the OracleDBSecurity subtree

    • Modify privileges for membership in this group

  OracleDBSecurityAdmins have permissions on all of the domains in the enterprise and perform the following tasks:

    • Set Enterprise User Security configurations for the realm, such as the default database-to-directory authentication method

    • Administer the OracleDBSecurityAdmins group (as group owner)

    • Create and delete enterprise domains

    • Move databases from one domain to another within the enterprise

Administrative group: OracleDomainAdmins

  DN: (cn=OracleDomainAdmins,cn=<enterprise_domain_name>,cn=OracleDBSecurity,cn=Products,cn=OracleContext...)

  Default owner: The user creating or updating the domain.

  If a new context and OracleDefaultDomain are created, then the initial member will be the context creator.

  Description: Members of the OracleDomainAdmins group have full privileges for the enterprise domain. They manage mappings, enterprise roles, and proxy permissions specific to the entire domain. You should be a member of OracleDomainAdmins (for the domain), OracleDBSecurityAdmins, or OracleContextAdmins to modify membership of this group.

Administrative group: OracleUserSecurityAdmins

  DN: (cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext...)

  Default owner: The user who created the identity management realm.

  Description: By default, an ACL is set at the directory root in Oracle Internet Directory that sets up the relevant permissions so OracleSecurityAdmins can administer Oracle user security.

Administrative group: OraclePasswordAccessibleDomains

  DN: (cn=OraclePasswordAccessibleDomains,cn=Groups,cn=OracleContext...)

  Default owner: Same as OracleDBSecurityAdmins

  Description: Group members are enterprise domains, which contain databases enabled for password-authorized enterprise users.
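Because the realm creator is placed in every one of these groups at creation time and the realm-wide groups (OracleContextAdmins, OracleDBSecurityAdmins, OracleDBCreators, OracleUserSecurityAdmins) carry far broader privileges than the per-database OracleDBAdmins or per-domain OracleDomainAdmins groups, a periodic read-only review of who sits in each group is worthwhile. The following script is an added example, not part of the Oracle documentation or of any Oracle tool: it parses a small LDIF export of the group entries and reports which principals hold realm-wide privileges, whether the realm creator is still a member of every group, and which groups are empty. The realm base `dc=example,dc=com`, the member DNs, the database name `salesdb` and the LDIF sample itself are constructed for illustration; the script also assumes the groups are exported as `groupOfUniqueNames` entries whose members are listed in `uniquemember` attributes.

```python
"""Read-only audit of the Enterprise User Security administrative groups
(Table 1-2) from an LDIF export of the realm Oracle Context.
Added example; not Oracle code. Realm base, names and sample data are constructed."""
from collections import defaultdict

# Groups whose membership confers privileges across the whole realm.
REALM_WIDE_GROUPS = {
    "OracleContextAdmins": "full access to the realm Oracle Context",
    "OracleDBSecurityAdmins": "all enterprise domains in the realm",
    "OracleDBCreators": "register databases, modify the Default Domain",
    "OracleUserSecurityAdmins": "administer Oracle user security",
}
# Groups whose privileges are scoped to one domain or one database.
SCOPED_GROUPS = {
    "OracleDomainAdmins": "one enterprise domain",
    "OracleDBAdmins": "one registered database",
}

# Constructed sample export (assumption: groupOfUniqueNames / uniquemember).
SAMPLE_LDIF = """\
dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=orcladmin
uniquemember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=OracleDBSecurityAdmins,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=orcladmin
uniquemember: cn=bob,cn=Users,dc=example,dc=com

dn: cn=OracleDBCreators,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=orcladmin

dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=OracleDBAdmins,cn=salesdb,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=carol,cn=Users,dc=example,dc=com

dn: cn=OracleDBAdmins,cn=hrdb,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames

dn: cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,
 cn=Products,cn=OracleContext,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=alice,cn=Users,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a minimal plain-text LDIF (no base64 values) into
    {dn: {"dn": dn, "attrs": {attr: [values]}}}. Handles comment lines
    and RFC 2849 continuation lines (a leading single space)."""
    entries, current, last_attr = {}, None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends an entry
            if current is not None:
                entries[current["dn"]] = current
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            if last_attr == "dn":                # folded DN line
                current["dn"] += raw[1:]
            else:
                current["attrs"][last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][attr].append(value)
        last_attr = attr
    if current is not None:
        entries[current["dn"]] = current
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'OracleDBAdmins' from 'cn=OracleDBAdmins,cn=salesdb,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip()


def extract_groups(entries):
    """Keep only the Table 1-2 groups, keyed by DN, with lower-cased member DNs
    (DNs compare case-insensitively)."""
    groups = {}
    for dn, entry in entries.items():
        name = rdn_value(dn)
        if name in REALM_WIDE_GROUPS or name in SCOPED_GROUPS:
            members = entry["attrs"].get("uniquemember", [])
            groups[dn] = {"name": name, "members": [m.lower() for m in members]}
    return groups


def audit(ldif_text, realm_creator_dn="cn=orcladmin"):
    """Report realm-wide privilege holders, groups the realm creator still
    belongs to (it is auto-added to every group at realm creation), and
    groups that have no members at all."""
    groups = extract_groups(parse_ldif(ldif_text))
    creator = realm_creator_dn.lower()
    realm_wide = defaultdict(set)
    creator_still_in = []
    for dn, g in groups.items():
        if g["name"] in REALM_WIDE_GROUPS:
            for m in g["members"]:
                realm_wide[m].add(g["name"])
        if creator in g["members"]:
            creator_still_in.append(dn)
    return {
        "realm_wide_by_member": {m: sorted(n) for m, n in realm_wide.items()},
        "creator_still_in": sorted(creator_still_in),
        "empty_groups": sorted(dn for dn, g in groups.items() if not g["members"]),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LDIF).items():
        print(f"{key}:")
        print("  ", value)
```

The script only reads an export; any membership change it prompts should still be made with the Oracle tools named in the Note above, since hand-edited ACLs and entries are unsupported. An export in this shape can be produced with any LDAP client that writes LDIF (for example an ldapsearch over the realm Oracle Context subtree); the exact attribute names in your directory should be confirmed against a real export before relying on the `uniquemember` assumption.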