Using Enterprise Roles

Enterprise roles are created in the directory. Enterprise roles contain global roles from different databases that are part of the enterprise domain. Enterprise roles are used to assign database privileges to enterprise users.

Example 2-4 creates two enterprise users, Joe and Nina. Both these users are created in the subtree, cn=Users, dc=us,dc=oracle,dc=com, which is already mapped to the global_ident_schema_user in the EUSDB database.

Nina is an HR manager. She needs the SELECT privilege on the hr.employees table in the EUSDB database. Example 2-4 achieves this using enterprise roles.

Example 2-4 Using Enterprise Roles

We start by creating two enterprise users, Joe and Nina. You can create enterprise users using the Oracle Internet Directory Self Service Console.

To create enterprise users, Joe and Nina:

  1. Connect to the Oracle Internet Directory Self Service Console. Use the following URL:

    http://hostname:port/oiddas/

    Here, hostname is the name of the host that is running the Oracle Internet Directory server. The port number is the TCP port number on which the Oracle Internet Directory Self Service Console is running. This is 7777 by default.

    Description of the illustration getstrtd7.gif follows
    Description of the illustration getstrtd7.gif

  2. Click the Directory tab.

    The Sign In page appears.

    Description of the illustration getstrtd8.gif follows
    Description of the illustration getstrtd8.gif

  3. Log in as the user that can create users in Oracle Internet Directory.

    The User page appears.

  4. Click Create.

    The Create User page appears.

    Description of the illustration getstrtd9.gif follows
    Description of the illustration getstrtd9.gif

  5. Enter joe under User Name. Enter values for the other required fields. Select Enabled under Is Enabled.

  6. Click Submit.

  7. Click Create Another User.

    The Create User page appears.

  8. Enter Nina under User Name. Enter values for the other required fields. Select Enabled under Is Enabled.

  9. Click Submit. Click OK.

Next, we create a global role in the database that allows access to the hr.employees table. The following SQL*Plus statements create a global role, hr_access and grant the necessary privilege to it.

SQL> CREATE ROLE hr_access IDENTIFIED GLOBALLY;
Role created.
SQL> GRANT SELECT ON hr.employees TO hr_access;
Grant succeeded.

Next, we create an enterprise role called hr_access and assign the global role to it. We then assign this enterprise role to the enterprise user, Nina. The enterprise role can be created using Enterprise Manager.

To create the enterprise role, hr_access:

  1. Log in to Enterprise Manager Cloud Control, as an administrative user.

  2. To navigate to your database, select Databases from the Targets menu.

  3. Click the database name in the list that appears. The database page appears.

  4. Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.

  5. Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.

    The Enterprise User Security page appears.

  6. Click Manage Enterprise Domains.

    The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.

  7. Select the enterprise domain that contains the database. Click Configure.

    The Configure Domain page appears.

  8. Click the Enterprise Roles tab.

  9. Click Create.

    The Create Enterprise Role page appears.

  10. Enter hr_access in the Name field.

    Description of the illustration getstrtd11.gif follows
    Description of the illustration getstrtd11.gif

  11. Click Add to add the database global role to the enterprise role.

    The Search and Select Database Global Roles window is displayed.

    Description of the illustration getstrtd12.gif follows
    Description of the illustration getstrtd12.gif

  12. Select the hr_access global role in your database. Click Select.

    Note:

    You will be required to log in to the database before you can select the global role.

  13. Click the Grantees tab. Click Add.

    The Select Users or Groups window appears.

  14. Select user Nina. Click Select.

    Description of the illustration getstrtd10.gif follows
    Description of the illustration getstrtd10.gif

  15. Click Continue in the Create Enterprise Role page.

  16. Click OK in the Configure Domain page.

The enterprise user, Nina can now access the hr.employees table in the database. The following SQL*Plus statements illustrate this:

SQL> CONNECT Nina
Enter password:
Connected.
SQL> SELECT employee_id FROM hr.employees;
EMPLOYEE_ID
-----------
        100
        101
        102
...
...
107 rows selected.

The enterprise user, Joe cannot access the hr.employees table, as he does not have the enterprise role assigned to him.

SQL> CONNECT joe
Enter password:
Connected.
SQL> SELECT employee_id FROM hr.employees;
SELECT employee_id FROM hr.employees

ERROR at line 1:
ORA-00942: table or view does not exist