This is the second phase of configuration steps required to implement Enterprise User Security. The configuration steps in this section assume the following recommended setup:
You have prepared your database and your directory by completing the tasks described in "Preparing the Directory for Enterprise User Security (Phase One)".
Your users are stored in an identity management realm Users subtree.
You use the OracleDefaultDomain, which is the default enterprise domain that Database Configuration Assistant uses when you register databases in the directory.
Note that databases must be in an enterprise domain that is in an identity management realm in order for enterprise user logins to work.
See Also:
If you do not use the OracleDefaultDomain or store your users in an identity management realm Users subtree, then see the following documentation:
Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory for information about creating a new identity management realm or modifying an existing one, and for information about setting access control lists on directory objects
"Creating an Enterprise Domain" to create another domain in which to put your database. Then substitute your new domain name for OracleDefaultDomain in the following configuration steps
To configure Enterprise User Security objects in the database and directory perform the following tasks:
Although this step can also be completed by using Oracle Enterprise Manager, the following examples use SQL*Plus directly:
Create a shared schema for enterprise users. The following syntax example creates a shared schema named guest:
SQL> CREATE USER guest IDENTIFIED GLOBALLY AS '';
If you do not want to use a shared schema, then specify a user DN between the single quotation marks to create an exclusive schema.
Grant the CREATE SESSION
privilege to the shared schema created in Step 1 so users can connect to it. The following syntax example grants the CREATE SESSION
privilege to the guest shared schema:
SQL> GRANT CREATE SESSION TO guest;
Alternatively, you can grant the CREATE SESSION
privilege to a global role, which you grant to specific users through an enterprise role. See Step 3.
Create global roles for the database to hold relevant privileges. The following syntax examples create the emprole
and custrole
global roles:
SQL> CREATE ROLE emprole IDENTIFIED GLOBALLY; SQL> CREATE ROLE custrole IDENTIFIED GLOBALLY;
Global roles are associated with enterprise roles, which are created later, and then are allocated to enterprise users.
Grant privileges to the new global roles that were created in Step 3. The following syntax example grants the SELECT
privilege to emprole
and custrole
global roles on the products table:
SQL> GRANT select ON products TO custrole, emprole;
See Also:
Oracle Database SQL Language Reference for information about the syntax used for these steps
Use Enterprise Manager to configure user-schema mappings for the OracleDefaultDomain by using the following steps:
Log in to Enterprise Manager Cloud Control, as an administrative user.
To navigate to your database, select Databases from the Targets menu.
Click the database name in the list that appears. The database page appears.
Under the Administration menu, select Security, Enterprise User Security. The Oracle Internet Directory Login page appears.
Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.
The Enterprise User Security page appears.
Click Manage Enterprise Domains.
The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.
Select OracleDefaultDomain. Click Configure.
The Configure Domain page appears.
Click the User-Schema Mappings tab. All user-schema maps created at the domain level are displayed. User-schema maps created at database levels are not displayed here.
Click Create to create a new user-schema mapping for the domain.
The Create Mapping page is displayed.
Under the From section, select Users to map an individual enterprise user to a database schema. Alternatively, select Subtree to map a directory subtree containing multiple users. You can use the Search icon to search for the appropriate user or subtree.
Under the To section, enter the name of the Schema to which the user or subtree should be mapped. This is the schema that you created in Task 1.
Click Continue in the Create Mapping page.
Click OK in the Configure Domain page.
Note:
You can also create user-schema mappings for an individual database in an enterprise domain. Such mappings apply only to that particular database and not to other databases in the domain.
See Also:
"Mapping Enterprise Users to the Shared Schema" for an example on creating user-schema mappings
Use Enterprise Manager to create enterprise roles in the OracleDefaultDomain by using the following steps:
Select OracleDefaultDomain in the Manage Enterprise Domains page. Click Configure.
The Configure Domain page appears.
Click the Enterprise Roles tab.
Click Create to create a new enterprise role.
The Create Enterprise Role page appears.
Enter a name for the enterprise role in the Name field. Click Continue.
The new role is displayed in the Configure Domain page.
See Also:
"Using Enterprise Roles" for an example on creating and using enterprise roles
Use Enterprise Manager to add the global database roles that you created in Task 1 to the enterprise roles that you created in Task 3 by using the following steps:
Select the enterprise role that you just created in the Configure Domain page. Click Edit.
The Edit Enterprise Role page is displayed.
Make sure that the DB Global Roles tab is selected. Click Add to add global roles from databases that are part of the enterprise domain.
The Search and Select Database Global Roles page appears.
Select the Database that contains the global roles you wish to add. Log in to the selected database by supplying a User Name and Password. Click Go.
Select the global roles to add. Click Select.
The selected roles appear in the Edit Enterprise Role page.
See Also:
"Using Enterprise Roles" for an example on creating and using enterprise roles
Use Enterprise Manager to grant enterprise roles that you created in Task 3 to the enterprise users by using the following steps:
Click the Grantees tab in the Edit Enterprise Role page.
Click Add.
The Select Users or Groups page is displayed.
Select the Search Base or the subtree that contains the user or group. Select User under View if you are granting the enterprise role to a user. Select Group under View, if you are granting the role to a group. Optionally, enter the common name of the user or group in the Name field. Click Go.
Select the users or groups to be granted the enterprise role. Click Select.
Click Continue in the Edit Enterprise Role page.
Click OK in the Configure Domain page.
See Also:
"Using Enterprise Roles" for an example on creating and using enterprise roles