3 Working with Access Control

This chapter focuses on access control of TimesTen targets in Oracle Enterprise Manager Cloud Control.

Overview of access control

Oracle Enterprise Manager uses privileges that are assigned to roles to manage targets and their operations. Targets can be organized into groups. A TimesTen Enterprise Manager administrator can assign roles and groups to users to determine how and what they can manipulate in a TimesTen target.

Note:

The default super administrator of Enterprise Manager, SYSMAN, can view and control all TimesTen targets without having to belong to a group or be assigned a role.

Creating a group

You must create these groups:

  • A group that contains the host or hosts that contain your TimesTen targets.

  • A group that contains the TimesTen targets that users of this group can view and control. You can combine TimesTen instances and databases into a single group or create multiple groups.

  1. From the Targets menu, select Groups.

    The Groups page displays. Locate the Create button above the group table.

  2. Expand Create and select Group.

    Figure 3-2 Create a group

    The Add Target Create Group page displays. Prepare to enter the properties for your group. The first property is the group name.

    In the *Name text field, you define the group name. Choose a name that is a meaningful identifier. (For example, datacenter1_hosts or datacenter1_databases.)

  3. Click in the check box to the right of Privilege Propagation. This setting allows group users to have access to new targets that are added to this group at a later date.

    Figure 3-3 Enable privilege propagation

    You are now ready to add member targets to your group. You can combine any type of Enterprise Manager target in your group, including TimesTen instance and TimesTen database targets. However, ensure that you create separate groups for hosts and TimesTen targets. For more information on adding TimesTen targets, see "Configure a TimesTen target".

    Locate the Add button in the Members region.

  4. Click Add.

    The Search and Select: Targets page displays. Locate the Target Type drop-down list in the Search region.

  5. Expand the drop-down list labeled Target Type and select Host, TimesTen Instance, or TimesTen Database.

    Note:

    Ensure that you separate hosts and TimesTen targets into different groups.

    Figure 3-5 Search results

    The page refreshes with the results of your search. In the Name column, locate the row that contains the target name that you want to add to the group. Confirm the status is a green up arrow.

  6. Select the check box of the row whose Name column identifies the target. If you want to add multiple targets, select the corresponding check box of any additional targets.

    Locate the Select button.

  7. Click Select.

    The Search and Select: Targets page closes and the Add Target Create Privilege Propagating Group page refreshes. You should now see your selected target in the Members table. Locate the OK button in the top right corner of the page.

  8. Click OK.

    The Information Dialog displays. You should see the informational message "Group group_name has been added." Locate the OK button.

  9. Click OK.

    The Information dialog closes. You successfully created an Enterprise Manager group.

Your Enterprise Manager group is created. Repeat steps 1-9 to create additional groups. If you have one host group and at least one TimesTen target group, you can define Enterprise Manager roles.

Defining roles

Create a role that contains the privileges that you want to assign to Enterprise Manager users.

Ensure that you have at least one host group and one TimesTen target group. For more information on the steps to create an Enterprise Manager group, see "Creating a group".

  1. From the Setup menu, select Security, then select Roles.

    The Security Roles page displays. Locate the Create button above the Roles table.

  2. Click Create.

    The Create Role: Properties page displays. You are now ready to enter the Enterprise Manager role properties. The first property is the role name.

    In the *Name text field, you define the role name. Choose a name that is a meaningful identifier. (For example, TimesTen database administrators.)

  3. In the *Name text field, type the Enterprise Manager role name.

    Locate the Next button in the upper right corner of the page.

  4. Click Next.

    The Create Role role_name: Roles page displays. Locate the Next button in the upper right corner of the page.

  5. Click Next.

    The Create Role role_name: Target Privileges page displays. Locate the Target Privileges region at the bottom of the page.

  6. Click the Add button from the Target Privileges region.

    Figure 3-14 Select privilege(s)

    The Search and Add: Targets page displays. Locate the Target Type drop-down list in the Search region.

  7. Expand the drop-down list labeled Target Type and select Group.

    Figure 3-15 Search results

    The page refreshes with the results of your search. In the Name column, locate the row that contains the group names that you want to add to the role. You should have at least one TimesTen target group and its respective host group.

  8. Select the check boxes of the rows whose Name column identifies the groups. Ensure that you select a TimesTen target group and its respective host group.

    Figure 3-16 Select groups

    Locate the Select button.

  9. Click Select.

    The Search and Add: Targets page closes and the Create Role role_name: Target Privileges page refreshes. You should now see your selected groups in the Target Privileges table. In the Target Privileges table, locate the row that contains your TimesTen target group. In the TimesTen target group row, locate the pencil button in the Manage Target Privilege Grants column.

  10. In the TimesTen target group row, click the pencil button in the Manage Target Privilege Grants column.

    Figure 3-18 Manage target privilege grants

    The Create Role role_name: Target Privileges page refreshes. Locate the Target Privileges table.

    The Target Privileges table contains all of the available Enterprise Manager privileges that you can assign to a group. Enterprise Manager Cloud Control has a variety of privileges, but only two privileges are important for TimesTen operations:

    • View

      This privilege is needed to view TimesTen targets.

    • Operator

      This privilege is needed for TimesTen target control operations. The operator privilege includes the view privilege.

    Identify the Name of the privilege(s) that you want to assign to this role.

  11. Select the check box of the row that identifies the Name of the privilege that you want to assign to this group. If you want to add multiple privileges, select the corresponding check box of any additional privilege.

    Figure 3-19 Select privileges

    Locate the Continue button in the upper right corner of the page.

  12. Click Continue.

    Figure 3-20 Click Continue

    The Create Role role_name: EM Resource Privileges page displays. In the Target Privileges table, locate the row that contains your host group. In the host group row, locate the pencil button in the Manage Target Privilege Grants column.

  13. In the host group row, click the pencil button in the Manage Target Privilege Grants column.

    Figure 3-21 Manage target privilege grants

    The Create Role role_name: Target Privileges page refreshes. Locate the Target Privileges table.

    The Target Privileges table contains all of the available Enterprise Manager privileges that you can assign to a group. Enterprise Manager Cloud Control has a variety of privileges, but only two privileges are important for host operations:

    • View

      This privilege is needed to view the Enterprise Manager host.

    • Execute Command

      This privilege is needed for TimesTen targets to execute operating system commands on a host. The Execute Command privilege is required to control the TimesTen agents, TimesTen database, and TimesTen server, and load and unload the TimesTen database from memory.

    Identify the Name of the privilege(s) that you want to assign to this role.

  14. Select the check box of the row that identifies the Name of the privilege that you want to assign to this group. If you want to add multiple privileges, select the corresponding check box of any additional privilege.

    Figure 3-22 Select privileges

    Locate the Continue button in the bottom right corner of the page.

  15. Click Continue.

    Figure 3-23 Click Continue

    The Create Role role_name: Target Privileges page displays. Locate the Next button in the upper right corner of the page.

  16. Click Next.

    The Create Role role_name: EM Resource Privileges page displays. Locate the resource type list.

  17. In the resource type list, locate the row that contains Job System as identified by the Resource Type Column. Click the pencil button in the Manage Privilege Grants column.

    Figure 3-25 Click the pencil button

    The Create Role role_name: Manage Privileges: Job System page displays. Locate the Resource Type Privileges table.

  18. Select the check box of the row that identifies the Create privilege.

    Figure 3-26 Select the check box

    Locate the Continue button in the upper right corner of the page.

  19. Click Continue.

    Figure 3-27 Click Continue

    The Create Role role_name: EM Resource Privileges page displays. Locate the Next button in the upper right corner of the page.

  20. Click Next.

    The Create Role role_name: Administrators page displays. Locate the Next button in the upper right corner of the page.

  21. Click Next.

    The Create Role role_name: Review page displays. In the Properties region, verify the role name is correct. Also, verify that the correct privileges are in the Privileges applicable to all targets table. Locate the Finish button in the upper right corner of the page.

  22. Click Finish.

    The Security Roles page displays with a confirmation message that indicates that you successfully created the Enterprise Manager role.

    Figure 3-31 Role creation confirmation

You are now ready to create an Enterprise Manager user.
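
The privilege combinations described in this section can be checked against a planned role before it is created in the console. The following is an added example, not Oracle code and not an Enterprise Manager API: it lints a constructed plan, and the role names, the datacenter1_all group, the target names, and the dictionary layout are assumptions made for illustration.

```python
# Added example; constructed data, hypothetical role names and dict layout.
TT_TYPES = {"TimesTen Instance", "TimesTen Database"}
GROUPS = {  # group name -> {target name: target type}
    "datacenter1_hosts": {"host1.example.com": "Host"},
    "datacenter1_databases": {"tt_inst1": "TimesTen Instance",
                              "tt_db1": "TimesTen Database"},
    "datacenter1_all": {"host1.example.com": "Host",
                        "tt_db1": "TimesTen Database"},
}
ROLES = {  # role name -> target privileges per group, Job System privileges
    "tt_dba": {"targets": {"datacenter1_databases": {"Operator"},
                           "datacenter1_hosts": {"View", "Execute Command"}},
               "job_system": {"Create"}},
    "tt_viewer": {"targets": {"datacenter1_databases": {"View"},
                              "datacenter1_hosts": {"View", "Execute Command"}},
                  "job_system": {"Create"}},
    "tt_ops": {"targets": {"datacenter1_all": {"Operator"}},
               "job_system": set()},
}

def group_kind(members):
    """Classify a group as 'host', 'timesten', 'mixed' or 'other'."""
    types = set(members.values())
    has_host, has_tt = "Host" in types, bool(types & TT_TYPES)
    if has_host and has_tt:
        return "mixed"
    return "host" if has_host else "timesten" if has_tt else "other"

def lint_role(role, groups):
    """Return findings for one role; an empty list means no rule is broken."""
    findings, privs = [], {"host": set(), "timesten": set()}
    for name, granted in role["targets"].items():
        kind = group_kind(groups[name])
        if kind == "mixed":
            findings.append(f"{name}: hosts and TimesTen targets share a group")
        elif kind in privs:
            privs[kind] |= granted
    for kind in ("timesten", "host"):
        if not privs[kind]:
            findings.append(f"no {kind} group granted")
    can_control = "Operator" in privs["timesten"]
    can_execute = "Execute Command" in privs["host"]
    if can_control and not can_execute:
        findings.append("Operator without Execute Command on a host group")
    if can_execute and not can_control:
        findings.append("Execute Command without Operator on a TimesTen group")
    if "Create" not in role["job_system"]:
        findings.append("Job System Create not granted")
    return findings
```

The finding for Execute Command on a view-only role is a least-privilege check added here; this chapter states only that the privilege is required for control operations.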

Creating users

Create a user that can control and view your TimesTen targets.

  1. From the Setup menu, select Security, then select Administrators.

    Figure 3-32 Select Administrators

    The Security Administrators page displays. Locate the Create button above the group table.

  2. Click Create.

    The Create Administrator: Properties page displays. You are now ready to enter the Enterprise Manager user properties. The first property is the user name.

    In the *Name text field, you define the user name. Choose a name that is a meaningful identifier. (For example, terry.)

  3. In the *Name text field, type the user name.

  4. In the *Password text field, type the password for the user.

  5. In the *Confirm Password text field, re-type the password.

    Locate the Next button in the upper right corner of the page.

  6. Click Next.

    The Create Administrator username: Roles page displays. You are now ready to assign a role to your user.

  7. In the Available Roles list, locate the row that contains your TimesTen role. Double click the role name. If you want to assign multiple roles, double click the corresponding role name of any additional roles.

    Figure 3-35 Assign a role

    Locate the Next button in the upper right corner of the page.

  8. Click Next.

    The Create Administrator username: Target Privileges page displays. Locate the Next button in the upper right corner of the page.

  9. Click Next.

    The Create Administrator username: EM Resource Privileges page displays. Locate the Next button in the upper right corner of the page.

  10. Click Next.

    The Create Administrator username: Review page displays. In the Properties region, verify that the user name is correct. Also, verify that the correct roles are in the Roles table. Locate the Finish button in the upper right corner of the page.

  11. Click Finish.

    The Security Administrators page displays with a confirmation message that indicates that you successfully created the Enterprise Manager user.

    Figure 3-40 User creation confirmation

You have successfully created an Enterprise Manager user that can view and control TimesTen targets.

Granting preferred credentials to users

Enterprise Manager enables you to grant a user access to preferred credentials that you created for a target with the SYSMAN user. Target preferred credentials are required to perform several operations on TimesTen targets. Ensure that you have set preferred credentials for the SYSMAN user before proceeding with this section. For more information, see "Setting preferred credentials for a target".

To grant a user access to preferred credentials, ensure that you are on the Oracle Enterprise Manager Cloud Control home page and are logged in as user SYSMAN.

  1. From the Setup menu, select Security, then select Named Credentials.

    Figure 3-41 Select Named Credentials

    The Security Named Credentials page displays. Locate the credential name in the Credential Name column.

  2. Click the credential name.

    Figure 3-42 Select credential name

    You are now ready to grant the preferred credentials to a user. Locate the Manage Access button.

  3. Click Manage Access.

    Figure 3-43 Click Manage Access

    The Security Manage Access: credential_name page displays. Locate the Add Grant button in the Access Control region.

  4. Click Add Grant.

    Figure 3-44 Click Add Grant

    The Search and Select - Roles - Oracle Enterprise Manager dialog displays.

  5. In the dialog, locate the row that contains the correct user name. Click in this row and click Select.

    Figure 3-45 Select user name

    The Search and Select - Roles - Oracle Enterprise Manager dialog closes and the Security Manage Access: credential_name page refreshes. You should see your selected user name in the table in the Access Control region. Locate the Save button in the upper right corner of the page.

  6. Click Save.

    The Security Named Credentials page displays. Repeat steps 1-6 to grant access to additional preferred credentials to users.

  7. To enable preferred credentials on an Enterprise Manager user account, log on to Enterprise Manager using that user's credentials. Then, follow the instructions in "Setting preferred credentials for a target" and assign the existing named credentials as noted in step 6.

You have successfully granted a user access to preferred credentials of a SYSMAN user target.