Enterprise User Security (EUS) is the process of integrating Oracle Database with an LDAP-compliant directory server such as Oracle Internet Directory (OID) or Microsoft Active Directory, so that database users can be centrally managed in the LDAP directory server.
When the EUS feature is configured and enabled, all EUS-enabled databases can authenticate users based on the information held in the LDAP server.
Database Users: users created in the database with the command CREATE USER [username] IDENTIFIED BY [password]; A database user is associated with a database schema (creating a user with CREATE USER automatically creates its schema).
Database Schema: a named collection of objects such as tables, views, clusters, procedures, packages, attributes and object classes. A schema is associated with a particular database user.
Enterprise Users: users that are defined and managed in the LDAP server (Oracle Internet Directory or Active Directory).
Global Users: enterprise users created in the database using either
a) Private Schema (each user has a dedicated schema): CREATE USER [username] IDENTIFIED GLOBALLY AS 'cn=username,cn=users,dc=mydomain,dc=com';
b) Shared Schema (multiple users share a single schema): CREATE USER [username] IDENTIFIED GLOBALLY AS '';
Role: a role is a named group of related privileges.
Enterprise Role: a directory (LDAP) object that acts as a container for one or more database global roles. An enterprise role is mapped to database global roles and is assigned to enterprise users. Enterprise roles are defined in the LDAP server, and the enterprise roles assigned to an enterprise user determine that user's access privileges in the database.
Database Global Role: a role that is managed in the directory, but whose privileges are contained within a single database. A global role is created using CREATE ROLE [role_name] IDENTIFIED GLOBALLY;
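An added worked example (not from the original post) that ties the definitions above together: it creates one global user of each kind, a global role whose privileges stay inside this database, and then runs the checks a DBA uses to confirm which accounts and roles are directory-managed and which directory identity is behind a shared-schema session. The DN, the user and role names, and the HR sample table are assumed placeholders.

```sql
-- Added example (not from the original post). DN values, user/role
-- names and the HR.EMPLOYEES table are constructed placeholders.

-- a) Private schema: one enterprise user owns one dedicated schema.
CREATE USER alice IDENTIFIED GLOBALLY AS 'cn=alice,cn=users,dc=mydomain,dc=com';

-- b) Shared schema: every enterprise user that the directory maps to
--    this schema logs in as APP_SHARED; the empty string means "no
--    single DN", the user-schema mapping in the directory decides.
CREATE USER app_shared IDENTIFIED GLOBALLY AS '';

-- Global role: privileges are defined here, in this database, but
-- membership is granted in the directory via an enterprise role.
-- GRANT app_reader TO alice is not allowed for a global role.
CREATE ROLE app_reader IDENTIFIED GLOBALLY;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;

-- Check 1: which accounts are directory-authenticated (no local
-- password hash to protect or rotate)?
SELECT username, authentication_type
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';

-- Check 2: which roles can only be obtained through an enterprise role?
SELECT role, authentication_type
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';

-- Check 3, run inside a session: with a shared schema SESSION_USER is
-- the schema name for everyone, so audit on the enterprise identity.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS schema_name,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS directory_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;
```

For a session in the shared schema, schema_name reads APP_SHARED while directory_dn carries the individual user's DN, which is the value that belongs in audit policies and application logs.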
Database Local Role: local roles are created and managed by the database itself, using CREATE ROLE [role_name]; For more on roles, see here.
Enterprise Domain: a group of databases and enterprise roles. The domain resides under "Realm -> Oracle Context -> Products -> OracleDBSecurity". As shown in the screenshot below, there are two domains. When enterprise roles are assigned to users, or mappings are created using Enterprise Manager, these enterprise roles, their members and the mappings are stored here.
The enterprise domain subtree is composed of three types of entries: enterprise role entries, user-schema mappings, and the enterprise domain administrators' group for that domain.
Database Server Entry: a directory entry containing information about a database server that is registered in the LDAP server. This entry is created during the database registration phase in OID using DBCA, and it sits under "Realm -> Oracle Context", as shown in the figure below.
The database server subtree consists of mapping entries (mapping0, ...) called user-schema mappings.
More on Enterprise User Security in Oracle Database coming soon...