Oracle® Database Enterprise User Administrator's Guide 10g Release 2 (10.2) Part Number B14269-01 |
|
|
View PDF |
This chapter describes how to use Enterprise Security Manager to administer Enterprise User Security in Oracle Databases. This chapter contains the following topics:
Enterprise Security Manager and Enterprise Security Manager Console are the two main tools provided for administering Enterprise User Security.
Use Enterprise Security Manager to create and manage
Enterprise domains
Enterprise roles
Use Enterprise Security Manager Console to create, manage, and configure
Enterprise users
Enterprise User Security administrative groups
Identity management realm properties.
These tools are introduced in Chapter 2, "Configuration and Administration Tools Overview" where you can find information about starting each tool and navigating its interface.
In particular, refer to the following topics to get started using Enterprise User Security administration tools:
Tool | Introductory Topics |
---|---|
Enterprise Security Manager |
|
Enterprise Security Manager Console |
|
An identity management realm is a subtree of directory entries, all of which are governed by the same administrative policies. A realm Oracle Context is a subtree in a directory identity management realm that contains the data used by any installed Oracle product that uses the directory. Enterprise Security Manager is one such product. It lets you manage database and security-related information in an identity management realm.
This section describes how to use Enterprise Security Manager to administer directory identity management realm properties that pertain to Enterprise User Security. It contains the following topics:
Managing Identity Management Realm Administrators
Note: Do not create users within a realm Oracle Context. |
See Also:
|
Enterprise User Security can only use an identity management realm supplied by Oracle Internet Directory 10g (9.0.4) or later, which ships with Oracle Application Server 10g (9.0.4). You can manage Enterprise User Security directory entries in a version 9.0.4 (or later) identity management realm by using Enterprise Security Manager for Oracle Database 10g Release 2 (10.2).
Enterprise Security Manager displays all existing version 9.0.4 (or later) identity management realms in its main application tree.
Note: Enterprise User Security did not require identity management realms in Oracle8i, nor in Oracle9i. In those previous releases, only an Oracle Context was used. For Oracle Database 10g Release 2 (10.2) Enterprise User Security, full identity management realms and their associated realm Oracle Contexts must be used. |
An identity management realm has a number of properties that can be viewed and managed by using Enterprise Security Manager. These properties are described in Table 4-1.
Table 4-1 Identity Management Realm Properties
Property | Description |
---|---|
Attribute for Login Name | Name of the directory attribute used to store login names. By default, login names are stored in the uid attribute, but they can be changed to correspond to your directory configuration. In previous releases, this was the cn attribute. |
Attribute for Kerberos Principal Name | Name of the directory attribute used to store Kerberos principal names. By default, Kerberos principal names are stored in the krbPrincipalName directory attribute, but they can be changed to correspond to your directory configuration by changing orclCommonKrbPrincipalAttribute in the identity management realm. |
User Search Base | Full distinguished name (DN) for the node at which enterprise users are stored in the directory. |
Group Search Base | Full DN for the node at which user groups are stored for this identity management realm in the directory. |
Version Compatibility | This property is no longer used. However, you should ensure that it is not set to 81000 , because release 8.1.7 and earlier databases cannot be in the same realm with 10g Release 1 (10.1) or 10g Release 2 (10.2) databases. |
Note: Each identity management realm includes anorcladmin user who is the root user of that realm only. These realm-specific orcladmin users are represented by the directory entries cn=orcladmin,cn=Users,<realm_DN> . Note that when you are logged in to Enterprise User Security administration tools as a realm-specific orcladmin user, then you can manage only directory objects for that realm. To manage objects in another realm, you must log in to administration tools as the orcladmin user for that realm. |
Setting these identity management realm attributes enables the database to locate Enterprise User Security entries.
To set Login Name, Kerberos Principal Name, User Search Base, and Group Search Base identity management realm attributes:
Navigate to the Enterprise Security Manager Console home page. (Select Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On user name and password.)
Select the Realm Configuration tab.
In the Realm Information window, enter the appropriate information into the available fields.
Click Submit to save your changes to the directory.
The initial value for the LDAP_DIRECTORY_ACCESS
parameter is picked from the default database-to-directory authentication attribute setting at the realm level. This parameter is set on individual databases when they are registered in Oracle Internet Directory.
To set the default database-to-directory authentication type for an identity management realm:
Select the identity management realm in the left navigator pane.
Select the General tab in the right main window. See Figure 4-1.
In the Realm Attribute Settings region of the General tabbed window, select either PASSWORD or SSL from the Database to Directory Authentication list.
Click Apply to save your changes to the directory.
An identity management realm contains administrative groups that have varying levels of privileges. The administrative groups for an identity management realm, which pertain to Enterprise User Security, are defined in Table 4-2. For more information about these groups, see "Administrative Groups".
Table 4-2 Enterprise User Security Identity Management Realm Administrators
Administrative Group | Definition |
---|---|
Oracle Database Registration Administrators
(OracleDBCreators) |
Registers new databases in the realm. |
Oracle Database Security Administrators
(OracleDBSecurityAdmins) |
Has all privileges on the OracleDBSecurity directory subtree. Creates, modifies, and can read all Enterprise User Security directory objects. |
Oracle Context Administrators
(OracleContextAdmins) |
Has full access to all groups and entries within its associated realm. |
User Security Administrators
(OracleUserSecurityAdmins) |
Has relevant permissions necessary to administer security aspects for enterprise users in the directory. For example, OracleUserSecurityAdmins can modify user passwords. |
To manage identity management realm administrators:
Navigate to the Enterprise Security Manager Console home page. (Select Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On user name and password.)
Select the Users and Groups tab.
In the Users and Groups tabbed window, select the Group subtab.
In the Group subtab window, select the administrative group you wish to edit, and click Edit.
In the Edit Group window, enter group information into the appropriate fields. You can change group owners, add users to or remove them from groups, and view group membership.
Click Submit to save your changes to the directory.
Enterprise Security Manager manages one directory server at a time, identified at the top of the main application tree. It lets you manage enterprise users and data that is relevant to Enterprise User Security in the identity management realm.
This section describes how to use Enterprise Security Manager to administer enterprise users. It contains the following topics:
Use Enterprise Security Manager to create users in the directory.
Note: Before creating new enterprise users, you must first define the user search base in the directory and also verify the user create base. See "Setting Login Name, Kerberos Principal Name, User Search Base, and Group Search Base Identity Management Realm Attributes" |
To create new enterprise users:
Select Launch Enterprise Security Manager Console from the Operations menu. The Enterprise Security Manager Console home page appears (Figure 4-2). Log in with your OracleAS Single Sign-On user name and password.
Figure 4-2 Enterprise Security Manager Console Home Page
Select the Users and Groups tab.
In the Users and Groups tabbed window, choose the User subtab, if it is not already displayed.
In the User subtab window, click Create (located on the upper right corner of the Search Results table). Note that if your users are authenticated to the database by using Kerberos credentials, and the krbPrincipalName
attribute is not there, then see "Configuring Enterprise Security Manager Console for Kerberos-Authenticated Enterprise Users" for information about how to configure this.
Enter the appropriate user information in the Create User window and click Submit to create a new enterprise user.
You can set and maintain enterprise user passwords in the Basic Information region of the Enterprise Security Manager Console Edit User window (Figure 4-3).
Figure 4-3 Enterprise Security Manager Console Edit User Window: Basic Information
The enterprise user password is used for:
Directory logon
Database logon, to databases that support password authentication for global users
To set the password for an enterprise user:
Navigate to the Enterprise Security Manager Console home page. (Select Launch Enterprise Security Manager Console from the Operations menu and log in using your OracleAS Single Sign-On user name and password.)
Select the Users and Groups tab.
In the Users and Groups tabbed window, select the User subtab, if it is not already displayed.
In the User subtab window, enter part of the enterprise user's user name (login name) or e-mail address, and click Go.
A list of all users who match your search criteria displays.
Select the user for whom you wish to create a new password, and click Edit.
In the Edit User window, enter the new password, and click Submit.
When you create a new enterprise user, you can grant any previously configured enterprise roles to the new user.
To assign existing enterprise roles to a new enterprise user:
In the left navigator pane, select the Users icon under the Users, By Search Base folder, which is displayed under the identity management realm you are using. The list of users is displayed in the right main window.
Select a user in the main window, and click Edit. An Edit User window displays.
Select the Enterprise Roles tab of the Edit User window, and click Add.
The Add Enterprise Roles window appears (Figure 4-4):
Figure 4-4 Enterprise Security Manager: Add Enterprise Roles Window
Select the correct identity management realm, then select any enterprise roles in your realm to assign to the new user, and click OK.
Enterprise Security Manager lets you browse the directory for all users currently stored there in two ways, by using Enterprise Security Manager Console or by using the All Users tab in the main application window.
To browse enterprise users in the directory by using Enterprise Security Manager Console:
Navigate to the Enterprise Security Manager Console home page. (Select Launch Enterprise Security Manager Console from the Operations menu and log in by using your OracleAS Single Sign-On user name and password.)
Select the Users and Groups tab.
In the Users and Groups tabbed window, select the User subtab, if it is not already displayed.
In the User subtab window, enter part of the enterprise user's user name (login name) or e-mail address, and click Go. To display all users, do not enter search criteria.
A list of all users that match your search criteria is displayed. You can browse through the displayed users and select one to edit, delete, or assign privileges. If you need to create a new user, then click Create.
To browse enterprise users in the directory by using the All Users tab in the main application window:
Select the directory in the left navigator pane.
Select the All Users tab in the right main window (Figure 4-5):
Figure 4-5 Enterprise Security Manager: Main Window (All Users Tab)
Define the search criteria and click Search Now. The window displays the results of the search. Table 4-3 summarizes the search criteria and their respective effects on the search results.
Table 4-3 Directory Search Criteria
Search Criteria | Effect on the Search |
---|---|
Base | This is the base entry point in the directory where the search is performed. Only users under this base are returned by the search. |
Include Subtrees | This determines whether to show all users found in the entire subtree under the selected base or to show only those users who exist directly under that base location (one level only). |
Show names containing | This limits the search to those users whose directory entries have a common name that starts with the characters you specify. This is useful if you do not know the exact name or base of the target users. |
Note that you can also browse enterprise users in the directory by selecting <realm_name>, User by Search Base, Users in the left navigation tree of the main application window.
An identity management realm contains an enterprise domain called OracleDefaultDomain
. OracleDefaultDomain
is part of the realm when it is first created in the directory. When a new database is registered into a realm, it automatically becomes a member of OracleDefaultDomain
in that realm. You can create and remove your own enterprise domains, but you must not remove OracleDefaultDomain
from a realm.
This section describes how to use Enterprise Security Manager to administer enterprise domains in the directory. It contains the following topics:
If you do not want to use OracleDefaultDomain
, then you can create a new enterprise domain in your identity management realm.
To create a new enterprise domain in an identity management realm:
Start by using one of the following methods:
Select Create Enterprise Domain from the Operations menu.
The Create Enterprise Domain window appears (Figure 4-6):
Figure 4-6 Enterprise Security Manager: Create Enterprise Domain Window
In the Create Enterprise Domain window, select the appropriate realm from the list (Figure 4-6).
Note: If you invoked the Create Enterprise Domain window by right-clicking the realm in the main application tree, then the name of that realm is already selected. |
Enter the name of the new enterprise domain, in the Domain Name field.
Click OK. The new enterprise domain is created in the realm and appears on the main application tree.
To remove an enterprise domain:
Select the target enterprise domain from the main application tree.
Select Remove Enterprise Domain from the Operations menu.
Enterprise Security Manager prompts you to confirm removal of the enterprise domain from the realm. Click OK to remove it.
Note: You cannot remove an enterprise domain from an identity management realm if that enterprise domain contains any enterprise roles. |
Use the navigation tree of the main Enterprise Security Manager window to select a specific enterprise domain. You can then use the Databases tab to manage database membership of an enterprise domain in a realm (Figure 4-7):
Figure 4-7 Enterprise Security Manager: Databases Tab (Database Membership)
To remove a database from an enterprise domain:
Select a specific database for removal, and click Remove. The database is removed from the list.
Click Apply. The database is removed from the enterprise domain.
To add a database to an enterprise domain:
Note: The following restrictions apply to adding databases to an enterprise domain:
|
Click Add. The Add Databases window appears. This window lists all the databases that are not part of any domain associated with the realm(Figure 4-8):
Figure 4-8 Enterprise Security Manager: Add Databases Window
Select a new database to be added to the enterprise domain.
Click OK. The selected database is added to the list of databases in the Databases tabbed window (Figure 4-7).
Click Apply (Figure 4-7). The new database is added to the enterprise domain.
Use the Databases tabbed window (Figure 4-7) to manage database security options applicable to all databases that are members of the enterprise domain.
Database security options are summarized in Table 4-4:
Table 4-4 Enterprise Security Manager Database Security Options
Database Security Option | Description |
---|---|
Enable current user database links | Any database pair can permit use of Current User Database Links only if both databases exist in the same enterprise domain where this setting is enabled. By default, current user database links are not enabled. |
User authentication | All databases in an enterprise domain allow one, or more, of the following types of authentication for clients:
|
An enterprise domain administrator is a directory user with privileges to modify the content of that domain. After selecting an enterprise domain under an realm in the main application tree, you can use the Administrators tabbed window to manage Enterprise Domain Administrators.
To add a new user to the list of Enterprise Domain Administrators:
In the left navigator pane, select the enterprise domain to which you wish to add administrators.
In the right pane, select the Administrators tab.
Click Add. The Add Users window appears. Use this window to locate and select users for designation as Enterprise Domain Administrators. The new users appear in the Administrators tabbed window.
Click Apply. The new administrators are added to the enterprise domain.
To remove a user from the list of Enterprise Domain Administrators:
In the left navigator pane, select the enterprise domain from which you wish to remove administrators.
In the right pane, select the Administrators tab.
Select a user from the list of administrators.
Click Remove. The selected user is removed from the list.
Click Apply. The user is removed as an Enterprise Domain Administrator for that domain in the realm.
Database schema mappings, also referred to as user schema mappings, enable databases registered in the directory to accept connections from users without requiring any dedicated database schemas for them. For example, when local user Scott connects to a database, that logon can succeed only if a database schema called Scott exists. This requirement can be difficult to maintain if an enterprise has thousands of users and hundreds of databases.
Users defined in an LDAP-compliant directory do not require dedicated schemas on every Oracle9i or later database to which they might connect.
A database can use a schema mapping to share one database schema among multiple directory users. Each schema mapping is a pair of values, the base in the directory at which users exist and the name of the database schema they will use.
After selecting either a database or a domain in the main application tree, you can use the Database Schema Mappings window to manage database schema mappings. If a domain is selected, these mappings apply to all databases in the enterprise domain. However, for the mapping to be effective in a database, that database must have a schema with the name used in the mapping. This window contains a list of database schema names, directory DNs, and mapping types (Figure 4-9):
Figure 4-9 Enterprise Security Manager: Database Schema Mappings Tab
To add a new mapping to the list of database schema mappings in the enterprise domain:
In the Database Schema Mapping tabbed window, click Add.
The Add Database Schema Mappings window appears (Figure 4-10).
The three components in this window are the directory search tree, the options for choosing either subtree or entry-level mapping, and the field for entering the schema name. (You select the user's DN or the base of users in the directory tree.)
In this window, you make the database schema mapping by selecting a base in the directory and pairing it with a database schema name, as the following steps illustrate.
Figure 4-10 Enterprise Security Manager: Add Database Schema Mappings Window
Navigate the directory to select a desired entry as a base for the database schema mapping. Although any directory entry can be selected, you should, for an entry-level mapping, select the actual user. For a subtree-level mapping, select the entry located above the subtree of users to be mapped. You can also edit the contents of the Directory Entry field in this window to manually define the base.
Note that subtree-level mapping is usually the most useful.
Click the option corresponding to your chosen mapping type, Subtree Level or Entry Level.
In the Schema field, enter the name of the database schema for which this Mapping will be made, and click OK. This schema name must be a valid name that identifies a shared schema already existing on that database. Your new database schema mapping appears in the database schema mappings window (Figure 4-9).
Click Apply. The new database schema mapping is added to the selected database or domain in the realm.
To remove a mapping from the list of database schema mappings in an enterprise domain:
Select a mapping by selecting from the Database Schema Mapping tabbed window.
Click Remove. The selected mapping is removed from the list.
Click Apply. The mapping is removed from the enterprise domain.
The following three requirements enable a database to accept a connection from a password-authenticated user:
The database must be a member of a domain configured to accept password authentication (See: Table 4-4).
The domain must be a member of a password-accessible domains group, called the Password-Accessible Domains List.
(The domain can be added by a member of either of two groups, the OracleContextAdmins group or the OracleDBSecurityAdmins directory administrator group. Domain members of this list, which are databases, can read the user's password verifier in the directory. Databases excluded from this list cannot read the user's password verifier in the directory.)
The directory subtree in which the user entry appears must be enabled for Oracle Database access.
To configure password accessibility:
Select the enterprise domain in the left navigator pane.
Select the Databases tabbed window and select Password or All Types from the User Authentication methods listed. (See Figure 4-7)
Click Apply.
To add a domain to the Password-Accessible Domains List:
Select the identity management realm in the left navigator pane.
Select the Accessible Domains tabbed window and click Add. The Add Accessible Enterprise Domains dialog box appears. See Figure 4-11.
Figure 4-11 Enterprise Security Manager: Add Accessible Enterprise Domains Dialog Box
Select OracleDefaultDomain from the list of enterprise domains and click OK. OracleDefaultDomain is added to the list of domains in the Accessible Domains tab.
Click Apply. The new domain is added to the password accessible domains list in the directory.
Note:
|
To remove an enterprise domain from the password-accessible domains list:
Select the identity management realm in the left navigator pane.
Select the Accessible Domains tabbed window and select the enterprise domain you want to remove from the list.
Click Remove. The domain is removed from the list under the Accessible Domains tab.
Click Apply. The domain is removed from the password-accessible domains list in the directory.
Database administrators are members of the directory administrative group OracleDBAdmins. They are directory users who have privileges to modify the database entry and its subtree in the realm. These privileges include creating and managing user-schema mappings. When a user registers a database in the directory, Database Configuration Assistant automatically puts that user into the OracleDBAdmins group.
Database administrators can be managed by using the Administrators tabbed window when a database is selected under a realm in the navigator pane. See Figure 4-12. Note that only OracleDBAdmins or OracleContextAdmins group members can add or remove users from the OracleDBAdmins group.
Figure 4-12 Enterprise Security Manager: Administrators Tab
To remove a user from the list of Database Administrators:
In the Administrators tabbed window, select a user from the list of administrators.
Click Remove. The selected user is removed from the list.
Click Apply. The user is removed as a Database Administrator for that database.
To add a new user to the list of Database Administrators:
Click Add in the Administrators tabbed window. The Add Users window appears. Use this window to locate and select users in the directory.
Select a user or users from the directory to be added as a database administrator. The new users are displayed in the Administrators tabbed window.
Click Apply. The new administrators are added to the database in the realm.
An enterprise domain within an identity management realm can contain multiple proxy permissions. A proxy permission object is a set of authorizations, which can be granted to enterprise users to proxy as local database users within the enterprise domain.
Selecting the Proxy Permissions node under a domain in the navigation tree shows two lists in the right main window of Enterprise Security Manager. The first list identifies the proxy permission names. The other list shows the corresponding DNs of the proxy permission entries in Oracle Internet Directory. Each proxy permission under the Proxy Permissions container includes a list of users and groups to which it applies. It also includes the list of target database users to which the proxy users are mapped.
To enable enterprise users to proxy as local database users, the following steps are required:
To allow enterprise users the right to proxy as local database users, an administrator must run the following command for each such local database user:
ALTER USER local_database_user_name GRANT CONNECT THROUGH ENTERPRISE USERS
This task requires the following steps to be performed in Enterprise Security Manager:
In the navigation tree, select the realm containing the domains in which you want to establish enterprise user proxies.
Select the domain containing the local databases to which users will proxy. From the Operations menu, choose Create Proxy Permission. The dialog box shown in Figure 4-13 appears.
Type a name for the proxy permission in the Proxy Name text field. Click OK.
Figure 4-14 illustrates how the newly created proxy permission entry appears in the navigation tree:
Figure 4-14 Tree View of New Proxies in Proxy Permissions
Select a proxy. The associated tabbed windows appear: one named Proxy Users and Groups, the other named Database Target Users, as shown in Figure 4-15.
Select the Proxy Users and Groups window and click Add. The Add Enterprise Users window appears.
Use the Add Enterprise Users window to select one or more enterprise users to be granted proxy permissions. Your window will look like Figure 4-16:
Click OK. Your selected enterprise user now appears as an enterprise user for proxy2, with his or her name and Distinguished Name in the Proxy Users and Groups tabbed window, as shown in Figure 4-17:
Click Apply.
The preceding section identified the enterprise users who will be permitted to proxy as local database users. In this section, you select the target databases and local users to whom those enterprise users can proxy.
Select the Database Target Users tab and click Add.
The Add Target Users window appears as shown in Figure 4-18. It shows the available databases in the domain.
Select the desired database from which the target users will be chosen. The login screen for that database will appear, as illustrated in Figure 4-19.
After you log in, the available users will be listed as illustrated in Figure 4-20. (This list will include only those users for whom an earlier ALTER USER command was issued, as described in "Granting Enterprise Users Access to Local Database Schemas".)
Figure 4-20 Local Database Users Available as Proxy Targets
Select the users you want, and click OK. A screen similar to the one shown in Figure 4-21 appears.
When you click Apply, these local database users will be established as legitimate proxy targets for your selected enterprise users.
An enterprise domain within an identity management realm can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain.
This section describes how to use Enterprise Security Manager to administer enterprise roles in the directory. It contains the following topics:
You can create an enterprise role in an enterprise domain either from the Operations menu on the Enterprise Security Manager main window (Figure 4-9), or by right-clicking an enterprise domain in the main application tree. In either case, the Create Enterprise Role window appears (Figure 4-22):
Figure 4-22 Enterprise Security Manager: Create Enterprise Role Window
To create a new enterprise role:
Select the identity management realm from the list. This realm contains the enterprise domain to hold the new enterprise role.
Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, then the name of the identity management realm is already selected. |
From the Enterprise Domain list, select the appropriate enterprise domain for the new enterprise role.
Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, then the name of the enterprise domain is already selected. |
Enter the name of the new enterprise role in the Role Name field.
Click OK. The new enterprise role is created in the enterprise domain and appears on the main application tree.
To remove an enterprise role:
Select the enterprise role from the main application tree (Figure 4-9).
Select Remove Enterprise Role, either from the Operations menu or by right-clicking the enterprise domain in the main application tree.
Enterprise Security Manager prompts you to confirm the removal of the enterprise role. Click Yes.
Use the Database Global Roles tabbed window (Figure 4-23) of the Enterprise Security Manager main window to manage database global role membership in an enterprise role. This window lists the names of each global role that belongs to the enterprise role, along with the name of the database on which that global role exists.
Figure 4-23 Enterprise Security Manager: Database Global Roles Tab
When populating an enterprise role with different database roles, you can only use roles configured to be global roles on the databases you select. A global role on a database is identical to a normal role, except that the database administrator has defined it to be authorized only through the directory (Global roles are created with the syntax, CREATE ROLE <role_name> IDENTIFIED GLOBALLY;
). A database administrator cannot locally grant and revoke global roles to users of the database.
To add a global role to an enterprise role:
Click Add (Figure 4-23). The Add Global Database Roles window appears. This window lists all of the databases in the enterprise domain from which global roles can be selected to add to an enterprise role.
Select a database from which to obtain global roles. A window appears and prompts you for logon details to authenticate to the database (and fetch global roles). Typically, a DBA logon to that database is required.
Note that the name of the database appears in the Service field by default. You can use this name to connect to the database in two circumstances:
If your Oracle home has LDAP enabled as its Oracle Net naming method, or
If this name appears as a TNS alias in your local Oracle Net configuration
Otherwise, you can overwrite the content of the Service field with
any other TNS alias configured for that database, or
a connect string in the format <host>:<port>:<oracle sid>
. For example, cartman:1521:broncos
Figure 4-24 Enterprise Security Manager: Database Authentication Required Window
Click OK. Enterprise Security Manager connects you to the given database and fetches the list of global roles supported on that database. The list of values, if any, is displayed in the Add Global Database Roles window.
Select one or more global roles from the list of returned values and click OK. These global roles appear in the Database Global Roles tabbed window (Figure 4-23).
Click Apply. The new global roles are added to the enterprise role in the enterprise domain.
To remove a database global role from an enterprise role:
Select a global role under the Database Global Roles tab, and click Remove. The global role is removed from the list.
Click Apply. The global role is removed from the enterprise role in the enterprise domain.
You can grant an enterprise role to users in two ways:
you can select a user and add a role (see "Defining an Initial Enterprise Role Assignment"), or
you can select a role and add a user
An enterprise role granted to a user includes all database global roles contained within that enterprise role. Use the Users tabbed window.
To grant an enterprise role to users:
Select the role in the navigation tree and click Add in the Users tabbed window. The Add Enterprise Users window appears. Use this window to locate and select one or more directory users to add as enterprise role grantees (Figure 4-25):
Figure 4-25 Enterprise Security Manager: Add Enterprise Users Window
Select a user or users and click OK. The new grantees are added to the list of users who have that enterprise role in the enterprise domain.
Click Apply. The user or users are granted the selected enterprise role.
To remove a user from the list of enterprise role grantees:
Select a user from the list of grantees in the Users tabbed window.
Click Remove. The selected user is removed from the list.
Click Apply. The user is removed as a grantee for that enterprise role in the enterprise domain.