How to Transition from Enterprise Manager 12c Cloud Control Database Target VIEW Privileges to Enterprise Manager 13c Flexible Database Access Control Group Privileges (Doc ID 2277277.1)

Last updated on NOVEMBER 10, 2019

Applies to:

Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Cloud Machine - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Backup Service - Version N/A and later
Information in this document applies to any platform.

Goal

Enterprise Manager (EM) 13c Cloud Control introduces Flexible Database Access Control, which provides a fine-grained, flexible privilege control model for database target management.

Enterprise Manager 13c introduced flexible DB access control for Enterprise Manager Database Plug-in. New out of box roles align with database personas and provide tighter access control on managed target databases. Before the introduction of this feature an Enterprise Manager user granted access on the database had access to all of the database management features, such as performance management, high availability management, storage management, security management and so forth. Enterprises have different classes of users such as DBA, Application Developer, Application DBA, and Infrastructure DBA that need to access database management functions. There is a need for a flexible privilege model to accommodate these roles. For example, enterprises may want their application developers to access only performance management functions in a View Only mode.

Providing enterprise users access to unnecessary features and pages opens up the database to security vulnerabilities. Oracle recommends that you grant Enterprise Manager users the minimum number of privileges required to perform their job. Introducing these out of box database management roles grants users access to only the Enterprise Manager pages required to perform their job.

Fine grained privilege control for Enterprise Manager Database plug-in provides a privilege control model for database pages. This enables Enterprise Manager super administrators to grant the minimum access to Enterprise Manager administrators and users required to complete their more specific responsibilities.

This document addresses upgrade concerns where customers upgrading to EM 13c from EM 12c want to carry over similar granted VIEW database target privileges during the upgrade. Customers can decide to adopt the rich features of Flexible Database Access Control at a later time, but as part of the upgrade they do not want their existing users to relinquish current access.

 

Solution



In this Document
Goal
Solution
 The following "Admin" level target privileges in EM 13c are equivalent to "View" target privilege that existed in EM 12c:
 Grant the privileges needed to your EM user.
 To take advantage of the new Flexible DB Access Control feature, which basically restricts the user to "read only" page access, grant the following "View" privileges as needed:

 1. Performance -> Database Replay
 2. Availability -> Add Standby Database
 Backup and Recovery -> DB_BACKUP_ADMIN, DB_RECOVERY_ADMIN
 3. Security -> All resource privilege menus are disabled
 4. Schema -> Database Objects
 5. Administration -> Initialization Parameters -> DB_PARAMETER_ADMIN
 6. Oracle Database -> Control
 EMCLI

