How to Transition from EM12c Cloud Control Database Target VIEW Privileges to EM 13c Flexible Database Access Control Group Privileges
(Doc ID 2277277.1)
Last updated on APRIL 18, 2024
Applies to:
Oracle Database - Enterprise Edition - Version 11.2.0.4 and laterGen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Oracle Cloud Infrastructure - Database Service - Version N/A and later
Oracle Database Backup Service - Version N/A and later
Information in this document applies to any platform.
Goal
Enterprise Manager (EM)13c Cloud Control introduce Flexible Database Access Control that provides a fine-grained flexible privilege control model for database target management.
Enterprise Manager 13c introduced flexible DB access control for Enterprise Manager Database Plug-in. New out of box roles align with database personas and provide tighter access control on managed target databases. Before the introduction of this feature an Enterprise Manager user granted access on the database had access to all of the database management features, such as performance management, high availability management, storage management, security management and so forth. Enterprises have different classes of users such as DBA, Application Developer, Application DBA, and Infrastructure DBA that need to access database management functions. There is a need for a flexible privilege model to accommodate these roles. For example, enterprises may want their application developers to access only performance management functions in a View Only mode.
Providing enterprise users access to unnecessary features and pages opens up the database to security vulnerabilities. Oracle recommends that you grant Enterprise Manager users the minimum number of privileges required to perform their job. Introducing these out of box database management roles grants users access to only the Enterprise Manager pages required to perform their job.
Fine grained privilege control for Enterprise Manager Database plug-in provides a privilege control model for database pages. This enables Enterprise Manager super administrators to grant the minimum access to Enterprise Manager administrators and users required to complete their more specific responsibilities.
This document addresses upgrade concerns where customers upgrading to EM 13c from EM 12c want to carry over similar granted VIEW database target privileges during the upgrade. Customers can decide in adopting the rich features of Flexible Database Access Control at a later time; but as part of upgrade, they do not want their existing users to relinquish current access.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Goal |
| Solution |
| The following "Admin" level target privileges in EM 13c are equivalent to "View" target privilege that existed in EM 12c: |
| Grant the privileges needed to your EM user: |
| 1. Performance - > Database Replay |
| 2. Availability -> Add Standby Database |
| Backup and Recovery->DB_BACKUP_ADMIN , DB_RECOVERY_ADMIN |
| 3. Security -> All resource privilege menus are disabled |
| 4. Schema -> Database Objects |
| 5. Administration -> Initialization Parameters-> DB_PARAMETER_ADMIN |
| 6. Oracle Database -> Control |
| EMCLI |