User's Manual

Introduction to Enterprise User Security
11-18 Oracle Database Advanced Security Administrator's Guide
Table 11–2 Administrative Groups in a Realm Oracle Context

Administrative Group
  Description

OracleDBCreators
(Called "Database Registration Admins" in Release 9.2 and earlier versions of Enterprise Security Manager)
  DN: (cn=OracleDBCreators,cn=OracleContext...)
  Default owner: OracleContextAdmins
  During default realm Oracle Context creation, Oracle Internet Directory Configuration Assistant sets up the following access rights/permissions for these group members:
  - Add permission for database service objects in the realm Oracle Context
  - Modify permission for the Default Domain
  OracleDBCreators create new databases and register them in the directory by using Database Configuration Assistant.

OracleContextAdmins
(Called "Full Context Management" group in Release 9.2 and earlier versions of Enterprise Security Manager)
  DN: (cn=OracleContextAdmins,cn=Groups,cn=OracleContext...)
  Default owner: The user who created the identity management realm. (If it is the realm created during installation, then it is orcladmin.)
  OracleContextAdmins have full access to all groups and entries within their associated realm Oracle Context.

OracleDBSecurityAdmins
(Called "Database Security Management" group in Release 9.2 and earlier versions of Enterprise Security Manager)
  DN: (cn=OracleDBSecurityAdmins,cn=OracleContext...)
  Default owner: All group members.
  During default realm Oracle Context creation, Oracle Internet Directory Configuration Assistant sets up the following access rights/permissions for these group members:
  - All privileges in the OracleDBSecurity subtree
  - Modify privileges for membership in this group
  OracleDBSecurityAdmins have permissions on all of the domains in the enterprise and perform the following tasks:
  - Set Enterprise User Security configurations for the realm, such as the default database-to-directory authentication method
  - Group owner administers the OracleDBSecurityAdmins group
  - Create and delete enterprise domains
  - Move databases from one domain to another within the enterprise

OracleUserSecurityAdmins
(Called "Directory User Management" in Release 9.2 and earlier versions of Enterprise Security Manager)
  DN: (cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext...)
  Default owner: The user who created the identity management realm.
  By default, an ACL is set at the directory root in Oracle Internet Directory that sets up the relevant permissions so OracleSecurityAdmins can administer Oracle user security. For example, by default, they can read wallet password hints and modify user passwords.

OraclePasswordAccessibleDomains
  DN: (cn=OraclePasswordAccessibleDomains,cn=Groups,cn=OracleContext...)
  Default owner: Same as OracleDBSecurityAdmins
  Group members are enterprise domains, which contain databases enabled for password-authorized enterprise users.