User's Manual
Enterprise User Security Deployment Considerations
Getting Started with Enterprise User Security 11-27
Protecting Database Password Verifiers
The OraclePasswordAccessibleDomains group in each identity management realm
is created automatically when the realm is created, and can be managed by using
Enterprise Security Manager. Enterprise domains with member databases that must
view users' database password verifiers in the directory are placed into this group.
For a selected realm, determine which databases can accept password-authenticated
connections. Use Enterprise Security Manager to place the domains containing
those databases into the OraclePasswordAccessibleDomains group. An ACL on the
user subtree permits access to the directory attribute that holds the password
verifier used by the database.
All other users are denied access to this attribute. An ACL at the root of the
directory tree prevents anonymous read access to the password verifier attributes.
Note that for usability, by default the OracleDefaultDomain is a member of the
OraclePasswordAccessibleDomains group. It can be removed, if desired.
Considerations for Defining Database Membership in Enterprise Domains
Consider the following criteria when defining the database membership of a
domain:
■ Current user database links operate only between databases within a single
enterprise domain. Use of these links requires mutual trust between these
databases and between the DBAs who administer them.
■ Accepted authentication types for enterprise users are defined at the domain
level. Database membership in a domain should therefore be defined
accordingly. If one or more databases are intended to only support SSL-based
certificate authentication, they cannot be combined in the same domain with
password-authenticated databases.
■ Enterprise roles are defined at the domain level. To share an enterprise role
across multiple databases, the databases must be members of the same domain.
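The membership criteria above, together with the OraclePasswordAccessibleDomains rule from the previous section, can be checked before a layout is committed in Enterprise Security Manager. The following validator is an added example, not code from this manual or from Oracle; domain and database names are constructed, and a database is modelled only by the authentication types it accepts.

```python
from dataclasses import dataclass

PASSWORD, SSL = "PASSWORD", "SSL"

@dataclass(frozen=True)
class Database:
    name: str
    auth_types: frozenset  # accepted enterprise-user authentication types

@dataclass(frozen=True)
class EnterpriseDomain:
    name: str
    databases: tuple

def check_domain_layout(domains, password_accessible):
    """Return findings for a proposed layout; an empty list means it is consistent.

    password_accessible: names of domains placed in OraclePasswordAccessibleDomains,
    i.e. domains whose member databases may read users' password verifiers.
    """
    findings = []
    for dom in domains:
        pw = [db.name for db in dom.databases if PASSWORD in db.auth_types]
        ssl_only = [db.name for db in dom.databases if db.auth_types == frozenset({SSL})]
        # Accepted authentication types are a domain-level setting: SSL-only
        # databases cannot share a domain with password-authenticated ones.
        if pw and ssl_only:
            findings.append(f"{dom.name}: mixes password-authenticated {pw} with SSL-only {ssl_only}")
        # Password logins need the verifier, so the domain must be in the group.
        if pw and dom.name not in password_accessible:
            findings.append(f"{dom.name}: password-authenticated {pw} but domain cannot read verifiers")
        # Least privilege: no verifier access for a domain that never uses passwords.
        if not pw and dom.name in password_accessible:
            findings.append(f"{dom.name}: can read verifiers but no member database uses passwords")
    return findings

# Constructed sample layout (hypothetical names, not from any real deployment).
SAMPLE_DOMAINS = (
    EnterpriseDomain("SalesDomain", (Database("sales1", frozenset({PASSWORD})),
                                     Database("sales2", frozenset({PASSWORD, SSL})))),
    EnterpriseDomain("PkiDomain", (Database("hr_ssl", frozenset({SSL})),)),
    EnterpriseDomain("MixedDomain", (Database("m_ssl", frozenset({SSL})),
                                     Database("m_pw", frozenset({PASSWORD})))),
    EnterpriseDomain("OracleDefaultDomain", ()),  # in the group by default, but empty here
)
SAMPLE_PASSWORD_ACCESSIBLE = {"SalesDomain", "OracleDefaultDomain"}

def sample_findings():
    return check_domain_layout(SAMPLE_DOMAINS, SAMPLE_PASSWORD_ACCESSIBLE)

if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The sample reports MixedDomain twice (mixed authentication types, and no verifier access for its password database) and flags the empty OracleDefaultDomain as a candidate for removal from the group.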
See Also:
■ "Managing Password Accessible Domains" on page 13-23
■ Oracle Internet Directory Administrator's Guide if you are not
storing your users in the subtree of an identity management
realm. This manual describes how to configure ACLs so
password-authenticated users can connect to databases.