Database Access Control

Database Access Control Best Practices

Enterprise Manager 13.1 adds database access control flexibility to the Enterprise Manager Database Plug-in. The new out-of-the-box roles are aligned with database personas and enable more control over access to managed target databases.

Controlling database access in a flexible way

Before this feature, an Enterprise Manager user with database access had access to all database administration functions, including performance management, high availability management, storage management, security management, and so on. Users who need access to database administration functions in an organization include DBAs, Application Developers, Application DBAs, and Infrastructure DBAs. A flexible privilege model is required to accommodate these different responsibilities. For example, organizations may want their application developers to have access only to performance management services, in a View Only mode.

Providing superfluous features and pages to corporate users exposes the database to security issues. Oracle advises that you only give Enterprise Manager users the privileges they need to do their jobs. When these out-of-the-box database management roles are enabled, users will have access to just the Enterprise Manager pages they need to do their jobs.

The Enterprise Manager Database plug-in's fine-grained privilege control provides a privilege control model for database pages. This allows Enterprise Manager super administrators to give Enterprise Manager administrators and users only the access they need to carry out their more specialized roles.

The new flexible DB access control capabilities for database administration may be used to establish high levels of security.

Roles and Responsibilities in Database Management

DBAs can be granted varying degrees of access in Oracle Enterprise Manager based on their positions and responsibilities in the company. To adopt security best practices for an organization, the following responsibilities are advised:

Application DBA

An application DBA is a limited database administrator who handles application schemas, application objects and application performance in the database. An application DBA should be able to detect and resolve database application performance issues, and is in charge of keeping the application up and running while also ensuring that it performs well. Monitoring users’ guarantee The DBAs are in charge of responding to any issues that are reported and assigning them to the DBAs who are in charge of resolving them.

Database administrator

Database administrators are responsible for managing the whole database lifecycle, which includes installation, configuration, monitoring, backup, recovery, and performance optimization.

Application (DBA) Access

In Enterprise Manager, application DBAs should have access to the Performance and Schema Management pages.

Creating a DBA Account for an Application

To set up an application DBA account in Enterprise Manager, follow these steps:

  • To establish an Enterprise Manager administrator, follow the steps in “Creating a New Administrator.”
  • On the database target, grant the privilege Database Application DBA.
  • On the database host target, grant the full privilege.
  • Grant the Create New Named Credentials privilege on the Named Credential Resource Type privilege page and the Create Privilege on Job System Resource Type privilege on the Resource Privileges Page.

Creating Named Credentials

The database administrator can establish their own named credentials, or the super administrator (or a privileged administrator with the system resource privilege) can create them and then provide them to the application DBA. The application DBA is given view privilege on the named credential, so the application DBA has no knowledge of or access to the named credential’s contents.

Application developers usually work in their own development environments and have complete access to their databases. Access to production databases is frequently denied to application developers.