Flexible Database Access Control

Enterprise Manager provides flexible database access control for the Enterprise Manager Database Plug-in. The new out-of-box roles align with database personas and provide tighter access control on managed target databases. Before the introduction of this feature, an Enterprise Manager user granted access on the database had access to all of the database management features, such as performance management, high availability management, storage management, security management, and so forth. Enterprises have different classes of users, such as DBA, Application Developer, Application DBA, and Infrastructure DBA, that need to access database management functions. There is a need for a flexible privilege model to accommodate these roles. For example, enterprises may want their application developers to access only performance management functions in a View Only mode.

Providing enterprise users access to unnecessary features and pages opens up the database to security vulnerabilities. Oracle recommends that you grant Enterprise Manager users the minimum number of privileges required to perform their job. Introducing these out-of-box database management roles grants users access to only the Enterprise Manager pages required to perform their job.

Fine-grained privilege control for the Enterprise Manager Database plug-in provides a privilege control model for database pages. This enables Enterprise Manager super administrators to grant Enterprise Manager administrators and users only the minimum access required to complete their specific responsibilities.

High levels of security can be implemented using the new flexible DB access control features for database management. This section includes the following:

Database Management Roles and Responsibilities

Oracle Enterprise Manager supports granting different levels of access to DBAs based on their roles and responsibilities in the organization. The following roles are recommended to implement security best practices for an organization.

  • Application DBA

    An application DBA is a restricted database administrator who manages application schemas, application objects, and application performance in the database. An application DBA should be able to identify and fix application performance issues in the database. An application DBA is responsible for keeping the application up and running and performing well.

  • Application Developer

    An application developer is a person who develops an application. Application developers capture requirements from customers and develop the application according to customer requirements. Application developers use Oracle Enterprise Manager to tune SQL in their application modules for optimal performance in production environments. Application developers are responsible for the modules of the application in development, test, and production environments.

  • Monitoring User

    The database monitoring user monitors the database for smooth functioning of the application in production environments. Monitoring users respond to alerts raised in the Enterprise Manager environment. Monitoring users can update the schedule of metrics and set up blackouts on the databases. Monitoring users are not allowed to make any changes to the production database. Monitoring users ensure that the application is up and running by responding to any issues reported and ensuring that the issues are assigned to the DBAs responsible for resolution.

  • Database Administrator

    Database administrators perform full database lifecycle management including installation configuration, monitoring, backup, recovery, and performance tuning.