I suggest you specify the OS and DB versions you are talking about whenever you post a new thread. As a de facto standard, OEM is used to specify a 9i Oracle Enterprise Manager or an 8i OEM Java console, while EM is used to refer to the 10g Enterprise Manager DB Control Console, either 10gR1 or 10gR2. OEM can be used to access any database.
On OEM you can use any account with DBA privileges, so you could access OEM if you simply assign a DBA role to the user. On EM, the only two users allowed to access Enterprise Manager are SYS and SYSTEM; if you want to add a new user, you must enable it from the preferences menu once you have connected with an authorized account. EM can access only the 10g database on which its repository has been built; if you want to access different databases with the same interface, you must configure the grid control.
FYI, in EM there is a repository manager database user, the sysman user, but this is for internal use only.
Hi Madrid -
Sorry for the omission, the OS is Solaris 10 and DB version is 10.2.0.2.0.
Given the definitions you've supplied of OEM versus EM, I believe my question is about EM (the web-based tool that I've known as Oracle Enterprise Manager Database Control). I'm very familiar with EM Grid Control too (and its differences from EM Database Control).
For anyone to help with this question they would have to be pretty familiar with two concepts (and their implementation): Oracle Enterprise Users and EM Database Control 10gR2.
In the past, when I've wanted to give software developers access to 10gR2 EM Database Control, I've created a database account called "developer" and assigned this database user to the CONNECT, MGMT_USER and OEM_ADVISOR roles. You also need to grant the “SELECT ANY DICTIONARY” system privilege to the account. When you assign a database user to the MGMT_USER role they have the ability to log in to EM. The OEM_ADVISOR role allows the user to run the EM advisors. Now I have this account in EM, "developer", that I can allow software developers to log in to EM with. They can view tables, monitor DB performance, etc. But they can't do "DBA privilege things" like drop tables, alter tables, etc. This works okay -- but I have no traceability to individual users. Put another way, I don't like "group accounts" in our database.
Now, recently I migrated our database to the use of Oracle Enterprise Users. Under this system the software system's end-users are defined in an OracleAS Identity Management 10.1.4.0.1 installation's Oracle Internet Directory. The Enterprise Users don't have individual database accounts, but they can log in to the database.
Back to the original question in my post yesterday (with specifics added). Say I create an Enterprise Role named EM_NON_PRIVILEGED using the ESM tool. In the tool I link this Enterprise Role to a global database role named -- EM_NON_PRIVILEGED_DB. Now, any grants to the database role are available to any Enterprise Users assigned to the Enterprise Role. Cool. So, I assign the CONNECT, MGMT_USER and OEM_ADVISOR roles to the EM_NON_PRIVILEGED_DB role as well as the “SELECT ANY DICTIONARY” system privilege. Then, in ESM, I assign Enterprise Users to the EM_NON_PRIVILEGED role.
My problem is, when I try to log in to EM as an Enterprise User that’s assigned to the EM_NON_PRIVILEGED Enterprise Role, I get “The application requires more database privileges than you have currently been granted. Click on Help to get more version specific information.” The “Help” link essentially just says you need the “SELECT ANY DICTIONARY” system privilege. Has anyone successfully implemented the ability of Enterprise Users to be able to log in to EM Database Control 10.2?
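The database-side setup described in the post above, written out as SQL with checks for what an Enterprise User session actually receives. This is an added example, not part of the original posts; the role names are the poster's, and it assumes the statements are run from SQL*Plus, first as a DBA and then in a session authenticated as one of the Enterprise Users.

```sql
-- Added example (not from the thread). Run this first part as a DBA.

-- Global role that ESM maps to the EM_NON_PRIVILEGED enterprise role.
CREATE ROLE em_non_privileged_db IDENTIFIED GLOBALLY;

-- The grants described in the post: three roles plus one system privilege.
GRANT CONNECT, MGMT_USER, OEM_ADVISOR TO em_non_privileged_db;
GRANT SELECT ANY DICTIONARY TO em_non_privileged_db;

-- Confirm what the global role carries in the data dictionary.
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'EM_NON_PRIVILEGED_DB'
 ORDER BY granted_role;

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'EM_NON_PRIVILEGED_DB';

-- Run the rest in a session logged in as an Enterprise User.

-- Which schema the session landed in, and which directory identity
-- it maps to (the per-person traceability a shared account lacks).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS schema_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS directory_dn
  FROM dual;

-- Roles enabled in this session; the global role and the three
-- roles granted to it should be listed if the ESM mapping took effect.
SELECT role FROM session_roles ORDER BY role;

-- Whether the system privilege reached the session through the role.
SELECT privilege
  FROM session_privs
 WHERE privilege = 'SELECT ANY DICTIONARY';
```

If the last two queries return the expected rows, the directory mapping and the grants are working at the database level, and the refusal is specific to how EM evaluates the login.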