3 Replies Latest reply: Nov 7, 2007 1:14 PM by 570448 RSS

    OEM Accounts for Enterprise Users

      I have some Oracle Enterprise Users who I would like to assign OEM Database Control accounts to. Is there a way I can get this to work without creating the users explicit OEM accounts?

      To clarify further, I'd like to create an Enterprise Role (managed in the esm tool) that has the set of database roles and privilges that would allow Enterprise Users assigned to this Enterprise Role the ability to login to OEM. Thoughts?

      Thank you
        • 1. Re: OEM Accounts for Enterprise Users
          OEM accounts have no relationship to database accounts, and roles do not apply.
          Privileges are managed by OEM.

          Sybrand Bakker
          Senior Oracle DBA
          • 2. Re: OEM Accounts for Enterprise Users
            I suggest you to specify the OS and DB versions you are talking about whenever you post a new thread. A de facto standard, OEM is used to specify a 9i Oracle Enterprise Manager or an 8i OEM Java console, meanwhile EM is used to refer to the 10g Enterprise Manager DB Control Console, either 10gR1 or 10gR2. OEM can be used to access any database.

            On OEM you can use any account with DBA privileges, so you could access OEM if you simply assign a DBA role to the user. On EM the only two allowed users to access Enterprise Manager are SYS and SYSTEM, if you want to add a new user then you must enable it from the preferences menu once you have connected with an authorized account. EM can access only the 10g Database where its repository has been built on, if you want to access different databases with the same interface, then you must configure the grid control.

            FYI, In EM, there is a repository manager database user, the sysman user, but this is for internal use only.

            ~ Madrid
            • 3. Re: OEM Accounts for Enterprise Users
              Hi Madrid -

              Sorry for the omission, the OS is Solaris 10 and DB version is

              Given the definitions you've supplied of OEM versus EM I believe my question is about EM (the web-based tool that I've known as Oracle Enterprise Manager Database Control). I'm very familiar with EM Grid Control too (and it's differences from EM Database Control).

              For anyone to help with this question they would have to be pretty familiar with two concepts (and their implementation) Oracle Enterprise Users and EM Database Control 10gR2.

              In the past, when I've wanted to give software developers access to 10gR2 EM Database Control I've created a database account called "developer" and assigned this database user to the CONNECT, MGMT_USER and OEM_ADVISOR roles. You also need to grant the “SELECT ANY DICTONARY” system privilege to the account. When you assign a database user to the MGMT_USER role they have the ability to login to EM. The OEM_ADVISOR role allows the user to run the EM advisors. Now I have this account in EM, "developer" that I can allow software developers to login to EM with. They can view tables, monitor DB performance, etc. But they can't do "DBA privilege things" like drop tables, alter tables, etc. This works okay -- but I have no traceability to individual users. Put another way, I don't like "group accounts" in our database.

              Now, recently I migrated our database to the use of Oracle Enterprise Users. Under this system the software system's end-users are defined in an OracleAS Identity Management installation's Oracle Internet Directory. The Enterprise Users don't have individual database accounts, but they can login to the database.

              Back to the original question in my post yesterday (with specifics added). Say I create an Enterprise Role named EM_NON_PRIVILEGED using the ESM tool. In the tool I link this Enterprise Role to a global database role named -- EM_NON_PRIVILEGED_DB. Now, any grants to the database role are available to any Enterprise Users assigned to the Enterprise Role. Cool. So, I assign the CONNECT, MGMT_USER and OEM_ADVISOR roles to the EM_NON_PRIVILEGED_DB role as well as the “SELECT ANY DICTONARY” system privilege. Then, in ESM, I assign Enterprise Users to the EM_NON_PRIVILEGED role.

              My problem is, when I try to login to EM as an Enterprise User that’s assigned to the EM_NON_PRIVILEGED Enterprise Role, I get “The application requires more database privileges than you have currently been granted. Click on Help to get more version specific information.” The “Help” link essentially just says you need the “SELECT ANY DICTONARY” system privilege. Has anyone successfully implemented the ability of Enterprise User’s to be able to login to EM Database Control 10.2?

              Thank you