Integrating OUD and EUS: Users and Groups Mapping

After preparing the OUD and the database for EUS, users from the directory can be authenticated to the database. However, they have to be associated with a schema in the database.

Directory identities are mapped to database schemas. The database schema can be dedicated or a shared schema. Directory groups are mapped to database roles.

Create a shared schema in the database

  • Creating a shared schema in the database enables one to map multiple enterprise users to the same schema.
  • Run the following similar SQL statements on the database to create a user and grant basic connect access.
  • We will then map a subtree from the OUD to this shared schema.
CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
GRANT CONNECT TO global_ident_schema_user;

  • Now log in to the database Enterprise Manager and select Enterprise User Security under the Server tab.
  • Provide the directory manager credentials and log in.
  • Click Manage Enterprise Domains, click Configure, and go to the User Schema Mappings tab.
  • Click Create.
  • Select Subtree and click the torch icon to select the subtree of users to map to this shared schema. Click Continue.
  • Now try to log in to the database with OUD user credentials.


Creating a dedicated schema in the database

To map a directory user directly to a database schema, the first step is to get the complete DN of this particular user from the OUD.
A complete DN looks like this:
uid=nasir,ou=people,dc=ziontech,dc=net

Now, on the database, run the following statement to create a user called ldap_nasir locally in the database. This user will be authenticated using the OUD credentials of the directory entry with that DN.

create user ldap_nasir identified globally as 'uid=nasir,ou=people,dc=ziontech,dc=net';

We can also alter an existing user in the database so that the user will now use OUD credentials to login.

alter user existing_user identified globally as 'uid=nasir,ou=people,dc=ziontech,dc=net';

Mapping roles

  • Similarly, we can map directory groups to database roles under the Enterprise Roles tab, and configure proxy permissions there as well.
  • We will now create a global role in the database that allows access to the hr.employees table. The following SQL statements create a global role, hr_access, and grant the necessary privilege to it.
CREATE ROLE hr_access IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_access;
  • Next, we create an enterprise role called hr_access and assign the global role to it. We then assign this enterprise role to the enterprise user, nasir. The enterprise role can be created using Enterprise Manager.

To create the enterprise role, hr_access:

  • Log in to Enterprise Manager.
  • Click the Server tab. Under the Security section, click Enterprise User Security.
  • Enter the distinguished name (DN) of a directory user who can administer enterprise users in the User field. Enter the user password in the Password field. Click Login.
  • The Enterprise User Security page appears.
  • Click Manage Enterprise Domains.
  • The Manage Enterprise Domains page appears. This page lists the enterprise domains in the identity management realm.
  • Select the enterprise domain that contains the database. Click Configure.
  • The Configure Domain page appears.
  • Click the Enterprise Roles tab.
  • Click Create.
  • The Create Enterprise Role page appears.
  • Enter hr_access in the Name field.
  • Click Add to add the database global role to the enterprise role.
  • The Search and Select Database Global Roles window is displayed.
  • Select the hr_access global role in your database. Click Select.

Note: You will be required to log in to the database before you can select the global role.

  • Click the Grantees tab. Click Add.
  • The Select Users or Groups window appears.
  • Select user Nasir. Click Select.
  • Click Continue in the Create Enterprise Role page.
  • Click OK in the Configure Domain page.

The enterprise user, Nasir, can now access the hr.employees table in the database.
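As an added example (not part of the original post), the following SQL collects the global objects created in the shared-schema, dedicated-schema and role-mapping sections above and adds the queries a DBA would use to verify that the EUS mapping actually took effect. The names global_ident_schema_user, ldap_nasir and hr_access and the DN uid=nasir,ou=people,dc=ziontech,dc=net are the post's own; the verification queries use standard Oracle dictionary views and USERENV attributes.

```sql
-- Added example, not from the original post. The CREATE/GRANT statements are
-- run as a privileged database user; the SYS_CONTEXT and SESSION_ROLES
-- queries are run from a session opened with OUD (directory) credentials.

-- Shared schema: many directory users (a subtree) map to one database schema.
CREATE USER global_ident_schema_user IDENTIFIED GLOBALLY;
GRANT CONNECT TO global_ident_schema_user;

-- Dedicated schema: exactly one directory entry, identified by DN, maps here.
CREATE USER ldap_nasir IDENTIFIED GLOBALLY
  AS 'uid=nasir,ou=people,dc=ziontech,dc=net';

-- Global role: it is granted to users through an enterprise role in the
-- directory (Enterprise Roles tab in EM), not with GRANT ... TO user.
CREATE ROLE hr_access IDENTIFIED GLOBALLY;
GRANT SELECT ON hr.employees TO hr_access;

-- Check 1 (as DBA): which schemas and roles are directory-authenticated.
-- ldap_nasir should show its DN in EXTERNAL_NAME; the shared schema shows none.
SELECT username, authentication_type, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';

SELECT role, authentication_type
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';

-- Check 2 (in a session logged in with OUD credentials): the database schema
-- the session landed in, how it was authenticated, and the directory DN it
-- was resolved to. If ENTERPRISE_IDENTITY is empty, the user was not mapped
-- through EUS at all.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS db_schema,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS directory_dn
  FROM dual;

-- hr_access should be listed once the enterprise role grants it to this user.
-- An empty result means the enterprise role -> global role -> grantee chain
-- in the directory is incomplete or no longer matches this database's
-- registration below cn=OracleContext.
SELECT role FROM session_roles;
```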

2 Comments

  1. idam_learner
    December 8, 2016 at 9:47 pm

    Great Post.
    Have you ever faced an issue with Global Roles not being assigned to EUS users? I have users in AD, created Global roles in the DB, created Groups in AD. Registered a DB with the OUD proxy server and completed EUS mappings. Users are able to login with their AD password and access DB roles. But after a few weeks some of them cannot access roles. "select * from session_roles" used to show Global roles, but now it shows an empty list!!!!!!!!!!!!!! Any idea?

    Thanks in advance.

  2. Phani M
    December 12, 2016 at 6:24 pm

    Did something change on the Database end? Like upgrade, change of ORACLE_HOME etc., de-registration, clones etc ?

    EUS configuration is stored below cn=OracleContext in OUD. Check if they exist.
