1.1 Business challenges
A leading business services company based in the Bay Area of California uses Oracle databases as a critical component in their IT infrastructure. They manage users and privileges on an individual database basis, which means there are many challenges, including:
- Management of named users has higher administrative costs, yet is insecure and time consuming.
- Management of privileges in multiple databases is error-prone.
- Obtaining audit reports verifying user access to databases is complex.
- An ineffective process for de-provisioning DB users exposes the system to compliance risk.
The business would also like to implement segregation of duties for managing Oracle database Named User accounts by transitioning database account and privilege assignment duties from the Oracle database team to the Identity and Access Management team.
1.2 Technical challenges
To meet these business challenges, the key is to centralize user authentication and authorization. To achieve this, this company has the following technical requirements:
- Avoid providing a new username and password for database users.
- Active Directory is not an option: the AD administrator is not willing to extend the Active Directory schema or deploy additional DLLs on Active Directory domain controllers.
- Kerberos Authentication is not an option. End users must always provide a password to access databases.
- The solution should not introduce new security procedures to end-users, instead, adapting existing corporate security standards.
- Leverage the existing provisioning system.
- The solution should be scalable and highly available, and should be expandable for other applications in the future.
- Support heterogeneous systems.
2. ZionTech implemented solution
2.1 Centralized authentication and authorization using OUD
Based on technical requirements, the solution is to deploy the Oracle Unified Directory (OUD) with Enterprise User Security.
Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services and provides the ability to centrally manage database users and role memberships in an LDAP directory.
Key activities and processes in the implementation are shown below.
- The Oracle Unified Directory (OUD) is deployed in a highly available architecture and is EUS enabled.
- Oracle databases are configured to connect to OUD, and required metadata is stored under a special naming context in OUD.
- The company’s existing identity provisioning system is connected to OUD to provision users and groups.
- The existing provisioning system is connected to databases using connectors to create users (the customer opted for a dedicated schema per user approach; otherwise it would not be required).
- End users request access on a self-service IDM console. Upon approval by the respective owners, user accounts are created in databases.
- Global roles are created in databases and mapped to OUD groups.
- Users connect to databases using the credentials from OUD. These credentials are the same as the primary user store Active Directory (AD), as IDM synchronizes data to OUD from AD.
This solution provided the following benefits:
- The Oracle Unified Directory enabled the organization achieve centralized authentication and authorization to Oracle databases
- The end user connects to databases using the same network username/password, as data is synchronized to OUD from AD.
- The required configuration for enabling EUS for a database fits nicely into the organization’s standard automated process for database creation.
- The Oracle Unified Directory can be used as an alternative user store to the Active Directory. This provides a lot of flexibility for other applications that require schema extensions in the LDAP directory and can also take some authentication load away from the Active Directory.
- Reduced administration costs
- Increased security
- Improved compliance
- Rapid deployment
- No additional administration
- Eliminated help desk calls