12c Cloud Control Security – Dynamic Groups and Roles

  • Posted by Gavin Soorma
  • On September 2, 2014
  • 1 Comments
  • 12c, cloud control, dynamic groups, groups, roles, security, targets

Let us have a look at some of the security features in 12c Cloud Control, specifically Roles and Dynamic Groups.

Say, for example, we have a team of DBAs supporting both MS SQL Server and Oracle databases, and the 12c agents have now been deployed to all the Oracle and SQL Server hosts.

The requirement is that when the SQL Server DBAs connect via 12c Cloud Control they should see only the SQL Server target hosts and databases, and when the Oracle DBAs connect they likewise see all the target servers where the Oracle databases are hosted.

We first create a Dynamic Group from the Setup >> Add Target >> Dynamic Group menu.

Enter the group name MSSQL_DBA_GROUP and click the Privilege Propagation box

Click on the Define Membership Criteria button

In the Target Types field select Microsoft SQL Server from the list of target values



Create a similar group called ORA_DBA_GROUP

We can see that, based on the targets already discovered on the hosts where the agents have been deployed, the Oracle and SQL Server database targets are automatically added as members of their respective groups.

Next we create a couple of roles – MSSQL_DBA_ROLE and ORA_DBA_ROLE.

From the Setup >> Security >> Roles menu click on the Create button.

Create a role called MSSQL_DBA

Click on Next and in the Target Privileges section click on Add.

In the Target Type select Group and select the MSSQL_DBA_GROUP.

Click on the pencil icon in the Manage Target Privilege Grants and change that from View to Full

Click on Review and then Finish

Similarly create another role called ORA_DBA_ROLE and ensure that we select the ORA_DBA_GROUP this time.

Grant the roles we have created to the administrators based on the type of databases they support and wish to view as targets in Cloud Control.

From the Setup >> Security >> Administrators menu select the administrator account and click on Edit.

Click Next and in the Roles screen select the appropriate role which we had created earlier.

If we connect as this admin user, we only see the Oracle database targets displayed.

But if we connect as the Sysman user, we can see all the targets – both Oracle as well as SQL Server.
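The separation configured above can be checked with a small model. This is an added example, not Cloud Control code or an Oracle API: it simulates dynamic group membership and privilege propagation and reports any administrator who can see a target of the wrong type. The target names, the administrator accounts ORA_ADMIN and SQL_ADMIN, the "Oracle Database" type label and the simplified rule that a grant on a group reaches its members only when Privilege Propagation is ticked are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed inventory of (target name, target type); names are hypothetical.
TARGETS = [
    ("orcl_prod", "Oracle Database"),
    ("orcl_dev", "Oracle Database"),
    ("sqlprod01", "Microsoft SQL Server"),
]

@dataclass(frozen=True)
class DynamicGroup:
    name: str
    target_type: str             # the membership criterion
    privilege_propagation: bool  # the Privilege Propagation box

    def members(self, targets):
        # Membership is recomputed from the inventory, never stored.
        return {n for n, t in targets if t == self.target_type}

GROUPS = {
    "MSSQL_DBA_GROUP": DynamicGroup("MSSQL_DBA_GROUP", "Microsoft SQL Server", True),
    "ORA_DBA_GROUP": DynamicGroup("ORA_DBA_GROUP", "Oracle Database", True),
}
# Role -> group on which the role holds Full.
ROLES = {"MSSQL_DBA_ROLE": "MSSQL_DBA_GROUP", "ORA_DBA_ROLE": "ORA_DBA_GROUP"}
# Administrator -> granted roles (hypothetical account names).
ADMINS = {"ORA_ADMIN": ["ORA_DBA_ROLE"], "SQL_ADMIN": ["MSSQL_DBA_ROLE"]}

def visible_targets(admin, targets, groups=GROUPS, roles=ROLES, admins=ADMINS):
    """Targets an administrator reaches through role -> group -> members."""
    seen = set()
    for role in admins[admin]:
        group = groups[roles[role]]
        if group.privilege_propagation:  # otherwise the grant stops at the group
            seen |= group.members(targets)
    return seen

def audit(targets, expected_type, **kw):
    """Return (admin, target) pairs where an admin sees an unexpected target type."""
    types = dict(targets)
    return sorted((a, n) for a, want in expected_type.items()
                  for n in visible_targets(a, targets, **kw) if types[n] != want)

if __name__ == "__main__":
    for admin in ADMINS:
        print(admin, sorted(visible_targets(admin, TARGETS)))
    # A newly discovered target joins its group with no change to any role.
    grown = TARGETS + [("sqldev02", "Microsoft SQL Server")]
    print("SQL_ADMIN after discovery:", sorted(visible_targets("SQL_ADMIN", grown)))
```

Feeding `audit` a real export of targets and role grants in place of the constructed data turns it into a periodic check that no administrator has picked up a second role.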


1 Comments

Paul
  • Feb 21 2017
Thank you. Excellent article.
