- Posted by Gavin Soorma
- On September 2, 2014
- 1 Comments
- 12c, cloud control, dynamic groups, groups, roles, security, targets
Let us have a look at some of the security features in 12c Cloud Control and we will look at Roles and Dynamic Groups.
Let us say for example we have a team of DBA’s supporting both MS SQL Server as well as Oracle databases and the 12c agents have now been deployed to all the Oracle as well as SQL Server hosts.
The requirement is that when the SQL Server DBA’s connect via 12c Cloud Control they should only see the SQL Server target hosts and databases and when the Oracle DBA’s connect likewise they see all the target servers where the Oracle databases are hosted.
We first create a Dynamic Group. From the Setup >> Add Target >> Dynamic Group menu
Enter the group name MSSQL_DBA_GROUP and click the Privilege Propagation box
Click on the Define Membership Criteria button
In the Target Types field select Microsoft SQL Server from the list of target values
Create a similar group called ORA_DBA_GROUP
We can see that depending on the targets we have already discovered on the hosts where the agents have been deployed the Oracle and SQL Server database target members are automatically added to their respective groups.
Next we create a couple of roles – MSSQL_DBA_ROLE and ORA_DBA_ROLE.
From the Setup >> Security >> Roles menu click on Create button.
Create a role called MSSQL_DBA
Click on Next and in the Target Privileges section click on Add
In the Target Type select Group and select the MSSQL_DBA_GROUP
Click on the pencil icon in the Manage Target Privilege Grants and change that from View to Full
Click on Review and then Finish
Similarly create another role called ORA_DBA_ROLE and ensure that we select the ORA_DBA_GROUP this time.
Grant the roles we have created to the administators based on the type of databases they support and wish to view as targets in Cloud Control.
From the Setup >> Security >> Administrators menu select the administrator account and click on Edit.
Click Next and in the Roles screen select the appropriate role which we had created earler
If connect as this admin user, we only see the Oracle database targets displayed.
But if we connect as the Sysman user, we can see all the targets – both Oracle as well as SQL Server