We do not cover incident management (see Chapter 12 for that), or more-advanced features such as product
extensibility and the command-line interface. This chapter is intended primarily to orient you to the basic layout of
the console and the essential operations you will initially perform.
Security Management
Starting with this release, Oracle has centralized much of the security management in the product. To operate effectively,
you will need to spend some time configuring the credentials that you require. In particular, you will need to
administer the areas of security included in Table 4-1.
Table 4-1. Securable Items Within Cloud Control

Area                              Purpose                  Example
Enterprise Manager administrator  User access to EM        SYSMAN
Enterprise Manager roles          Rights within EM         PUBLIC
Named credentials                 Target access            NC_DB_ORCL_SYS
Preferred credentials             Target access            NC_DB_ORCL_SYSTEM
Monitoring credentials            Agent access to targets  DBSNMP

In addition, you will probably want to set up a privilege delegation scheme, so that necessary rights for
administration are cascaded through a simple hierarchy of roles, as well as rotation of agent registration passwords. These
items, however, are highly dependent on the organization and security requirements of the enterprise for which you
work and so lie outside the scope of this topic.
The core concept here is that of named credentials. These preconfigured authentication credentials allow
users and administrators to access various managed targets in a secure fashion without remembering a plethora of
username/password combinations. The time you spend setting these up will seem rather tedious, especially in a
large environment, but it is well worth it in terms of time saved in day-to-day operations and in allowing end users
appropriately privileged access without disclosing passwords. You should set up the named credentials by using an
account that is unlikely to be removed. (For example, you could use SYSMAN to own all named credentials and then
grant access to named administrators.) This concept of a credential set to which administrators have access is a
big step forward in security and will likely be welcomed by your internal security administrators. On the downside,
you are likely to end up having to walk them through this process and explain access control, which is now more
complicated than previously.
Tip
We strongly suggest that you implement a naming convention for credentials, because you will have a lot of
credentials to manage. One example is to use NC_<TARGETTYPE>_<TARGETNAME>_<USER> to indicate the user and targets
to which the credentials apply. This works for an environment in which passwords differ between targets, but your setup
may vary.
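A convention like this is only useful if it is enforced, so the following added example (not from the original text or from Oracle) audits a list of credential names against NC_<TARGETTYPE>_<TARGETNAME>_<USER> and builds a per-target inventory. It assumes uppercase names, that user names contain no underscore, and that HOST is a valid type abbreviation alongside the DB shown in Table 4-1; the function names and sample list are hypothetical.

```python
import re
from collections import defaultdict

# Assumed abbreviations for <TARGETTYPE>; the text itself only shows DB.
KNOWN_TYPES = {"DB", "HOST"}

# NC_<TARGETTYPE>_<TARGETNAME>_<USER>. The target name may itself contain
# underscores, so the user is taken as the final underscore-free segment.
PATTERN = re.compile(
    r"^NC_(?P<type>[A-Z0-9]+)_(?P<target>[A-Z0-9_]+)_(?P<user>[A-Z0-9$#]+)$")

def parse_credential_name(name):
    """Return (type, target, user), or None if the name breaks the convention."""
    m = PATTERN.match(name)
    if not m or m.group("type") not in KNOWN_TYPES:
        return None
    target = m.group("target")
    if target.startswith("_") or target.endswith("_") or "__" in target:
        return None  # empty segment, e.g. NC_DB__ORCL_SYS
    return m.group("type"), target, m.group("user")

def audit(names):
    """Split names into a per-target inventory and a list of violations."""
    inventory, violations = defaultdict(set), []
    for name in names:
        parsed = parse_credential_name(name)
        if parsed is None:
            violations.append(name)
        else:
            ttype, target, user = parsed
            inventory[(ttype, target)].add(user)
    return dict(inventory), violations

# Constructed sample list; only the first two names appear in Table 4-1.
SAMPLE = [
    "NC_DB_ORCL_SYS",
    "NC_DB_ORCL_SYSTEM",
    "NC_DB_PROD_EAST_DBSNMP",   # target name containing an underscore
    "NC_HOST_DBHOST01_ORACLE",
    "orcl_sys",                 # no prefix, wrong case
    "NC_DB_SYS",                # target name missing
    "NC_ASM_ORCL_SYS",          # target type not in KNOWN_TYPES
]

if __name__ == "__main__":
    inventory, violations = audit(SAMPLE)
    for (ttype, target), users in sorted(inventory.items()):
        print(f"{ttype:5} {target:12} {', '.join(sorted(users))}")
    print("Non-conforming:", ", ".join(violations))
```

Because the target name can contain underscores, a user name that also contains one would be split incorrectly; if your environment has such accounts, choose a different separator for the convention.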
The first security administration task is to add administrator accounts. Once this is done, you can define and
assign roles and set up access.
 
 