
Preparation

Before Bravura Security Fabric can manage database-level accounts in Oracle, you must:

  1. Install the client software.

  2. Configure a target administrator.

  3. Create at least one template account.

    Note

    The following instructions are for Oracle database 19c. Details may vary depending on your version of the software. The client software must be at least version 11.2.

Installing client software

Bravura Security Fabric communicates with the Oracle server via OCI. Before you can target an Oracle database, you must install the Oracle Client (Administrator) on the Bravura Security Fabric server.

The 64-bit version of the Oracle Client is required for Connector Pack 3.0 and higher.

Add a TNS entry for the Oracle database on which Bravura Security Fabric will manage accounts. To do this:

  1. On the Bravura Security Fabric server, launch Oracle Net Configuration Assistant.

  2. Select Local Net Service Name.

    Click Next.

  3. Click Add on the Net Service Name Configuration page.

    Click Next.

  4. Type the Oracle service name on the Net Service Name Configuration, Service Name page.

    Click Next.

  5. Select a network protocol on the Net Service Name Configuration, Select Protocols page.

    Click Next.

  6. Type the Oracle database server's Host Name and Port Number.

    Ensure that you can connect to the database using a valid user name and password during testing.

    Click Next.

  7. Type the Net Service Name.

    Remember this Net Service Name; you will need it for the local naming method connection when adding the target system to Bravura Security Fabric.

  8. Click Next to finish.

Alternatively, you can set up the connection to the Oracle database server by using a tnsnames.ora file provided by your Oracle database administrator. See your Oracle documentation for how to specify a connection by configuring a tnsnames.ora file without using Oracle Net Configuration Assistant (NetCA).
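The following tnsnames.ora entry is an added example (not from the Bravura documentation) showing what the NetCA steps above produce; the names are assumptions: ORCLPRD is the Net Service Name from step 7, db01.example.com and 1521 are the host and port from step 6, and orclpdb1.example.com is the service name from step 4.

```text
# Added example entry, not part of the product documentation.
# ORCLPRD is the Net Service Name you give to Bravura Security Fabric
# when adding the target system (local naming method).
ORCLPRD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orclpdb1.example.com)
    )
  )
```

Place the file in %ORACLE_HOME%\network\admin on the Bravura Security Fabric server (or in the directory that TNS_ADMIN points to) and verify the entry resolves with `tnsping ORCLPRD` before adding the target system.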

Ensure that the ORACLE_HOME environment variable is set to a valid Oracle home directory that contains OCI.dll. The variable must be set either system-wide or for the psadmin local user.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, PSADMIN) on the Oracle database server to perform operations.

The target system administrator account requires the least privileges needed to access the Oracle system tables listed below in order to manage users, roles and privileges. If the target is an Oracle pluggable database (Oracle 12c or newer) and the target system administrator is a local user, the account also needs privileges to access common objects. The required privileges vary depending on the operations you support or require:

     connect sys/<sysdbapassword> as sysdba;

     -- Create the target admin
     -- Note that Oracle stores the user ID of the target administrator account
     -- in uppercase unless you enclose it in quotes
     create user PSADMIN
     identified by "<password>"
     -- Optional
     default tablespace USERS
     temporary tablespace TEMP;

     -- Create session
     grant CREATE SESSION to PSADMIN;

     -- Listing accounts
     grant select on sys.dba_users to PSADMIN;

     -- Listing groups and group owners (aka Oracle roles)
     grant select on sys.dba_role_privs to PSADMIN;
     grant select on sys.dba_roles to PSADMIN;

     -- Listing account attributes
     grant select on sys.dba_ts_quotas to PSADMIN;
     grant select on sys.dba_rsrc_consumer_group_privs to PSADMIN;
     grant select on sys.dba_tab_privs to PSADMIN;
     grant select on sys.dba_sys_privs to PSADMIN;
     grant select on sys.proxy_users to PSADMIN;
     grant select on sys.user$ to PSADMIN;
     grant select on sys.dba_profiles to PSADMIN;

     -- Password reset/lock/unlock of an account
     -- (the two select grants below are also listed above; repeating them is harmless)
     grant alter user to PSADMIN;
     grant select on sys.user$ to PSADMIN;
     grant select on sys.dba_profiles to PSADMIN;

     -- Creating an account
     grant create user to PSADMIN;

     -- Deleting an account
     grant drop user to PSADMIN;

     -- Adding/removing an account to/from a group (aka Oracle role)
     grant grant any role to PSADMIN;

     -- To allow special groups (RESOURCE, DBA) include the following:
     -- grant grant any privilege to PSADMIN;

     -- Creating/Deleting a group (aka Oracle role)
     grant create role to PSADMIN;
     grant drop any role to PSADMIN;

Note

If the target system administrator account is created as a common user in an Oracle root container database, add the prefix C## or c## to the account name. If the account is created as a local user in an Oracle pluggable database and that pluggable database is configured as a target system, also grant the account permissions to access common roles, objects and so on.

The agtora connector also supports external authentication, using Windows user login credentials to authenticate the target system administrator. Consult the Oracle documentation for details on how to create Oracle database users that are authenticated externally.

Ensure that you set and note the account's password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.
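As an added check (example SQL, not from the Bravura documentation), the following queries list what the target system administrator actually holds so that it can be compared against the grant script above; they assume the account is named PSADMIN (use C##PSADMIN for a common user) and are run by a user who can read the DBA_* views, such as SYS.

```sql
-- Added verification queries; not part of the product documentation.
-- Run after the grant script, as SYSDBA or another user with SELECT on
-- the DBA_* views. Replace PSADMIN with the name you actually created.

-- 1. System privileges held directly. Expected: CREATE SESSION, ALTER USER,
--    CREATE USER, DROP USER, GRANT ANY ROLE, CREATE ROLE, DROP ANY ROLE, and
--    GRANT ANY PRIVILEGE only if RESOURCE/DBA membership must be managed.
--    ADMIN_OPTION should be NO for all of them.
select privilege, admin_option
  from sys.dba_sys_privs
 where grantee = 'PSADMIN'
 order by privilege;

-- 2. Object privileges. Expected: SELECT only, on the SYS views and tables
--    named in the script. SYS.USER$ also holds password verifiers, so this
--    grant is sensitive and the PSADMIN credential must be protected.
select owner, table_name, privilege, grantable
  from sys.dba_tab_privs
 where grantee = 'PSADMIN'
 order by owner, table_name;

-- 3. Role memberships. The script grants none; a DBA or RESOURCE row here
--    means the account is over-provisioned.
select granted_role, admin_option, default_role
  from sys.dba_role_privs
 where grantee = 'PSADMIN';

-- 4. Anything outside the documented set is returned here; an empty result
--    means the account matches the least-privilege list above.
select privilege
  from sys.dba_sys_privs
 where grantee = 'PSADMIN'
   and privilege not in ('CREATE SESSION', 'ALTER USER', 'CREATE USER',
                         'DROP USER', 'GRANT ANY ROLE', 'CREATE ROLE',
                         'DROP ANY ROLE', 'GRANT ANY PRIVILEGE');
```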

Creating a template account

Bravura Security Fabric uses template accounts as models or "blueprints" for creating new Oracle accounts. The following example illustrates how you can create a template account on your Oracle server:

create user IDM_TEMP_ACCT
   identified by Out_standing1
   default tablespace EXAMPLE
   quota 10M on EXAMPLE
   profile APP_USER
   password expire;

See your database administrator or Oracle documentation for more information if required.