Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, PSADMIN) on the Oracle database server to perform operations.

The target system administrator account requires the least privileges needed to access the Oracle system tables listed below in order to manage users, roles, and privileges. If the target system administrator is a local user and you are targeting an Oracle pluggable database in Oracle 12c or newer, the account also needs privileges to access common objects. The required privileges may vary depending on the operations supported or required:

     connect sys/<sysdbapassword> as sysdba;

     -- Create the target admin
     -- Note that Oracle stores the target administrator account's user ID in uppercase
     -- unless you enclose it in quotes
     create user PSADMIN
     identified by "<password>"
     -- Optional
     default tablespace USERS
     temporary tablespace TEMP;
   

     -- Create session
     grant CREATE SESSION to PSADMIN;
   

     -- Listing accounts
     grant select on sys.dba_users to PSADMIN;
   

     -- Listing groups and group owners (aka Oracle roles)
     grant select on sys.dba_role_privs to PSADMIN;
     grant select on sys.dba_roles to PSADMIN;
   

     -- Listing account attributes
     grant select on sys.dba_ts_quotas to PSADMIN;
     grant select on sys.dba_rsrc_consumer_group_privs to PSADMIN;
     grant select on sys.dba_tab_privs to PSADMIN;
     grant select on sys.dba_sys_privs to PSADMIN;
     grant select on sys.proxy_users to PSADMIN;
     grant select on sys.user$ to PSADMIN;
     grant select on sys.dba_profiles to PSADMIN;

     -- Password reset/lock/unlock of an account
     grant alter user to PSADMIN;
     grant select on sys.user$ to PSADMIN;
     grant select on sys.dba_profiles to PSADMIN;
   

     -- Creating an account
     grant create user to PSADMIN;
   

     -- Deleting an account
     grant drop user to PSADMIN;
   

     -- Adding/removing an account to/from a group (aka Oracle role)
     grant grant any role to PSADMIN;
   

     -- To allow special groups (RESOURCE,DBA) include the following:
     -- grant grant any privilege to PSADMIN;
   

     -- Creating/Deleting a group (aka Oracle role)
     grant create role to PSADMIN;
   

     grant drop any role to PSADMIN;
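
To check that the account ended up with exactly the privileges listed above and nothing broader, the following query compares the data dictionary with that list. It is an added example, not part of the Bravura documentation; it assumes the account is named PSADMIN and that the script above was applied without the optional grant.

```sql
-- Added example (not vendor code). Run as a DBA in the container that holds
-- the account. 'PSADMIN' is the page's example name; a common user in a root
-- container would be C##PSADMIN instead.
with expected as (
  select column_value as grant_text
  from table(sys.odcivarchar2list(
    -- system privileges from the grant script above
    'CREATE SESSION', 'ALTER USER', 'CREATE USER', 'DROP USER',
    'GRANT ANY ROLE', 'CREATE ROLE', 'DROP ANY ROLE',
    -- object privileges from the grant script above
    'SELECT ON SYS.DBA_USERS',
    'SELECT ON SYS.DBA_ROLE_PRIVS',
    'SELECT ON SYS.DBA_ROLES',
    'SELECT ON SYS.DBA_TS_QUOTAS',
    'SELECT ON SYS.DBA_RSRC_CONSUMER_GROUP_PRIVS',
    'SELECT ON SYS.DBA_TAB_PRIVS',
    'SELECT ON SYS.DBA_SYS_PRIVS',
    'SELECT ON SYS.PROXY_USERS',
    'SELECT ON SYS.USER$',
    'SELECT ON SYS.DBA_PROFILES'
  ))
),
actual as (
  -- system privileges held directly by the account
  select privilege as grant_text
  from dba_sys_privs where grantee = 'PSADMIN'
  union
  -- object privileges held directly by the account
  select privilege || ' ON ' || owner || '.' || table_name
  from dba_tab_privs where grantee = 'PSADMIN'
  union
  -- the script grants no roles to the account, so any role is reported
  select 'ROLE ' || granted_role
  from dba_role_privs where grantee = 'PSADMIN'
)
select coalesce(e.grant_text, a.grant_text) as grant_text,
       case
         when a.grant_text is null then 'MISSING'
         when e.grant_text is null then 'UNEXPECTED'
         else 'OK'
       end as status
from expected e
full outer join actual a on a.grant_text = e.grant_text
order by status, grant_text;
```

Rows marked UNEXPECTED, such as GRANT ANY PRIVILEGE (optional on this page) or any granted role, are grants beyond the listed baseline and are the ones to review. Rows marked MISSING correspond to operations the connector will not be able to perform.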

Note

If the account is created as a common user in an Oracle root container database, add the prefix C## or c## to the target system administrator account name. If the account is created as a local user in an Oracle pluggable database, and that pluggable database is configured as a target system, also grant the account permissions to access common roles, objects, and so on.

The connector agtora also supports external authentication by using Windows user login credentials to authenticate the target system administrator. Consult Oracle documentation for more details regarding how to create Oracle database users authenticated externally.

Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the target system to Bravura Security Fabric.