13 Managing Security

This section discusses how to implement security options for Oracle Warehouse Builder. This section includes the following topics:

About Metadata Security

Warehouse Builder enables you to define security on the metadata stored in the design repository. Warehouse Builder metadata security operates in conjunction with Oracle Database security: Oracle Database provides security for the data, while Warehouse Builder provides security for the metadata. In addition to being registered in the repository, all users must also be database users in the design repository database. Database users may access the data in the database by using SQL*Plus, but they cannot access Warehouse Builder and its metadata unless they are also registered in Warehouse Builder.

Metadata security is both optional and flexible. You may choose not to apply any metadata security controls, or you may define a metadata security policy. You have the option to define multiple users and apply either full security control or none. You may also implement a custom security strategy based on the security service. After you define a custom security strategy, you may adapt it over time to be more or less restrictive.

The topics in this section describe how to implement metadata security using the Design Center. You may also implement security through OMB Plus. For more information, refer to the Oracle Warehouse Builder API and Scripting Reference.

About the Security Service

Only users with administrative privileges can access the security service under the Globals Navigator to manage the users and roles of the security policy in Warehouse Builder. When you install Warehouse Builder and then use the Repository Assistant to create a design repository, Warehouse Builder makes the design repository owner the default administrator. The first time you start the Design Center after installation, you must log in as the design repository owner.
You can then define additional administrators or other users as necessary. When you log into the Warehouse Builder Design Center as the design repository owner, it displays the Globals Navigator.

[Illustration: globals_navigator.gif]

To view default security settings:
For a complete list of all the tasks administrators can perform, see "Administrator Role".

Evaluating Metadata Security Strategies

Warehouse Builder enables you to design a metadata security strategy that fits your implementation requirements. As you define your metadata security strategy, recognize that more restrictive policies are more time consuming to implement and maintain. Consider modeling your strategy on one of the following security strategies:

Minimal Metadata Security Strategy (Default)

Minimal metadata security is the default security policy when you create a new design repository. As your project requirements change over time, you may apply other metadata security strategies. For example, you may not need extra metadata security if you are implementing an internal pilot project, or if you anticipate only a few trusted users.

In the case of a minimal metadata security strategy, all users may log into Warehouse Builder with the same user name and password, that of the design repository owner. Oracle Database security policies keep the data in the design repository secure, but the metadata is available to anyone who knows the design repository owner logon information. All users can create, edit, and delete all objects.

Multiuser Security Strategy

If your implementation has multiple users and you want to track who performs what operations, implement a multiuser security strategy. This strategy restricts the rights and access granted to the design repository owner to a single user. Although this strategy does not restrict user access to metadata objects, you can apply restrictions at a later date.

To implement security for multiple users: Log into Warehouse Builder as an administrator and complete the instructions in the following sections:

Full Metadata Security Strategy

This section describes a process for applying all the metadata security options available in Warehouse Builder. You can enable all or some of these options.
For instance, you could take steps one through three but ignore the remaining steps. Be sure to edit the security properties for all projects in the Project Navigator. By default, the

To implement full metadata security for multiple users: Log into Warehouse Builder as an administrator and complete the instructions in the following sections:
Registering Database Users

All Warehouse Builder users must also be Oracle Database users. You can create new OWB users in one of two ways:
For security reasons, you cannot register database administrator users, for example

Registering Existing Database Users

This section explains how to register existing database users.

To register existing database users:
Creating New Oracle Database Users

This section explains how to create new database users. You must have the database system privilege

To create a new database user:
Changing Database Default Roles

For security reasons, you cannot register database users that have

Fix Now

If you select the Fix Now option, type the user name and password with

For example, when you register new users, the database role

alter user username default role all except OWB$CLIENT

Fix Later

If you select the Fix Later option, the user is not registered. You must manually change the default role setting in the database using SQL, and then register the user in OWB. To manually change the setting, connect to the database as a user with the

Note the following SQL script for changing the default roles of selected users. It changes the default role setting so that any role subsequently granted to the user cannot be the default role of that user. To change this, register the user and then issue the following command:

alter user username default role all except OWB$CLIENT

Editing User Profiles

For each user, you can enter an optional description, assign the user to existing Roles, and specify the Default Object Privilege and the System Privileges. These are Oracle Database users, so you cannot rename a user in OWB; you must do that through Oracle Database. Note that granting or revoking roles and privileges only takes effect in the next OWB session.

To edit a user profile:
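An added audit helper for the Fix Later path (example code, not Oracle's script, which this page does not reproduce): it takes rows in the shape of the DBA_ROLE_PRIVS view (GRANTEE, GRANTED_ROLE, DEFAULT_ROLE), lists the users for whom OWB$CLIENT is currently a default role, and emits the ALTER USER statement shown above for each of them. The rows and user names are constructed sample data.

```python
# Added example: find database users that OWB would refuse to register
# because OWB$CLIENT is one of their default roles, and generate the fix.
# Rows are constructed here; in practice they come from
#   SELECT grantee, granted_role, default_role FROM dba_role_privs;
from typing import List, Tuple

Row = Tuple[str, str, str]  # (GRANTEE, GRANTED_ROLE, DEFAULT_ROLE 'YES'/'NO')

ROLE_PRIVS: List[Row] = [          # constructed sample export
    ("ETL_DEV",  "CONNECT",    "YES"),
    ("ETL_DEV",  "OWB$CLIENT", "YES"),   # default role: registration refused
    ("ANALYST",  "CONNECT",    "YES"),
    ("ANALYST",  "OWB$CLIENT", "NO"),    # already non-default: nothing to do
    ("REPORTER", "CONNECT",    "YES"),   # never granted OWB$CLIENT
]

def users_needing_fix(rows: List[Row]) -> List[str]:
    """Users for whom OWB$CLIENT is a default role."""
    return sorted({g for g, role, dflt in rows
                   if role == "OWB$CLIENT" and dflt == "YES"})

def fix_statements(rows: List[Row]) -> List[str]:
    """One ALTER USER per affected user, in the form the documentation gives."""
    return [f"ALTER USER {u} DEFAULT ROLE ALL EXCEPT OWB$CLIENT;"
            for u in users_needing_fix(rows)]

def apply_fix(rows: List[Row]) -> List[Row]:
    """Simulate DEFAULT ROLE ALL EXCEPT OWB$CLIENT on the exported rows:
    every currently granted role of an affected user stays default
    except OWB$CLIENT, so a second audit pass finds nothing."""
    affected = set(users_needing_fix(rows))
    return [(g, r, ("NO" if r == "OWB$CLIENT" else "YES") if g in affected else d)
            for g, r, d in rows]

if __name__ == "__main__":
    for stmt in fix_statements(ROLE_PRIVS):
        print(stmt)
```

Run the generated statements as a user holding the required privileges, then register the user in OWB; a fresh DBA_ROLE_PRIVS export should then yield no users from users_needing_fix.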
Roles

You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then the user is granted the more permissive privilege, which is the union of all the privileges granted to the multiple roles. For example, if you assign to the same user a role that allows creating a snapshot and a role that restricts it, then the user is allowed to create snapshots.

If you want to assign a user to a role that does not display on the Available Roles list, close the editor, create the new role, and then edit the user account. To create a new role, right-click Roles under the Security node in the Globals Navigator and select New Role. For information on creating and editing roles, see Defining Security Roles and Editing Role Profiles.

Default Object Privilege

Default object privileges define the access other users and roles have to objects that the selected user creates. These privileges do not affect the privileges the user has for accessing objects created by other users. For example, for all objects that

[Illustration: object_priv_01.gif]

If you are familiar with UNIX operating system security, note that the default object privilege is similar to the

To define the privileges other users have to objects the selected user creates, check the appropriate box for each role or user. You can grant the following privileges: FULL CONTROL, EDIT, COMPILE, and READ. All the privileges are additive. If you select COMPILE, then you apply both the compile and read privileges. Note that access may be granted both to roles and to individual users. Note, however, that when you grant access to a role, the privilege is extended to all users in that role. For example, even though

By default, when you create a new user, the

Securing Metadata Objects Throughout their Life Cycle

Default object privileges work in conjunction with object security properties to provide security options throughout the life cycle of a given metadata object.
Settings you specify on the Default Object Privilege tab persist until a qualified user overrides the restrictions, on an object-by-object basis. Assume that

[Illustration: object_priv_02.gif]

For more details on overriding the default security on an object-by-object basis, see "Applying Security Properties on Specific Metadata Objects".

Object Privileges

Object privileges apply to all metadata objects in the repository, including projects, modules, and collections.

FULL CONTROL: Full control includes all the other privileges plus the ability to grant and revoke privileges on an object. Only users with full control over an object can override default security on an object-by-object basis, as described in "Applying Security Properties on Specific Metadata Objects".

EDIT: The edit privilege includes the compile and read privileges. Additionally, edit allows users to delete, rename, and modify an object.

COMPILE: The compile privilege includes the read privilege and enables you to validate and generate an object.

READ: The read privilege enables you to view an object.

System Privileges

System privileges define user access to workspace-wide services. Use the System Privilege tab to allow or restrict users and roles from performing administrative tasks. You can control access to the following operations:

[Illustration: system_priv_01.gif]
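An added model (example code, not part of the Warehouse Builder product or its documentation) of how the additive object privileges described above combine: a user's effective privilege on an object is the union of what is granted to the user directly, to any of the user's roles, and to EVERYONE, and an object's Security tab setting replaces the creator's Default Object Privilege for that object. The operation-to-privilege mapping follows the definitions above; role names, user names and grant tables are constructed sample data.

```python
# Added example: resolve a user's effective object privilege under the
# additive READ < COMPILE < EDIT < FULL CONTROL model, with union across
# roles and an optional per-object override (the Security tab).
from typing import Dict, Optional, Set

# Privileges are additive: each level implies every level below it.
LEVELS = ["READ", "COMPILE", "EDIT", "FULL CONTROL"]

# What each privilege permits, as stated in the documentation.
OPERATIONS = {
    "view": "READ",
    "validate": "COMPILE", "generate": "COMPILE",
    "modify": "EDIT", "rename": "EDIT", "delete": "EDIT",
    "grant": "FULL CONTROL", "revoke": "FULL CONTROL",
}

def implied(privilege: str) -> Set[str]:
    """Expand one granted privilege into everything it includes."""
    return set(LEVELS[: LEVELS.index(privilege) + 1])

def effective_privileges(user: str, user_roles: Dict[str, Set[str]],
                         default_privs: Dict[str, str],
                         override: Optional[Dict[str, str]] = None) -> Set[str]:
    """Union of privileges granted to the user, to any of the user's roles,
    or to EVERYONE. `override` models an object's Security tab setting; when
    present it replaces the creator's Default Object Privilege entirely."""
    grants = override if override is not None else default_privs
    grantees = {user, "EVERYONE"} | user_roles.get(user, set())
    result: Set[str] = set()
    for grantee in grantees:
        if grantee in grants:
            result |= implied(grants[grantee])  # union: most permissive wins
    return result

def can(user: str, op: str, user_roles: Dict[str, Set[str]],
        default_privs: Dict[str, str],
        override: Optional[Dict[str, str]] = None) -> bool:
    return OPERATIONS[op] in effective_privileges(user, user_roles,
                                                  default_privs, override)

# Constructed sample: two roles with conflicting grants on a designer's objects.
ROLES = {"alice": {"DEVELOPER", "REVIEWER"}, "bob": {"REVIEWER"},
         "carol": {"ADMINISTRATOR"}}
DESIGNER_DEFAULTS = {"EVERYONE": "READ", "DEVELOPER": "EDIT", "REVIEWER": "COMPILE"}
# Security tab override that freezes a finished project: only administrators change it.
FROZEN = {"EVERYONE": "READ", "ADMINISTRATOR": "FULL CONTROL"}

if __name__ == "__main__":
    print(sorted(effective_privileges("alice", ROLES, DESIGNER_DEFAULTS)))
    print(can("alice", "modify", ROLES, DESIGNER_DEFAULTS, FROZEN))
```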
Support for a Multiple-user Environment

Warehouse Builder enables multiple users to access the same Warehouse Builder repository at the same time by managing read/write privileges. Only one user is given write privileges to an object at any given time. All other users can have read-only access. If a user has write access to an object, Warehouse Builder maintains a lock on the object while the object editor is open. If no changes were made to the object, then the lock is released as soon as the object editor is closed. If changes were made, then the lock is maintained until the user closes all editors associated with the object and either saves the changes or reverts to the last saved version. Other users cannot delete an object while it is in use.

Read/Write Mode

Whenever you open an editor, property sheet, or dialog box, you access objects in read/write mode by default. Your changes are available to other users only after you save them to the repository.

Read-Only Mode

If you attempt to open an object locked by another user, or if you have only

A user who is editing an object in

Defining Security Roles

You can use roles to represent groups of users with similar responsibilities and privileges. Unlike users, which are also database users, these roles are not database roles. These roles are purely design constructs for implementing security within the product. Roles enable you to manage privileges more efficiently, because it is more efficient to grant or restrict privileges for a single role than for multiple users. The Everyone Role and the Administrator Role are predefined roles. You can edit the privileges of the predefined roles but cannot delete or rename them.

To create a new role:
Everyone Role

Use this role to easily manage privileges for all users. When you register new users, Warehouse Builder assigns those users to the

Administrator Role

Administrators in Warehouse Builder can perform various security tasks, such as:
Editing Role Profiles

For each role that you create, you can edit the name, enter an optional description, assign the role to existing Users, and specify the system privilege. You cannot rename or edit the descriptions of the predefined roles.

To alter default security privileges for a role:
Users

You can assign multiple users to a role. If you want to assign a user that does not display on the Available Users list, then close the editor, create the user from the Security node in the Globals Navigator, and then edit the role. To create a new user, right-click Users from the Security node and select New User. For information on creating and editing users, see Registering Database Users and Editing User Profiles.

Applying Security Properties on Specific Metadata Objects

You can grant or restrict access to metadata objects on an object-by-object basis.

To change security properties of a specific metadata object:
Security Tab

Use the Security tab to define metadata security on an object-by-object basis. Only users that have full control privileges on an object can change the metadata access controls on the Security tab. Security properties are important in managing the life cycle of your projects, as described in "Example: Using Security Properties to Freeze a Project Design".

While the Default Object Privilege defines metadata security for objects a specific user creates, the Security tab overrides that metadata security policy on an object-by-object basis. Assume that

To enforce a full metadata strategy, edit the security properties for all projects in the Project Navigator. By default, the

Propagating Security Properties to Child Objects

You can apply security properties to an object and all its children by selecting Propagate on the Security tab. This option is disabled when you select an object that cannot have child objects.

Example: Using Security Properties to Freeze a Project Design

When users complete the design of a project, you may want to freeze the contents of the project. Once you complete the following steps, only administrators can change the objects in the project.

To freeze a project design:
Security Enforcement

When any user attempts to perform an operation in Warehouse Builder, Warehouse Builder first verifies that the user has the required privileges to perform the operation. Table 13-1 lists the privileges required to run operations in Warehouse Builder.

Table 13-1 Privileges Required for the Execution of Operations
Managing Passwords in Warehouse Builder

You can manage passwords within Warehouse Builder in the following ways:

Credential Memory on Logon Panel

The logon dialog that appears when the Warehouse Builder Design Center is launched retains a list of previously used credentials. This is a convenience for Design Center users who frequently work with the same workspaces. The feature enables OWB to remember login information.

Changing Passwords that Access Warehouse Builder

In keeping with standard security practices, you may want to periodically change the passwords used to access Warehouse Builder repositories.

Changing Passwords that Access Design Repositories

Manage the passwords to design repositories as you would those of any other Oracle Database.

Changing Passwords that Access Control Centers

To change the password for a repository that hosts a Control Center, and is therefore a deployment environment, you must first stop the Control Center service, run a script to change the password, and then restart the Control Center service.

To change the password for a repository that hosts a Control Center:
Encrypting Passwords to Warehouse Builder Locations

Warehouse Builder users create a location for each database, file server, or application from which they want to extract, or to which they want to load, metadata and data. Locations include the user name and password used to access these various sources and targets. Warehouse Builder can store these passwords in the repository in encrypted form. The switch that turns password storage on and off is Persist Location Password in Metadata, which is located in the Design Center under Tools, Preferences, Security Parameters.

The default encryption algorithm utilized is

encryption_client; default = REQUIRED
encryption_types_client; default = ( DES56C )
crypto_checksum_client; default = REQUESTED
crypto_checksum_types_client; default = ( MD5 )

For the protocol to work, set the server to the default