Sometimes, an enterprise user needs to connect to a database as another user, temporarily having the target user's authorizations and privileges. This capability is particularly useful for midtier tools or applications, which often operate across various databases as enterprise users, their identities established as entries in Oracle Internet Directory. Such an application can maintain a single database connection while switching end user identities, thereby providing functionality in the name of each authorized user in turn.
Enterprise User Security 11g Release 1 (11.1) enhanced the efficiency of the proxy mechanism by introducing a single-session model. The two-session proxy model required maintaining separate sessions for the proxy user and the target user. In the new model, only one session is maintained in the security context of the target user. This leads to an improvement in performance.
Enterprise User Security 11g Release 1 (11.1), and later, allows greater granularity in assigning proxy permissions to enterprise users. Enterprise users can be individually granted permissions to proxy as local database users. The permissions no longer need to be associated with the user's shared schema in the database.
Being able to assign proxy permissions individually to enterprise users means that the permissions can be more specific. Assigning permissions to a shared schema, on the other hand, forces you to assign the same permissions to all users who map to the schema. This can lead to unwarranted rights and privileges.
Enterprise user proxy permissions are created and stored in Oracle Internet Directory. A permission allows one or more enterprise users or groups to proxy as a target database user. Permissions can apply to specific databases or to all databases in the enterprise domain.
By default, domain administrators can manage proxy permissions in the directory for an enterprise domain. These permissions are configured and managed using Oracle Enterprise Manager.
See Also:
For more information on configuring enterprise user proxy permissions, see "Configuring Proxy Permissions"
Setting up such proxying has several stages:

1. Identify all enterprise users who need permissions to proxy to various databases.

2. Identify all the target users in each such database.

3. Issue ALTER USER commands for each such target user, in the following form:

   ALTER USER target_user GRANT CONNECT THROUGH ENTERPRISE USERS

   The target_user can now be proxied to by the enterprise users that have proxy permissions in Oracle Internet Directory. Revoking proxy permission uses similar syntax, replacing GRANT with REVOKE.

   See Also:
   For the full ALTER USER syntax, see Oracle Database SQL Language Reference.
   For Oracle Call Interface usage, see Oracle Call Interface Programmer's Guide.

4. Grant proxy permissions to each enterprise user either individually or as a member of a group. See the section entitled "Granting Proxy Permissions to Enterprise Users".

   Note:
   To establish a group representing those enterprise users who will proxy to the same database user, use Oracle Delegated Administration Services as described in the Oracle Identity Management Guide to Delegated Administration.
With all four of the preceding steps accomplished, your identified enterprise users can proxy to any of the local database users you identified and associated with them. Two versions of the CONNECT command can be used. In (a), you supply the enterprise user's password in the command. In (b), you do not, relying instead on the password being in a wallet whose location was put in the sqlnet.ora file.
To establish an enterprise user proxy connection as a database user, use the following SQL*Plus command syntax, supplying the enterprise user's password:
CONNECT joeproxy[targetuser]@database_service_name
Enter Password:

where you would replace joeproxy with the name of the enterprise user wishing to proxy as targetuser, and replace targetuser with the name of the registered user of the target database. The square brackets are required. Enter the enterprise user's password when prompted for the password.
Once these identities are validated, this connection request results in a single session, in which the proxy user operates in the target database as the target user. The identity of the original user is maintained through to the database, and the audit records can capture both the proxy and the target user's identity.
To connect as an enterprise user proxy for a database user without specifying a password, ensure that the sqlnet.ora file contains the location of the wallet holding that user's password. Then, use the following command syntax:
Note:
The regular proxy login mechanism using OCI calls can still be used. The CONNECT syntax is a new alternative. For more information on the OCI call mechanism, refer to Oracle Database Security Guide.
Although the enterprise user proxy permissions are assigned in Oracle Internet Directory, the database administrator can decide which local accounts are to be available as enterprise user proxy targets. The enterprise domain administrator can assign proxy permissions to only those targets that are available in the dba_proxies view of the database.
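The following script is an added example, not part of the Oracle documentation: it walks the DBA side of the procedure above for one local account, checks the dba_proxies view to confirm exactly which accounts are exposed as enterprise proxy targets, and shows how a proxied session can be told apart from a direct login so that audit records carry both identities. The account name app_reports and the service name are constructed placeholders, and which USERENV attributes the database populates for an enterprise proxy session on your release is an assumption to verify.

```sql
-- Added example (not from the Oracle documentation). Account and service
-- names are constructed placeholders.

-- 1. As a DBA, make the local account APP_REPORTS reachable as a proxy
--    target for enterprise users that hold the matching permission in
--    Oracle Internet Directory.
ALTER USER app_reports GRANT CONNECT THROUGH ENTERPRISE USERS;

-- 2. Review which local accounts are currently exposed as proxy targets.
--    Only accounts listed here can be handed out by the enterprise domain
--    administrator, so this list is the one to keep deliberately short.
SELECT proxy, client, authentication, authorization_constraint
  FROM dba_proxies
 ORDER BY client;

-- 3. From inside a session opened with
--       CONNECT joeproxy[app_reports]@service_placeholder
--    confirm that both identities survive: SESSION_USER is the target
--    account, while PROXY_USER / PROXY_ENTERPRISE_IDENTITY identify the
--    enterprise user who actually authenticated (assumed to be populated
--    for the enterprise proxy case; a direct login returns NULL for them).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')              AS target_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')                AS proxy_user,
       SYS_CONTEXT('USERENV', 'PROXY_ENTERPRISE_IDENTITY') AS proxy_dn
  FROM dual;

-- 4. Withdraw the target when it is no longer needed; the syntax is the
--    same as the grant with REVOKE in place of GRANT.
ALTER USER app_reports REVOKE CONNECT THROUGH ENTERPRISE USERS;
```

Step 2 is the check to repeat after any account change, since a target that remains in dba_proxies stays grantable from the directory even if the application that needed it is gone.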