Create a new user in Obiee12c - oracle

How to create a new user account in OBIEE 12c? What is LDAP?
I go to Application Roles to create a role.
See: Provider Oracle Database (not LDAP)

Honest answer is "it depends".
OBI comes with a security provider which is embedded inside Weblogic where you can manage users and groups.
I say "can" because that's an approach which Oracle itself does not suggest for production systems. Pretty much every implementation uses some proper enterprise-level LDAP or MS Active Directory, which is then configured as an additional security provider for the Weblogic backend.
Best first try to understand how security works and then take your decision based on what is the most appropriate for your use case:
https://youtu.be/JUCZwQOmBn8

Related

Oracle ORDS SQL WEB setup to store app users data

I am new to development and learning through a lot of YouTube videos and Oracle documentation. I have a question for which I was not able to find a solution online and was hoping someone could help answer it here.
I want to use oracle free tier cloud based autonomous transactional database and create the rest api on it using the below url as a reference.
https://oracle.github.io/learning-library/developer-library/rest-services-for-adb-appDevLive/workshops/freetier/?lab=secure-endpoints#Task1:SecuringtheRESTEndpoint
However, my question is: if I create a web app where I can get the user to create an account using a username and password, what is the best practice to store the data and retrieve it from the Oracle database to authenticate the user?
Is there a credentials table where I can store all the username and password details, or should I use an encrypted table?
Also, can someone please help advise how to create a SQL POST method query to retrieve the user creds for validation?
Thank you for all your guidance.
Thank you!
In the database you have a schema - this is the collection of objects:
- tables
- views
- stored procedures
- REST APIs
These are owned by a USER. A database user and schema in Oracle are largely synonymous and a user will have a password.
You then also have your application. Your application most likely also has users. These are completely different users than what you have in the database.
Now, your application COULD use database authentication, but that's highly not recommended. Why? Because then your application users could also theoretically go directly into the database.
It's not clear by your question if you're asking how to manage database usernames and passwords in general or if you mean in terms of your application.
For your application, we recommend you use either our OAuth2 workflows to secure your REST APIs, or you build your own authentication system...for example you could control access to your APIs in the Oracle Cloud using the API Gateway Service.
For managing passwords in the database, you should most definitely NOT store those in a table somewhere. The user, when they get their password, should securely manage that as they would the password to their online banking system.
The web interface we have would work just fine with online password managers like LastPass, but I'm not personally advocating or saying that would be good for your scenario.
Running SQL to find out someone's password isn't really what we do in Oracle. Either you already know it, or you change the password to something so that you definitely know it.

How to add user into database for BPM Suite

I configured BPM Suite v6.4.0 to store users in a database (SQL Server). How do I insert a user into the database (not manually)? I want to know whether BPM Suite v6.4.0 has a library that supports this. I can't find any documentation that mentions this problem.
Thanks for any idea or your help
Authentication/authorization is delegated to an underlying security configuration. I assume you are configuring your security domain to retrieve login information from database? jBPM has some basic user and group mgmt UI (for creating users / groups etc.) that will push these changes to the underlying service. We do have an adapter for RH-SSO so I would recommend to configure your app server to delegate authentication/authorization to RH-SSO, which could be configured to use a database for storing users.

Oracle Apex - Should I create an ACL for LDAP authentication using APEX_0400 or parsing schema

I am not a DBA, and am having a hard time conveying the need for an ACL to allow LDAP authentication from my Oracle Apex instance out to my domain controller, which is mycompany.net port 3268.
Do I need to create the ACL and assign the ACL to the APEX_0400 user, or to the parsing schema of the application I will be using LDAP authentication for? Is it the parsing schema which makes the LDAP request on behalf of the application, or the central APEX_0400 schema?
Or is the ACL something which is created at the instance level, i.e. it may need an owner/principal defining to own the ACL, but the ACL applies to the Oracle instance as a whole and I don't need to grant the ACL to individual Oracle schemas?
Any advice appreciated.
Depends.
Using the built-in LDAP authentication scheme will make it so the apex user will make the calls. Meaning you'll need to grant privileges to the correct APEX_###### user - refer to the documentation for your version on which user this is. (4.2 = APEX_040200, 5 = APEX_050000)
Also read: Enabling Network Services in Oracle Database 11g or Later (Apex 5 Docs)
If you want to make your own calls from the database, you'll need to grant the privilege to that user (too) (usually the parsing schema). For example, you're running some additional queries over LDAP.
Either way: the network ACL was made to increase security. If you want to set the gates wide open to allow all network traffic that's entirely your choice. I've been in a firm where there were many schemas and it's never bothered me to correctly assign the ACL privileges. It's a one-time operation usually and all changes are tracked and in a repo.
If you ever get a security audit, would it fly? Where in the network is the database? What sort of apps are hosted, are they public? Don't remove security in favour of ease-of-use.
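The scoped grant the answer describes, as an added example that is not part of the original answer: it allows only `connect` to the domain controller named in the question, then lists the host ACEs so a wildcard grant stands out in an audit. The principal `APEX_040200` is the answer's 4.2 example and the ACL file name is hypothetical; substitute the APEX_###### schema of your version (and grant the parsing schema as well if it makes its own LDAP calls).

```sql
-- Added example (not from the original answer). Run as a DBA with EXECUTE on
-- DBMS_NETWORK_ACL_ADMIN. Host and port come from the question; the principal
-- APEX_040200 is an assumption taken from the answer's 4.2 example.

-- Oracle Database 12c and later: one access control entry, one host, one port.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'mycompany.net',
    lower_port => 3268,
    upper_port => 3268,
    ace        => xs$ace_type(
                    privilege_list => xs$name_list('connect'),
                    principal_name => 'APEX_040200',
                    principal_type => xs_acl.ptype_db));
END;
/

-- Oracle Database 11g equivalent: create the ACL, then assign it to the host.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'apex_ldap_auth.xml',  -- hypothetical ACL file name
    description => 'APEX LDAP authentication to the domain controller',
    principal   => 'APEX_040200',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'apex_ldap_auth.xml',
    host       => 'mycompany.net',
    lower_port => 3268,
    upper_port => 3268);
  COMMIT;
END;
/

-- Audit check (12c and later): show who may reach which host and port,
-- and flag entries that open every host.
SELECT host, lower_port, upper_port, principal, privilege,
       CASE WHEN host = '*' THEN 'REVIEW: all hosts' END AS finding
FROM   dba_host_aces
ORDER  BY principal, host;
```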

How ADF Security performs actual authentication?

I would like to benefit from ADF security features by enabling them in my application. The application's identity store is a database table. How is it possible to let ADF authenticate users based on this identity store?
How are enterprise roles, and application roles mapped to the user defined in database?
I am using WebLogic as a web container.
To use enterprise roles and users from a database you need a configuration like the one described in this blog:
http://soadev.blogspot.co.uk/2010/04/sqlauthenticator-simply-best.html
Every enterprise role name will be automatically converted to an Application Role, so you won't need an explicit mapping.

Windows Authentication to Oracle for domain group

I know that it is possible to use "OS authentication" to authenticate Windows users in Oracle database. The process is basically passing current Windows user id to Oracle for authentication.
The question is - is it possible to authenticate domain group in Oracle (as it is possible with SQL Server integrated security), so that there would be no need to create separate database user for each domain member?
It is possible.
Oracle has a whitepaper on this, and here's a tutorial.
I don't think this is possible, but I would love to be proven wrong.
