<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta http-equiv="Content-Language" content="en" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <meta name="robots" content="all" scheme="http://www.robotstxt.org/" /> <meta name="generator" content="Oracle DARB XHTML Converter (Mode = document) - Version 5.1" /> <meta name="Date" content="2009-07-31T16:48:26Z" /> <meta name="doctitle" content="Oracle® Warehouse Builder Installation and Administration Guide 11g Release 2 (11.2) for Windows and Linux" /> <meta name="partno" content="E10579-01" /> <meta name="docid" content="WBINS" /> <link rel="Start" href="../../index.htm" title="Home" type="text/html" /> <link rel="Copyright" href="../../dcommon/html/cpyr.htm" title="Copyright" type="text/html" /> <link rel="Stylesheet" href="../../dcommon/css/blafdoc.css" title="Default" type="text/css" /> <script type="text/javascript" src="../../dcommon/js/doccd.js"> </script> <link rel="Contents" href="toc.htm" title="Contents" type="text/html" /> <link rel="Index" href="index.htm" title="Index" type="text/html" /> <link rel="Prev" href="change_mgmt.htm" title="Previous" type="text/html" /> <link rel="Next" href="appendix_troubleshooting.htm" title="Next" type="text/html" /> <link rel="alternate" href="../e10579.pdf" title="PDF version" type="application/pdf" /> <title>Managing Security</title> </head> <body> <div class="header"> <div class="zz-skip-header"><a name="top" id="top" href="#BEGIN">Skip Headers</a></div> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <tr> <td align="left" valign="top"><b>Oracle® Warehouse Builder Installation and Administration Guide<br /> 11<i>g</i> Release 2 (11.2) for Windows and Linux</b><br /> Part Number E10579-01</td> </tr> 
</table> <a name="BEGIN" id="BEGIN"></a></div> <div class="IND"><!-- End Header --><a id="BGBCJHCG" name="BGBCJHCG"></a><a id="WBINS15000" name="WBINS15000"></a> <h1 class="chapter"><span class="secnum">13</span> Managing Security</h1> <p>This section discusses how to implement security options for Oracle Warehouse Builder.</p> <p>This section includes the following topics:</p> <ul> <li> <p><a href="#CHDFDBFG">About Metadata Security</a></p> </li> <li> <p><a href="#BGBJAJEI">Evaluating Metadata Security Strategies</a></p> </li> <li> <p><a href="#BGBEBFEG">Registering Database Users</a></p> </li> <li> <p><a href="#BGBEBCEC">Editing User Profiles</a></p> </li> <li> <p><a href="#i1086659">Support for a Multiple-user Environment</a></p> </li> <li> <p><a href="#BGBHADFE">Defining Security Roles</a></p> </li> <li> <p><a href="#BGBDAFIF">Editing Role Profiles</a></p> </li> <li> <p><a href="#BGBJADJD">Applying Security Properties on Specific Metadata Objects</a></p> </li> <li> <p><a href="#CDDJIFJF">Security Enforcement</a></p> </li> <li> <p><a href="#BGBFFECD">Managing Passwords in Warehouse Builder</a></p> </li> </ul> <a id="CHDFDBFG" name="CHDFDBFG"></a><a id="WBINS15100" name="WBINS15100"></a> <div class="sect1"> <h2 class="sect1">About Metadata Security</h2> <p><a id="ABC1289612" name="ABC1289612"></a><a id="ABC1289612SRI1" name="ABC1289612SRI1"></a>Warehouse Builder enables you to define security on the metadata stored in the design repository. Warehouse Builder metadata security operates in conjunction with Oracle Database security: Oracle Database provides security for data, while Warehouse Builder provides security for the metadata.</p> <p>In addition to being registered in the repository, all users must also be database users in the design repository database. 
Database users may access the data in the database by using SQL*Plus, but they cannot have access to Warehouse Builder and its metadata unless they are also registered in Warehouse Builder.</p> <p>Metadata security is both optional and flexible. You may choose not to apply any metadata security controls, or define a metadata security policy. You have the option to define multiple users, and apply either full security control or none. You may also implement a custom security strategy based on the security service. After you define a custom security strategy, you may adapt it over time to be more or less restrictive.</p> <p>The topics in this section describe how to implement metadata security using the Design Center. You may also implement security through OMB Plus. For more information, refer to the Oracle Warehouse Builder API and Scripting Reference.</p> <a id="BGBFJGCJ" name="BGBFJGCJ"></a><a id="WBINS16271" name="WBINS16271"></a> <div class="sect2"> <h3 class="sect2">About the Security Service</h3> <p>Only users with administrative privileges can access the security service under Globals Navigator to manage users and roles of the security policy in Warehouse Builder.</p> <p>When you install Warehouse Builder and then use the Repository Assistant to create a design repository, Warehouse Builder makes the design repository owner the default administrator. The first time you start the Design Center after installation, you must log in as the design repository owner. You can then define additional administrators or other users as necessary.</p> <p>When you log into the Warehouse Builder Design Center as the design repository owner, it displays the Globals Navigator.</p> <img width="309" height="212" src="img/globals_navigator.gif" alt="This illustration is described in the surrounding text." title="This illustration is described in the surrounding text." 
longdesc="img_text/globals_navigator.htm" /><br /> <a id="sthref630" name="sthref630" href="img_text/globals_navigator.htm">Description of the illustration globals_navigator.gif</a><br /> <br /> <a id="WBINS16365" name="WBINS16365"></a> <p class="subhead2">To view default security settings:</p> <ol> <li> <p>In the Globals Navigator, expand Security.</p> </li> <li> <p>Expand Users, and then expand Roles.</p> <img width="311" height="298" src="img/security_01.gif" alt="Description of security_01.gif follows" title="Description of security_01.gif follows" longdesc="img_text/security_01.htm" /><br /> <a id="sthref631" name="sthref631" href="img_text/security_01.htm">Description of the illustration security_01.gif</a><br /> <br /></li> <li> <p>Notice that there are two predefined roles, <code>ADMINISTRATOR</code> and <code>EVERYONE</code>.</p> </li> <li> <p>The one predefined user is the design repository owner; it is assigned the <code>ADMINISTRATOR</code> role by default.</p> <p>To view or edit the details for a user, in the Globals Navigator, under Security and then under Users, select and double-click the user. 
The Edit User screen appears.</p> <img width="549" height="256" src="img/security_02.gif" alt="Description of security_02.gif follows" title="Description of security_02.gif follows" longdesc="img_text/security_02.htm" /><br /> <a id="sthref632" name="sthref632" href="img_text/security_02.htm">Description of the illustration security_02.gif</a><br /> <br /></li> </ol> <p>For a complete list of all the tasks administrators can perform, see <a href="#BGBIHFGC">"Administrator Role"</a>.</p> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBJAJEI" name="BGBJAJEI"></a><a id="WBINS15200" name="WBINS15200"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Evaluating Metadata Security Strategies</h2> <p>Warehouse Builder enables you to design a metadata security strategy that fits your implementation requirements. As you define your metadata security strategy, recognize that more restrictive policies are more time consuming to implement and maintain.</p> <p>Consider modeling your strategy based on one of the following security strategies:</p> <ul> <li> <p><a href="#BGBHIDDD">Minimal Metadata Security Strategy (Default)</a></p> </li> <li> <p><a href="#BGBIEJFH">Multiuser Security Strategy</a></p> </li> <li> <p><a href="#BGBJEJEA">Full Metadata Security Strategy</a></p> </li> </ul> <a id="BGBHIDDD" name="BGBHIDDD"></a><a id="WBINS16273" name="WBINS16273"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Minimal Metadata Security Strategy (Default)</h3> <p><a id="sthref633" name="sthref633"></a><a id="sthref634" name="sthref634"></a>Minimal metadata security is the default security policy when you create a new design repository. As your project requirements change over time, you may apply other metadata security strategies. 
For example, you may not need extra metadata security if you are implementing an internal pilot project, or if you anticipate only a few trusted users.</p> <p>In the case of a minimal metadata security strategy, all users may log into Warehouse Builder with the same user name and password, that of the design repository owner. Oracle Database security policies keep the data in the design repository secure, and the metadata is available to anyone who knows the design repository owner logon information. All users can create, edit, and delete all objects.</p> </div> <!-- class="sect2" --> <a id="BGBIEJFH" name="BGBIEJFH"></a><a id="WBINS16274" name="WBINS16274"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Multiuser Security Strategy</h3> <p><a id="sthref635" name="sthref635"></a><a id="sthref636" name="sthref636"></a><a id="sthref637" name="sthref637"></a><a id="sthref638" name="sthref638"></a>If your implementation has multiple users and you want to track who performs what operations, implement a multiuser security strategy. This strategy restricts to a single user the rights and access granted to the design repository owner. 
Although this strategy does not restrict user access to metadata objects, you can apply restrictions at a later date.</p> <a id="WBINS16335" name="WBINS16335"></a> <p class="subhead2">To implement security for multiple users:</p> <p>Log into Warehouse Builder as an administrator and complete the instructions in the following sections:</p> <ol> <li> <p><a href="#BGBEBFEG">Registering Database Users</a></p> </li> <li> <p><a href="#BGBEBCEC">Editing User Profiles</a></p> </li> </ol> </div> <!-- class="sect2" --> <a id="BGBJEJEA" name="BGBJEJEA"></a><a id="WBINS16275" name="WBINS16275"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Full Metadata Security Strategy</h3> <p><a id="sthref639" name="sthref639"></a><a id="sthref640" name="sthref640"></a>This section describes a process for applying all the metadata security options available in Warehouse Builder. You can enable all or some of these options. For instance, you could take steps one through three but ignore the remaining steps.</p> <p>Be sure to edit the security properties for all projects in the Project Navigator. By default, the <code>EVERYONE</code> role has <code>FULL_CONTROL</code> object privileges. To change this, select the project and then, from the View menu, select <span class="bold">Security</span>. Edit the privileges of the <code>EVERYONE</code> role to be more restrictive, and then click the <span class="bold">Propagate Security Settings</span> icon in the upper left corner. This action applies the new restrictions to all children of this project. 
For newly created projects and other objects, use the default object privilege setting of OWB users to define access privileges.</p> <a id="WBINS16336" name="WBINS16336"></a> <p class="subhead2">To implement full metadata security for multiple users:</p> <p>Log into Warehouse Builder as an administrator and complete the instructions in the following sections:</p> <ol> <li> <p>Set the parameter <span class="bold">Default Metadata Security Policy</span> to maximum.</p> <p>In the Design Center select <span class="bold">Tools, Preferences,</span> expand <span class="bold">OWB</span>, and then select <span class="bold">Security Parameters.</span></p> </li> <li> <p><a href="#BGBEBFEG">Registering Database Users</a></p> </li> <li> <p><a href="#BGBEBCEC">Editing User Profiles</a></p> <p>The <span class="bold">Default Metadata Security Policy</span> you set in step one of these instructions is not retroactive. It applies only to users you register after changing the setting. You must manually edit the profiles of preexisting users.</p> </li> <li> <p><a href="#BGBHADFE">Defining Security Roles</a></p> </li> <li> <p><a href="#BGBEBCEC">Editing User Profiles</a></p> </li> <li> <p><a href="#BGBJADJD">Applying Security Properties on Specific Metadata Objects</a></p> </li> </ol> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBEBFEG" name="BGBEBFEG"></a><a id="WBINS15300" name="WBINS15300"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Registering Database Users</h2> <p><a id="sthref641" name="sthref641"></a><a id="sthref642" name="sthref642"></a><a id="sthref643" name="sthref643"></a>All Warehouse Builder users must also be Oracle Database users.</p> <p>You can create new OWB users in one of two ways:</p> <ul> <li> <p>Use Warehouse Builder to register existing database users, or to create new ones.</p> <p>Note that you must have the database <code>CREATE USER</code> privilege to create a new user.</p> </li> <li> 
<p>Create new database users and then register them in Warehouse Builder.</p> <p>Note that even though it is possible to create users in SQL*Plus, Oracle recommends that you create users through the Warehouse Builder interface. This ensures that users are assigned all necessary roles and privileges.</p> </li> </ul> <p>For security reasons, you cannot register database administrator users, for example <code>SYS</code>. Also, the database default role settings must not be set to <code>ALL</code>. Note that OWB automatically sets the "database default role setting" for new users. You may change the database default role settings as described in <a href="#BCEHDBDH">"Changing Database Default Roles"</a>.</p> <a id="BGBBCDBI" name="BGBBCDBI"></a><a id="WBINS16276" name="WBINS16276"></a> <div class="sect2"> <h3 class="sect2">Registering Existing Database Users</h3> <p>This section explains how to register existing database users.</p> <a id="WBINS16366" name="WBINS16366"></a> <p class="subhead2">To register existing database users:</p> <ol> <li> <p>In the Globals Navigator, under Security, right-click Users and select <span class="bold">New User</span>.</p> <img width="302" height="314" src="img/new_user_01.gif" alt="Description of new_user_01.gif follows" title="Description of new_user_01.gif follows" longdesc="img_text/new_user_01.htm" /><br /> <a id="sthref644" name="sthref644" href="img_text/new_user_01.htm">Description of the illustration new_user_01.gif</a><br /> <br /> <p>The Create User: Welcome screen appears.</p> </li> <li> <p>On the Create User Welcome screen, click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_02.gif" alt="Description of new_user_02.gif follows" title="Description of new_user_02.gif follows" longdesc="img_text/new_user_02.htm" /><br /> <a id="sthref645" name="sthref645" href="img_text/new_user_02.htm">Description of the illustration new_user_02.gif</a><br /> <br /></li> <li> <p>On the Select DB user to 
register screen, under <span class="bold">Available DB Users</span>, select the user or users you want to register, and click the appropriate transfer icon to add the user or users to the <span class="bold">Selected Users</span> list.</p> <p>Click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_03.gif" alt="Description of new_user_03.gif follows" title="Description of new_user_03.gif follows" longdesc="img_text/new_user_03.htm" /><br /> <a id="sthref646" name="sthref646" href="img_text/new_user_03.htm">Description of the illustration new_user_03.gif</a><br /> <br /></li> <li> <p>On the Check to create a location screen, check the Create option next to the user you are registering.</p> <p>Click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_04.gif" alt="Description of new_user_04.gif follows" title="Description of new_user_04.gif follows" longdesc="img_text/new_user_04.htm" /><br /> <a id="sthref647" name="sthref647" href="img_text/new_user_04.htm">Description of the illustration new_user_04.gif</a><br /> <br /></li> <li> <p>On the Summary screen, review the new user definition.</p> <p>Click <span class="bold">Finish</span>.</p> <img width="649" height="382" src="img/new_user_05.gif" alt="Description of new_user_05.gif follows" title="Description of new_user_05.gif follows" longdesc="img_text/new_user_05.htm" /><br /> <a id="sthref648" name="sthref648" href="img_text/new_user_05.htm">Description of the illustration new_user_05.gif</a><br /> <br /></li> <li> <p>The Register Users Progress appears. 
It disappears when registration is complete.</p> <img width="304" height="154" src="img/new_user_06.gif" alt="Description of new_user_06.gif follows" title="Description of new_user_06.gif follows" longdesc="img_text/new_user_06.htm" /><br /> <a id="sthref649" name="sthref649" href="img_text/new_user_06.htm">Description of the illustration new_user_06.gif</a><br /> <br /></li> <li> <p>Note that your new user is now listed under Users.</p> <img width="301" height="283" src="img/new_user_07.gif" alt="Description of new_user_07.gif follows" title="Description of new_user_07.gif follows" longdesc="img_text/new_user_07.htm" /><br /> <a id="sthref650" name="sthref650" href="img_text/new_user_07.htm">Description of the illustration new_user_07.gif</a><br /> <br /></li> </ol> </div> <!-- class="sect2" --> <a id="BABHHBFA" name="BABHHBFA"></a><a id="WBINS16278" name="WBINS16278"></a> <div class="sect2"> <h3 class="sect2">Creating New Oracle Database Users</h3> <p>This section explains how to create new database users. 
<a id="sthref651" name="sthref651"></a><a id="sthref652" name="sthref652"></a><a id="sthref653" name="sthref653"></a>You must have the database system privilege <code>CREATE USER</code>.</p> <a id="WBINS16367" name="WBINS16367"></a> <p class="subhead2">To create a new database user:</p> <ol> <li> <p>In the Globals Navigator, under Security, right-click Users and select <span class="bold">New User</span>.</p> <img width="302" height="314" src="img/new_user_01.gif" alt="Description of new_user_01.gif follows" title="Description of new_user_01.gif follows" longdesc="img_text/new_user_01.htm" /><br /> <a id="sthref654" name="sthref654" href="img_text/new_user_01.htm">Description of the illustration new_user_01.gif</a><br /> <br /> <p>The Create User: Welcome screen appears.</p> </li> <li> <p>On the Create User Welcome screen, click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_02.gif" alt="Description of new_user_02.gif follows" title="Description of new_user_02.gif follows" longdesc="img_text/new_user_02.htm" /><br /> <a id="sthref655" name="sthref655" href="img_text/new_user_02.htm">Description of the illustration new_user_02.gif</a><br /> <br /></li> <li> <p>On the Select DB user to register screen, click <span class="bold">Create DB User</span>.</p> <img width="649" height="382" src="img/new_user_08.gif" alt="Description of new_user_08.gif follows" title="Description of new_user_08.gif follows" longdesc="img_text/new_user_08.htm" /><br /> <a id="sthref656" name="sthref656" href="img_text/new_user_08.htm">Description of the illustration new_user_08.gif</a><br /> <br /></li> <li> <p>On the Create Database User screen, enter the <span class="bold">DBA password</span>, and the <span class="bold">Name</span> and <span class="bold">Password</span> (with confirmation) of the new user.</p> <p>Click <span class="bold">OK</span>.</p> <p>Note that you must specify a valid user name and password, and adhere to the security standard 
implemented on the Oracle Database. For more information about user names, passwords, and password complexity verification routines, refer to <span class="italic">Oracle Database Security Guide</span>.</p> <img width="404" height="474" src="img/new_user_09.gif" alt="Description of new_user_09.gif follows" title="Description of new_user_09.gif follows" longdesc="img_text/new_user_09.htm" /><br /> <a id="sthref657" name="sthref657" href="img_text/new_user_09.htm">Description of the illustration new_user_09.gif</a><br /> <br /></li> <li> <p>Note that on the Select DB user to register screen, the new user is automatically added to the Selected Users list.</p> <p>Click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_10.gif" alt="Description of new_user_10.gif follows" title="Description of new_user_10.gif follows" longdesc="img_text/new_user_10.htm" /><br /> <a id="sthref658" name="sthref658" href="img_text/new_user_10.htm">Description of the illustration new_user_10.gif</a><br /> <br /></li> <li> <p>On the Check to create a location screen, check the Create option next to the user you are registering.</p> <p>Click <span class="bold">Next</span>.</p> <img width="649" height="382" src="img/new_user_11.gif" alt="Description of new_user_11.gif follows" title="Description of new_user_11.gif follows" longdesc="img_text/new_user_11.htm" /><br /> <a id="sthref659" name="sthref659" href="img_text/new_user_11.htm">Description of the illustration new_user_11.gif</a><br /> <br /></li> <li> <p>On the Summary screen, review the new user definition.</p> <p>Click <span class="bold">Finish</span>.</p> <img width="649" height="382" src="img/new_user_12.gif" alt="Description of new_user_12.gif follows" title="Description of new_user_12.gif follows" longdesc="img_text/new_user_12.htm" /><br /> <a id="sthref660" name="sthref660" href="img_text/new_user_12.htm">Description of the illustration new_user_12.gif</a><br /> <br /></li> <li> <p>The Register Users 
Progress appears. It disappears when registration is complete.</p> <img width="304" height="154" src="img/new_user_06.gif" alt="Description of new_user_06.gif follows" title="Description of new_user_06.gif follows" longdesc="img_text/new_user_06.htm" /><br /> <a id="sthref661" name="sthref661" href="img_text/new_user_06.htm">Description of the illustration new_user_06.gif</a><br /> <br /></li> <li> <p>Note that your new user is now listed under Users.</p> <img width="301" height="300" src="img/new_user_13.gif" alt="Description of new_user_13.gif follows" title="Description of new_user_13.gif follows" longdesc="img_text/new_user_13.htm" /><br /> <a id="sthref662" name="sthref662" href="img_text/new_user_13.htm">Description of the illustration new_user_13.gif</a><br /> <br /></li> </ol> </div> <!-- class="sect2" --> <a id="BCEHDBDH" name="BCEHDBDH"></a><a id="WBINS16279" name="WBINS16279"></a> <div class="sect2"> <h3 class="sect2">Changing Database Default Roles</h3> <p><a id="sthref663" name="sthref663"></a><a id="sthref664" name="sthref664"></a>For security reasons, you cannot register database users that have <code>ALL</code> default roles in the database. However, it is possible to change this default setting by correcting the role assignment. There are two options: <a href="#CDDHEBHI">Fix Now</a> and <a href="#BABCJFIA">Fix Later</a>.</p> <a id="CDDHEBHI" name="CDDHEBHI"></a><a id="WBINS16280" name="WBINS16280"></a> <p class="subhead2">Fix Now</p> <p>If you select the <span class="bold">Fix Now</span> option, type the user name and password with <code>SYSDBA</code> privileges. The user is registered, and the necessary commands are issued.</p> <p>For example, when you register new users, the database role <code><span class="codeinlineitalic">OWB_repository_name</span></code> is assigned to each user. For security reasons, this role must not be the default role of any registered user. 
If you attempt to register a user under these conditions and then select <span class="bold">Fix Now</span>, the user is registered and the following command is issued:</p> <pre xml:space="preserve" class="oac_no_warn">alter user <span class="italic">username</span> default role all except OWB$<span class="italic">CLIENT</span> </pre> <a id="BABCJFIA" name="BABCJFIA"></a><a id="WBINS16281" name="WBINS16281"></a> <p class="subhead2">Fix Later</p> <p>If you select the <span class="bold">Fix Later</span> option, the user is not registered. You must manually change the default role setting in the database using SQL, and then register the user in OWB. To manually change the setting, connect to the database as a user with the <code>ALTER USER</code> system privilege and issue the required commands.</p> <p>Note the following SQL script for changing the default roles of selected users. It changes the default role setting so that any role subsequently granted to the user cannot be the default role of that user. 
To change this, register the user and then issue the following command:</p> <pre xml:space="preserve" class="oac_no_warn">alter user <span class="italic">username</span> default role all except OWB$<span class="italic">CLIENT</span> </pre></div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBEBCEC" name="BGBEBCEC"></a><a id="WBINS15400" name="WBINS15400"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Editing User Profiles</h2> <p><a id="sthref665" name="sthref665"></a><a id="sthref666" name="sthref666"></a>For each user, you can enter an optional description, assign the user to existing <a href="#CHDHBCDG">Roles</a>, specify the <a href="#CHDGJDAA">Default Object Privilege</a> and the <a href="#CHDGHJFD">System Privileges</a>.</p> <p>These are Oracle Database users, so you cannot rename a user in OWB; you must do that through Oracle Database.</p> <p>Note that the granting or revoking of roles and privileges only takes effect in the next OWB session.</p> <a id="sthref667" name="sthref667"></a> <p class="subhead2">To edit a user profile:</p> <ol> <li> <p>In the Globals Navigator, expand <span class="bold">Security</span>.</p> </li> <li> <p>Expand <span class="bold">Users</span>.</p> </li> <li> <p>Select the name of the user for editing. Right-click the user name, and select <span class="bold">Open</span>.</p> </li> <li> <p>The Edit User: Username screen appears. 
It contains the following options for editing:</p> <ul> <li> <p><span class="bold">Name:</span> you cannot change the name itself, but the screen contains an editable <span class="bold">Description</span> text field.</p> </li> <li> <p><span class="bold">Roles:</span> you may assign various roles to the user by moving them from the list of Available Roles to the list of Granted Roles.</p> </li> <li> <p><span class="bold">Default Object Privilege:</span> you may assign default privileges to either Users or Roles by checking the appropriate boxes under <span class="bold">FULL_CONTROL</span>, <span class="bold">EDIT</span>, <span class="bold">COMPILE</span>, or <span class="bold">READ</span>.</p> </li> <li> <p><span class="bold">System Privilege:</span> you may assign system privileges to the user by checking appropriate boxes under Object System Privilege (<span class="bold">ACCESS_PUBLIC_VIEW_BROWSER</span>, <span class="bold">CREATE_PLATFORM</span>, <span class="bold">CREATE_PROJECT</span>, or <span class="bold">CREATE_SNAPSHOT</span>) and Control Center System Privilege (<span class="bold">CONTROL_CENTER_DEPLOYMENT</span>, <span class="bold">CONTROL_CENTER_EXECUTION</span>, or <span class="bold">CONTROL_CENTER_VIEW</span>).</p> </li> </ul> </li> <li> <p>When the edits are complete, click <span class="bold">OK</span>.</p> </li> </ol> <a id="CHDHBCDG" name="CHDHBCDG"></a><a id="WBINS16282" name="WBINS16282"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Roles</h3> <p><a id="sthref668" name="sthref668"></a><a id="sthref669" name="sthref669"></a>You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then the user is granted the more permissive privilege, which is the union of all the privileges granted to the multiple roles. 
For example, if you assign to the same user a role that allows creating a snapshot and a role that restricts it, then the user is allowed to create snapshots.</p> <p>If you want to assign a user to a role that does not display on the Available Roles List, close the editor, create the new role, and then edit the user account. To create a new role, right-click Roles under the Security node in the Globals Navigator and select <span class="bold">New Role</span>. For information on creating and editing roles, see <a href="#BGBHADFE">Defining Security Roles</a> and <a href="#BGBDAFIF">Editing Role Profiles</a>.</p> </div> <!-- class="sect2" --> <a id="CHDGJDAA" name="CHDGJDAA"></a><a id="WBINS16283" name="WBINS16283"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Default Object Privilege</h3> <p><a id="sthref670" name="sthref670"></a><a id="sthref671" name="sthref671"></a><a id="sthref672" name="sthref672"></a><a id="sthref673" name="sthref673"></a>Default object privileges define the access other users and roles have to objects that the selected user creates. These privileges do not impact the privileges the user has for accessing objects created by other users.</p> <p>For example, for all objects that <code>JANE_DOE</code> creates, <code>JANE_DOE</code>, as well as <code>ADMINISTRATOR</code> and <code>DEVELOPMENT</code> roles, have full access. 
Note that <code>EVERYONE</code>, <code>PRODUCTION</code>, and <code>TEST</code> roles are restricted to read-only.</p> <img width="817" height="582" src="img/object_priv_01.gif" alt="Description of object_priv_01.gif follows" title="Description of object_priv_01.gif follows" longdesc="img_text/object_priv_01.htm" /><br /> <a id="sthref674" name="sthref674" href="img_text/object_priv_01.htm">Description of the illustration object_priv_01.gif</a><br /> <br /> <p>If you are familiar with UNIX operating system security, note that the default object privilege is similar to the <code>UMASK</code> command. When you edit the default object privilege, the change only affects objects the user creates subsequently; there is no effect on previously created objects. Therefore, if you set default object privileges early, you can expect little or no additional object-level security management.</p> <p>To define the privileges other users have to objects the selected user creates, check the appropriate box for each role or user. You can grant the following privileges: <a href="#BCEEAEED">FULL CONTROL</a>, <a href="#BCEJDJHI">EDIT</a>, <a href="#BCEIECGG">COMPILE</a>, and <a href="#BCEDBDCE">READ</a>. All the privileges are additive. If you select COMPILE, then you apply both the compile and read privileges.</p> <p>Note that access may be granted both to roles and to individual users. Note, however, that when you grant access to a role, the privilege is extended to all users in that role. For example, even though <code>JOHN_DOE</code> is not specifically granted access, he has read access through the <code>EVERYONE</code> role. Furthermore, if <code>JOHN_DOE</code> is a member of the <code>DEVELOPMENT</code> role, he has full control and access.</p> <p>By default, when you create a new user, the <code>EVERYONE</code> role has full control on all objects. 
To enable metadata security, edit all user profiles and restrict the access the <code>EVERYONE</code> role has to objects each user creates.</p> <a id="WBINS16285" name="WBINS16285"></a> <p class="subhead2">Securing Metadata Objects Throughout their Life Cycle</p> <p>Default object privileges work in conjunction with object security properties to provide security options throughout the life cycle of a given metadata object. Settings you specify on the Default Object Privilege tab persist until a qualified user overrides the restrictions, on an object-by-object basis.</p> <p>Assume that <code>JANE_DOE</code> creates several mappings. When <code>JANE_DOE</code> designs and develops these objects, the security policy described earlier in this section may be desirable. However, assume that <code>JANE_DOE</code> completes the mappings and releases the objects to the testing team. In this case, the default object privilege is too restrictive. To extend access to the <code>TEST</code> role, <code>JANE_DOE</code> can select the mapping, then from the <span class="bold">View</span> menu, select <span class="bold">Security</span>. 
She can then manually add all necessary privileges to the <code>TEST</code> role.</p> <img width="588" height="267" src="img/object_priv_02.gif" alt="Description of object_priv_02.gif follows" title="Description of object_priv_02.gif follows" longdesc="img_text/object_priv_02.htm" /><br /> <a id="sthref675" name="sthref675" href="img_text/object_priv_02.htm">Description of the illustration object_priv_02.gif</a><br /> <br /> <p>For more details on overriding the default security on an object by object basis, see <a href="#BGBJADJD">"Applying Security Properties on Specific Metadata Objects"</a>.</p> <a id="WBINS16286" name="WBINS16286"></a> <div class="sect3"><a id="sthref676" name="sthref676"></a> <h4 class="sect3">Object Privileges</h4> <p>Object privileges apply to all metadata objects in the repository including projects, modules, and collections.</p> <a id="BCEEAEED" name="BCEEAEED"></a><a id="WBINS16287" name="WBINS16287"></a> <p class="subhead2">FULL CONTROL</p> <p>Full control includes all the other privileges plus the ability to grant and revoke privileges on an object. Only users with full control over an object can override default security on an object-by-object basis as described in <a href="#BGBJADJD">"Applying Security Properties on Specific Metadata Objects"</a>.</p> <a id="BCEJDJHI" name="BCEJDJHI"></a><a id="WBINS16288" name="WBINS16288"></a> <p class="subhead2">EDIT</p> <p>The edit privilege includes the compile and read privileges. 
Additionally, edit allows users to delete, rename, and modify an object.</p> <a id="BCEIECGG" name="BCEIECGG"></a><a id="WBINS16289" name="WBINS16289"></a> <p class="subhead2">COMPILE</p> <p>The compile privilege includes the read privilege and enables you to validate and generate an object.</p> <a id="BCEDBDCE" name="BCEDBDCE"></a><a id="WBINS16290" name="WBINS16290"></a> <p class="subhead2">READ</p> <p>The read privilege enables you to view an object.</p> </div> <!-- class="sect3" --></div> <!-- class="sect2" --> <a id="CHDGHJFD" name="CHDGHJFD"></a><a id="WBINS16291" name="WBINS16291"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">System Privileges</h3> <p><a id="sthref677" name="sthref677"></a><a id="sthref678" name="sthref678"></a><a id="sthref679" name="sthref679"></a><a id="sthref680" name="sthref680"></a><a id="sthref681" name="sthref681"></a>Syste<a id="sthref682" name="sthref682"></a>m privileges define user access to workspace-wide services. 
Use the System Privilege tab to allow or restrict users and roles from performing administrative tasks.</p> <p>You can control access to the following operations:</p> <img width="636" height="551" src="img/system_priv_01.gif" alt="Description of system_priv_01.gif follows" title="Description of system_priv_01.gif follows" longdesc="img_text/system_priv_01.htm" /><br /> <a id="sthref683" name="sthref683" href="img_text/system_priv_01.htm">Description of the illustration system_priv_01.gif</a><br /> <br /> <ul> <li> <p><span class="bold">ACCESS_PUBLICVIEW_BROWSER:</span> Allows users to access the Repository Browser.</p> </li> <li> <p><span class="bold">CREATE_PLATFORM:</span> Allows users to create new platforms in the workspace using OMB*Plus.</p> </li> <li> <p><span class="bold">CREATE_PROJECT:</span> Allows users to create projects, which administrators use as a means of organizing metadata objects.</p> </li> <li> <p><span class="bold">CREATE_SNAPSHOT:</span> Allows users to create snapshots, which administrators use when backing up workspaces.</p> </li> <li> <p><span class="bold">CONTROL_CENTER_DEPLOYMENT:</span> Allows users to deploy to the Control Center and then run those procedures.</p> </li> <li> <p><span class="bold">CONTROL_CENTER_EXECUTION:</span> Allows users to run procedures from the Control Center.</p> </li> <li> <p><span class="bold">CONTROL_CENTER_VIEW:</span> Allows users to view procedures from the Control Center.</p> </li> </ul> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="i1086659" name="i1086659"></a><a id="WBINS15500" name="WBINS15500"></a> <div class="sect1"> <h2 class="sect1">Support for a Multiple-user Environment<a id="sthref684" name="sthref684"></a><a id="sthref685" name="sthref685"></a><a id="sthref686" name="sthref686"></a></h2> <p>Warehouse Builder enables multiple users to access the same Warehouse Builder repository at the same time by managing read/write privileges. 
Only one user is given write privileges to an object at any given time. All other users can have read-only access. If a user has write access to an object, Warehouse Builder maintains a lock on the object while the object editor is open. If no changes were made to the object, then the lock is released as soon as the object editor is closed. If changes were made, then the lock is maintained until the user closes all editors associated with the object and either saves the changes or reverts to the last saved version. Other users cannot delete an object while it is in use.</p> <a id="WBINS16292" name="WBINS16292"></a> <div class="sect2"><a id="sthref687" name="sthref687"></a> <h3 class="sect2">Read/Write Mode<a id="sthref688" name="sthref688"></a><a id="sthref689" name="sthref689"></a><a id="sthref690" name="sthref690"></a><a id="sthref691" name="sthref691"></a><a id="sthref692" name="sthref692"></a></h3> <p>Whenever you open an editor, property sheet, or dialog box, you access objects in read/write mode by default. Your changes are available to other users only after you save them to the repository.</p> </div> <!-- class="sect2" --> <a id="WBINS16293" name="WBINS16293"></a> <div class="sect2"><a id="sthref693" name="sthref693"></a> <h3 class="sect2">Read-Only Mode<a id="sthref694" name="sthref694"></a><a id="sthref695" name="sthref695"></a><a id="sthref696" name="sthref696"></a><a id="sthref697" name="sthref697"></a><a id="sthref698" name="sthref698"></a></h3> <p>If you attempt to open an object locked by another user, or if you have only <code>READ</code> permissions for the object, then Warehouse Builder displays a message that prompts you either to cancel the request or access the object in read-only mode. If you choose to continue in read-only mode.</p> <p>A user who is editing an object in <code>READ</code>/<code>WRITE</code> mode may save changes while a user with read-only privileges views the object. 
To synchronize the object with the repository, click <span class="bold">Refresh</span>.</p> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBHADFE" name="BGBHADFE"></a><a id="WBINS15600" name="WBINS15600"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Defining Security Roles</h2> <p><a id="sthref699" name="sthref699"></a><a id="sthref700" name="sthref700"></a><a id="sthref701" name="sthref701"></a>You can use roles to represent groups of users with similar responsibilities and privileges. Unlike users which are also database users, these roles are not database roles. These roles are purely design constructs for implementing security within the product.</p> <p>Roles enable you to more efficiently manage privileges because it is more efficient to grant or restrict privileges to a single role rather than multiple users.</p> <p>The <a href="#BGBGIHEC">Everyone Role</a> and the <a href="#BGBIHFGC">Administrator Role</a> are predefined roles. 
You edit the privileges but cannot delete or rename the predefined roles.</p> <a id="sthref702" name="sthref702"></a> <p class="subhead2">To create a new role:</p> <ol> <li> <p>In the Globals navigator, expand <span class="bold">Security</span>.</p> </li> <li> <p>Under Security, select <span class="bold">Roles</span>.</p> </li> <li> <p>Right-click Roles, and select <span class="bold">New Role</span>.</p> <img width="334" height="339" src="img/new_role_01.gif" alt="Description of new_role_01.gif follows" title="Description of new_role_01.gif follows" longdesc="img_text/new_role_01.htm" /><br /> <a id="sthref703" name="sthref703" href="img_text/new_role_01.htm">Description of the illustration new_role_01.gif</a><br /> <br /></li> <li> <p>On the Create Warehouse Builder Role screen, enter the <span class="bold">Role Name</span>.</p> <img width="468" height="256" src="img/new_role_02.gif" alt="Description of new_role_02.gif follows" title="Description of new_role_02.gif follows" longdesc="img_text/new_role_02.htm" /><br /> <a id="sthref704" name="sthref704" href="img_text/new_role_02.htm">Description of the illustration new_role_02.gif</a><br /> <br /></li> <li> <p>Click <span class="bold">OK</span>.</p> </li> </ol> <a id="BGBGIHEC" name="BGBGIHEC"></a><a id="WBINS16294" name="WBINS16294"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Everyone Role</h3> <p><a id="sthref705" name="sthref705"></a>Use this role to easily manage privileges for all users. 
When you register new users, Warehouse Builder assigns those users to the <code>EVERYONE</code> role by default.</p> </div> <!-- class="sect2" --> <a id="BGBIHFGC" name="BGBIHFGC"></a><a id="WBINS16295" name="WBINS16295"></a> <div class="sect2"> <h3 class="sect2">Administrator Role</h3> <p><a id="sthref706" name="sthref706"></a><a id="sthref707" name="sthref707"></a>Administrators in Warehouse Builder can perform various security tasks, such as:</p> <ul> <li> <p><a href="#BGBEBFEG">Registering Database Users</a></p> </li> <li> <p><a href="#BGBEBCEC">Editing User Profiles</a></p> </li> <li> <p>Changing User Passwords</p> <p>You cannot change user passwords from within Warehouse Builder. Change passwords directly in the Oracle Database as described in <span class="italic">Oracle Database Security Guide</span>.</p> </li> <li> <p><a href="#BGBHADFE">Defining Security Roles</a></p> </li> <li> <p><a href="#BGBDAFIF">Editing Role Profiles</a></p> </li> <li> <p>Deleting Users and Roles</p> <p>You may delete users by right-clicking in the Globals navigator, and selecting <span class="bold">Delete.</span></p> <p>You can delete all OWB users except for the design repository owner. Deleting a user from OWB does not delete or alter the user account on the Oracle Database.</p> <p>You can delete all OWB roles except the <code>ADMINISTRATOR</code> and <code>EVERYONE</code> roles. 
Deleting a role from OWB does not delete or alter roles in the Oracle Database.</p> </li> <li> <p>Renaming Roles</p> <p>From the Globals Navigator, right-click a role and select <span class="bold">Rename.</span> You can rename all roles except the predefined administrator and everyone roles.</p> </li> <li> <p><a href="#BGBJADJD">Applying Security Properties on Specific Metadata Objects</a></p> </li> </ul> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBDAFIF" name="BGBDAFIF"></a><a id="WBINS15700" name="WBINS15700"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Editing Role Profiles</h2> <p><a id="sthref708" name="sthref708"></a><a id="sthref709" name="sthref709"></a>For each role that you create, you can edit the name, enter an optional description, assign the role to existing <a href="#BGBIBIHE">Users</a>, and specify the system privilege. You cannot rename or edit the descriptions for the predefined roles <code>EVERYONE</code> and <code>ADMINISTRATOR</code>, nor can you delete them. Note that Warehouse Builder roles and database roles are separate constructs; therefore, deleting a Warehouse Builder role has no effect on the database. For more information on system privilege, see <a href="#CHDGHJFD">System Privileges</a>.</p> <a id="sthref710" name="sthref710"></a> <p class="subhead2">To alter default security privileges for a role:</p> <ol> <li> <p>In the Globals navigator, expand <span class="bold">Security</span>.</p> </li> <li> <p>Under Security, expand <span class="bold">Roles</span>.</p> </li> <li> <p>Select the role to edit, and right-click. 
From the menu, select <span class="bold">Open</span>.</p> <img width="393" height="394" src="img/edit_role_01.gif" alt="Description of edit_role_01.gif follows" title="Description of edit_role_01.gif follows" longdesc="img_text/edit_role_01.htm" /><br /> <a id="sthref711" name="sthref711" href="img_text/edit_role_01.htm">Description of the illustration edit_role_01.gif</a><br /> <br /></li> <li> <p>In the Edit Role: <span class="italic">RoleName</span> window, you may do any one of the following:</p> <ul> <li> <p><span class="bold">Name:</span> you cannot change the name itself, but the screen contains an editable <span class="bold">Description</span> text field.</p> <img width="628" height="274" src="img/edit_role_02.gif" alt="Description of edit_role_02.gif follows" title="Description of edit_role_02.gif follows" longdesc="img_text/edit_role_02.htm" /><br /> <a id="sthref712" name="sthref712" href="img_text/edit_role_02.htm">Description of the illustration edit_role_02.gif</a><br /> <br /></li> <li> <p><span class="bold">User:</span> you may assign various users to the role by moving them from the list of <span class="bold">Available Users</span> to the list of <span class="bold">Grantees</span>.</p> <img width="600" height="368" src="img/edit_role_03.gif" alt="Description of edit_role_03.gif follows" title="Description of edit_role_03.gif follows" longdesc="img_text/edit_role_03.htm" /><br /> <a id="sthref713" name="sthref713" href="img_text/edit_role_03.htm">Description of the illustration edit_role_03.gif</a><br /> <br /></li> <li> <p><span class="bold">System Privilege:</span> you may assign system privileges to the role by checking appropriate boxes under Object System Privilege (<span class="bold">ACCESS_PUBLIC_VIEW_BROWSER</span>, <span class="bold">CREATE_PLATFORM</span>, <span class="bold">CREATE_PROJECT</span>, or <span class="bold">CREATE_SNAPSHOT</span>) and Control Center System Privilege (<span class="bold">CONTROL_CENTER_DEPLOYMENT</span>, <span 
class="bold">CONTROL_CENTER_EXECUTION</span>, or <span class="bold">CONTROL_CENTER_VIEW</span>).</p> <img width="606" height="392" src="img/edit_role_04.gif" alt="Description of edit_role_04.gif follows" title="Description of edit_role_04.gif follows" longdesc="img_text/edit_role_04.htm" /><br /> <a id="sthref714" name="sthref714" href="img_text/edit_role_04.htm">Description of the illustration edit_role_04.gif</a><br /> <br /></li> </ul> </li> <li> <p>When the edits are complete, click <span class="bold">OK</span>.</p> </li> </ol> <a id="BGBIBIHE" name="BGBIBIHE"></a><a id="WBINS16297" name="WBINS16297"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Users</h3> <p><a id="sthref715" name="sthref715"></a><a id="sthref716" name="sthref716"></a><a id="sthref717" name="sthref717"></a>You can assign multiple users to a role. If you want to assign a user that does not display on the Available Users list, then close the editor, create the user from the Security node in the Globals Navigator, and then edit the role. To create a new user, right-click <span class="bold">Users</span> from the Security node and select <span class="bold">New User</span>. 
For information on creating and editing users, see <a href="#BGBEBFEG">Registering Database Users</a> and <a href="#BGBEBCEC">Editing User Profiles</a>.</p> </div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="BGBJADJD" name="BGBJADJD"></a><a id="WBINS15800" name="WBINS15800"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Applying Security Properties on Specific Metadata Objects</h2> <p><a id="sthref718" name="sthref718"></a><a id="sthref719" name="sthref719"></a><a id="sthref720" name="sthref720"></a>You can grant or restrict access to metadata objects on an object-by-object basis.</p> <a id="sthref721" name="sthref721"></a> <p class="subhead2">To change security properties of a specific metadata object:</p> <ol> <li> <p>Select the metadata object for changing.</p> </li> <li> <p>From the View menu, select <span class="bold">Security</span>.</p> </li> <li> <p>Edit the security privileges for the object, granting and revoking them either at Role level, or at User level.</p> <img width="567" height="261" src="img/object_priv_03.gif" alt="Description of object_priv_03.gif follows" title="Description of object_priv_03.gif follows" longdesc="img_text/object_priv_03.htm" /><br /> <a id="sthref722" name="sthref722" href="img_text/object_priv_03.htm">Description of the illustration object_priv_03.gif</a><br /> <br /></li> <li> <p>When all changes are made, from the File menu, select <span class="bold">Save All</span>.</p> <p>Confirm changes.</p> </li> </ol> <a id="CHDDBHAH" name="CHDDBHAH"></a><a id="WBINS16298" name="WBINS16298"></a> <div class="sect2"> <h3 class="sect2">Security Tab</h3> <p>Use the Security tab to define metadata security on an object-by-object basis. Only users that have full control privileges on an object can change the metadata access controls on the Security tab. 
Security properties are important in managing the life cycle of your projects, as described in <a href="#BCEBEJDH">"Example: Using Security Properties to Freeze a Project Design"</a>.</p> <p>While the <a href="#CHDGJDAA">Default Object Privilege</a> defines metadata security for objects a specific user creates, the Security tab overrides that metadata security policy on an object-by-object basis. Assume that <code>JANE_DOE</code> is a developer that creates mappings and process flows. If you want all objects created by <code>JANE_DOE</code> made available to another developer, such as <code>JOHN_DOE</code>, then use the <a href="#CHDGJDAA">Default Object Privilege</a>. However, if you want to make only a few objects created by <code>JANE_DOE</code> available to <code>JOHN_DOE</code> or even every user who has a <code>TEST</code> role, locate each object in the Design Center and alter its security options.</p> <p>To enforce a full metadata strategy, edit the security properties for all projects in the Project navigator. By default, the <code>EVERYONE</code> role has its object privileges set to full control. Change the <code>EVERYONE</code> role privilege to be more restrictive and select <span class="bold">Propagate Security Settings</span> icon to apply the changes to all children.</p> <a id="WBINS16299" name="WBINS16299"></a> <p class="subhead2">Propagating Security Properties to Child Objects</p> <p>You can apply security properties to an object and all its children by selecting Propagate on the Security tab. This option is disabled when you select an object that cannot have child objects.</p> <a id="BCEBEJDH" name="BCEBEJDH"></a><a id="WBINS16300" name="WBINS16300"></a> <div class="sect3"><!-- infolevel="all" infotype="General" --> <h4 class="sect3">Example: Using Security Properties to Freeze a Project Design</h4> <p>When users complete the design of a project, you may want to freeze the contents of the project. 
Once you complete the following steps, only administrators can change the objects in the project.</p> <p><span class="bold">To freeze a project design:</span></p> <ol> <li> <p>Log on as user with administrator privileges.</p> </li> <li> <p>From the View menu, select <span class="bold">Security</span>.</p> <img width="238" height="415" src="img/security_03.gif" alt="Description of security_03.gif follows" title="Description of security_03.gif follows" longdesc="img_text/security_03.htm" /><br /> <a id="sthref723" name="sthref723" href="img_text/security_03.htm">Description of the illustration security_03.gif</a><br /> <br /></li> <li> <p>On the Security tab, restrict the privileges for all users and roles other than the administrators, as appropriate.</p> </li> <li> <p>Click <span class="bold">Propagate Security Settings</span> icon.</p> </li> </ol> </div> <!-- class="sect3" --></div> <!-- class="sect2" --></div> <!-- class="sect1" --> <a id="CDDJIFJF" name="CDDJIFJF"></a><a id="WBINS15900" name="WBINS15900"></a> <div class="sect1"> <h2 class="sect1">Security Enforcement</h2> <p><a id="sthref724" name="sthref724"></a><a id="sthref725" name="sthref725"></a>When any user attempts to perform an operation in Warehouse Builder, Warehouse Builder first verifies that the user has the required privileges to perform the operation. <a href="#BGBGHIAJ">Table 13-1</a> lists the privileges required to run operations in Warehouse Builder.</p> <div class="tblformal"><a id="WBINS16301" name="WBINS16301"></a><a id="sthref726" name="sthref726"></a><a id="BGBGHIAJ" name="BGBGHIAJ"></a> <p class="titleintable">Table 13-1 Privileges Required for the Execution of Operations</p> <table class="Formal" title="Privileges Required for the Execution of Operations" summary="Security checks that Warehouse Builder performs before allowing a given operation." 
dir="ltr" border="1" width="100%" frame="hsides" rules="groups" cellpadding="3" cellspacing="0"> <col width="34%" /> <col width="*" /> <thead> <tr align="left" valign="top"> <th align="left" valign="bottom" id="r1c1-t2">Warehouse Builder Operation</th> <th align="left" valign="bottom" id="r1c2-t2">Security Check</th> </tr> </thead> <tbody> <tr align="left" valign="top"> <td align="left" id="r2c1-t2" headers="r1c1-t2"> <p>Configure</p> </td> <td align="left" headers="r2c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on objects to be configured.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r3c1-t2" headers="r1c1-t2"> <p>Copy</p> </td> <td align="left" headers="r3c1-t2 r1c2-t2"> <p>User must have <code>READ</code> privilege on the object to be copied.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r4c1-t2" headers="r1c1-t2"> <p>Create object</p> </td> <td align="left" headers="r4c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on parent. 
For example, to create a mapping you must have <code>EDIT</code> privilege on the module.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r5c1-t2" headers="r1c1-t2"> <p>Cut</p> </td> <td align="left" headers="r5c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the object to be cut.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r6c1-t2" headers="r1c1-t2"> <p>Delete</p> </td> <td align="left" headers="r6c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the object to be deleted.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r7c1-t2" headers="r1c1-t2"> <p>Deploy</p> </td> <td align="left" headers="r7c1-t2 r1c2-t2"> <p>User must have <code>CONTROL_CENTER_DEPLOY</code> system privilege.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r8c1-t2" headers="r1c1-t2"> <p>Edit</p> </td> <td align="left" headers="r8c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the object to be edited.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r9c1-t2" headers="r1c1-t2"> <p>Export</p> </td> <td align="left" headers="r9c1-t2 r1c2-t2"> <p>User must have <code>READ</code> privilege on objects to be exported. Administrative users can export security information such as roles, users, and privileges when Export security information is enabled.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r10c1-t2" headers="r1c1-t2"> <p>Generate</p> </td> <td align="left" headers="r10c1-t2 r1c2-t2"> <p>User must have <code>COMPILE</code> privilege on object to be generated.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r11c1-t2" headers="r1c1-t2"> <p>Import</p> </td> <td align="left" headers="r11c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on objects to be exported. 
Administrative users can import security information such as roles, users, and privileges when Import security information is enabled.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r12c1-t2" headers="r1c1-t2"> <p>Move</p> </td> <td align="left" headers="r12c1-t2 r1c2-t2"> <p>User must have privileges listed for the Cut and Paste operations.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r13c1-t2" headers="r1c1-t2"> <p>Paste</p> </td> <td align="left" headers="r13c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the parent to receive the copied object.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r14c1-t2" headers="r1c1-t2"> <p>Rename</p> </td> <td align="left" headers="r14c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the object to be renamed.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r15c1-t2" headers="r1c1-t2"> <p>Snapshot: compare snapshots</p> </td> <td align="left" headers="r15c1-t2 r1c2-t2"> <p>To compare with another snapshot or other repository object, user must have <code>READ</code> privilege on that snapshot and the snapshot or other repository object.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r16c1-t2" headers="r1c1-t2"> <p>Snapshot: restore snapshot</p> </td> <td align="left" headers="r16c1-t2 r1c2-t2"> <p>To restore an object based on a snapshot, a user must have <code>READ</code> privilege on that object. 
To restore a folder, a user must have <code>EDIT</code> privilege on the folder and all of its children.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r17c1-t2" headers="r1c1-t2"> <p>Snapshot: take snapshot</p> </td> <td align="left" headers="r17c1-t2 r1c2-t2"> <p>User must have the <code>CREATE_SNAPSHOT</code> system privilege to create snapshots.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r18c1-t2" headers="r1c1-t2"> <p>Source import</p> </td> <td align="left" headers="r18c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on objects to be replaced by imported objects.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r19c1-t2" headers="r1c1-t2"> <p>Synchronize inbound</p> </td> <td align="left" headers="r19c1-t2 r1c2-t2"> <p>User must have <code>READ</code> privilege on the object in the repository and <code>EDIT</code> privilege on the object in the editor.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r20c1-t2" headers="r1c1-t2"> <p>Synchronize outbound</p> </td> <td align="left" headers="r20c1-t2 r1c2-t2"> <p>User must have <code>EDIT</code> privilege on the object in the repository.</p> </td> </tr> <tr align="left" valign="top"> <td align="left" id="r21c1-t2" headers="r1c1-t2"> <p>Validate</p> </td> <td align="left" headers="r21c1-t2 r1c2-t2"> <p>User must have <code>COMPILE</code> privilege on object to be validated.</p> </td> </tr> </tbody> </table> <br /></div> <!-- class="tblformal" --></div> <!-- class="sect1" --> <a id="BGBFFECD" name="BGBFFECD"></a><a id="WBINS15950" name="WBINS15950"></a> <div class="sect1"><!-- infolevel="all" infotype="General" --> <h2 class="sect1">Managing Passwords in Warehouse Builder<a id="sthref727" name="sthref727"></a><a id="sthref728" name="sthref728"></a></h2> <p>You can manage passwords within Warehouse Builder in the following ways:</p> <ul> <li> <p><a href="#BABJCCGE">Credential Memory on Logon Panel</a></p> </li> <li> 
<p><a href="#CHDGABGA">Changing Passwords that Access Control Centers</a></p> </li> <li> <p><a href="#CHDIGBAF">Encrypting Passwords to Warehouse Builder Locations</a></p> </li> </ul> <a id="BABJCCGE" name="BABJCCGE"></a><a id="WBINS16302" name="WBINS16302"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Credential Memory on Logon Panel</h3> <p>The logon dialog that appears when the Warehouse Builder Design Center is launched retains a list of previously used credentials. This is a convenience for Design Center users who frequently work with the same workspaces. The feature enables OWB to remember log in information.</p> </div> <!-- class="sect2" --> <a id="WBINS16303" name="WBINS16303"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --><a id="sthref729" name="sthref729"></a> <h3 class="sect2">Changing Passwords that Access Warehouse Builder</h3> <p><a id="sthref730" name="sthref730"></a><a id="sthref731" name="sthref731"></a>In keeping with standard security practices, you may want to periodically change the passwords used to access Warehouse Builder repositories.</p> <a id="WBINS16304" name="WBINS16304"></a> <p class="subhead2">Changing Passwords that Access Design Repositories</p> <p>Manage the password to design repositories as you would any other Oracle Database.</p> <a id="CHDGABGA" name="CHDGABGA"></a><a id="WBINS16305" name="WBINS16305"></a> <p class="subhead2">Changing Passwords that Access Control Centers</p> <p>To change the password for a repository that hosts a Control Center and is therefore a deployment environment, you must first stop the Control Center service, run a script to change the password, and restart the Control Center service.</p> <p>To change the password for a repository that hosts a Control Center:</p> <ol> <li> <p>Log on to the Control Center as the repository owner.</p> </li> <li> <p>Stop the Control Center by running the script <code><span 
class="codeinlineitalic">OWB_HOME</span></code><code>/owb/rtp/sql/stop_service.sql</code>.</p> <p>The script returns values of Unavailable or Available to indicate the status of Control Center.</p> </li> <li> <p>Change the password by running the script <code><span class="codeinlineitalic">OWB_HOME</span></code><code>/owb/rtp/sql/set_repository_password.sql</code>.</p> <p>When prompted, specify the new password.</p> </li> <li> <p>Restart the Control Center by running the script</p> <p><code>OWB_ORACLE_HOME/owb/rtp/sql/start_service.sql</code>.</p> </li> </ol> </div> <!-- class="sect2" --> <a id="CHDIGBAF" name="CHDIGBAF"></a><a id="WBINS16306" name="WBINS16306"></a> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h3 class="sect2">Encrypting Passwords to Warehouse Builder Locations</h3> <p><a id="sthref732" name="sthref732"></a><a id="sthref733" name="sthref733"></a>Warehouse Builder users create a location for each database, file server, or application from which they want to extract, or into which they want to load, metadata and data. Locations include the user name and password used to access these various sources and targets. Warehouse Builder can store these passwords in the repository in an encrypted manner. The switch that turns the password storage on and off is Persist Location Password in Metadata, which is located in the Design Center under <span class="bold">Tools, Preferences, Security Parameters.</span></p> <p>The default encryption algorithm is <code>DES56C</code>, which is valid for Oracle Database 9i and subsequent versions. 
If the repository Database is version 10g or later, then you can set the encryption algorithm to <code>3DES168</code> or any other more powerful encryption by changing <code><span class="codeinlineitalic">OWB_HOME</span></code><code>/owb/bin/admin/jdbcdriver.properties</code> file and specifying the following encryption parameters:</p> <pre xml:space="preserve" class="oac_no_warn">encryption_client; default = REQUIRED
encryption_types_client; default = ( DES56C )
crypto_checksum_client; default = REQUESTED
crypto_checksum_types_client; default = ( MD5 )
</pre> <p>For the protocol to work, set the server to the default <code>ACCEPTED</code> mode. For more information, see <a class="olink JJDBC" href="http://www.oracle.com/pls/db112/lookup?id=JJDBC"><span class="italic">Oracle Database JDBC Developer's Guide</span></a>. <a id="sthref734" name="sthref734"></a><a id="sthref735" name="sthref735"></a></p> </div> <!-- class="sect2" --></div> <!-- class="sect1" --></div> <!-- class="ind" --> <div class="footer"> <hr /> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="33%" /> <col width="*" /> <col width="33%" /> <tr> <td align="left"> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="98"> <tr> <td align="center" valign="top"><a href="change_mgmt.htm"><img width="24" height="24" src="../../dcommon/gifs/leftnav.gif" alt="Go to previous page" /><br /> <span class="icon">Previous</span></a></td> <td align="center" valign="top"><a href="appendix_troubleshooting.htm"><img width="24" height="24" src="../../dcommon/gifs/rightnav.gif" alt="Go to next page" /><br /> <span class="icon">Next</span></a></td> </tr> </table> </td> <td style="font-size: 90%" align="center" class="copyrightlogo"><img width="144" height="18" src="../../dcommon/gifs/oracle.gif" alt="Oracle" /><br /> Copyright © 2000, 2009, Oracle and/or its affiliates. 
All rights reserved.<br /> <a href="../../dcommon/html/cpyr.htm">Legal Notices</a></td> <td align="right"></td> </tr> </table> </div> </body> </html>
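Added example (not part of the Oracle guide): a model of the additive object-privilege scheme from "Default Object Privilege" and the per-operation checks in Table 13-1, with an audit for objects still exposed through the EVERYONE role. The object names, the TESTER and NEW_USER accounts, the function names, and the rule that every user is a member of EVERYONE are assumptions made for the example.

```python
from enum import IntEnum


class Priv(IntEnum):
    """Object privileges, ordered so each level includes the ones below it."""
    NONE = 0
    READ = 1
    COMPILE = 2       # includes READ
    EDIT = 3          # includes COMPILE and READ
    FULL_CONTROL = 4  # includes everything, plus grant and revoke


# Subset of Table 13-1: operation -> privilege needed on the object itself.
REQUIRED = {
    "copy": Priv.READ,
    "export": Priv.READ,
    "validate": Priv.COMPILE,
    "generate": Priv.COMPILE,
    "configure": Priv.EDIT,
    "edit": Priv.EDIT,
    "rename": Priv.EDIT,
    "delete": Priv.EDIT,
    # From the FULL CONTROL description: only full control may change security.
    "change_security": Priv.FULL_CONTROL,
}


def effective_privilege(user, acl, memberships):
    """Highest privilege the user holds, directly or through any role.

    Privileges are additive, so a restrictive grant on one role never
    cancels a broader grant on another. Assumption: every registered
    user is a member of EVERYONE.
    """
    principals = {user, "EVERYONE"} | set(memberships.get(user, ()))
    return max(acl.get(p, Priv.NONE) for p in principals)


def allowed(user, operation, acl, memberships):
    """Apply the Table 13-1 check for one operation on one object."""
    return effective_privilege(user, acl, memberships) >= REQUIRED[operation]


def everyone_exposure(objects, limit=Priv.READ):
    """Names of objects on which EVERYONE holds more than `limit`."""
    return sorted(
        name for name, acl in objects.items()
        if acl.get("EVERYONE", Priv.NONE) > limit
    )


# Constructed sample data. JANE_ACL mirrors the JANE_DOE example on the page.
JANE_ACL = {
    "JANE_DOE": Priv.FULL_CONTROL,
    "ADMINISTRATOR": Priv.FULL_CONTROL,
    "DEVELOPMENT": Priv.FULL_CONTROL,
    "EVERYONE": Priv.READ,
    "PRODUCTION": Priv.READ,
    "TEST": Priv.READ,
}
# An object created by a user whose profile was never edited:
# EVERYONE keeps the default full control.
DEFAULT_ACL = {"NEW_USER": Priv.FULL_CONTROL, "EVERYONE": Priv.FULL_CONTROL}
OBJECTS = {"JANE_MAPPING": JANE_ACL, "NEW_USER_MAPPING": DEFAULT_ACL}
MEMBERS = {"JOHN_DOE": {"DEVELOPMENT"}, "TESTER": {"TEST"}}

if __name__ == "__main__":
    for user in ("JOHN_DOE", "TESTER"):
        for name, acl in OBJECTS.items():
            priv = effective_privilege(user, acl, MEMBERS)
            print(f"{user:9} on {name:17}: {priv.name}")
    print("EVERYONE above READ on:", everyone_exposure(OBJECTS))
```

Running the audit over every user's default object privileges and every project shows where the EVERYONE default still has to be restricted before metadata security has any effect.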
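Added example (not part of the Oracle guide): an audit of the four client encryption parameters listed under "Encrypting Passwords to Warehouse Builder Locations", flagging the single-DES and MD5 defaults and any mode that is negotiated rather than required. It assumes one parameter per line, written either as the page prints it (`name; default = value`) or as `name = value`; the real syntax of `jdbcdriver.properties` is not shown on the page, and the hardened values are constructed samples.

```python
import re

# Defaults exactly as the page lists them for the four client parameters.
PAGE_DEFAULTS = {
    "encryption_client": ["REQUIRED"],
    "encryption_types_client": ["DES56C"],
    "crypto_checksum_client": ["REQUESTED"],
    "crypto_checksum_types_client": ["MD5"],
}
# Algorithms treated as weak: single DES (56- and 40-bit keys) and MD5.
WEAK = {
    "encryption_types_client": {"DES56C", "DES40C"},
    "crypto_checksum_types_client": {"MD5"},
}
MODE_PARAMS = ("encryption_client", "crypto_checksum_client")

# Accepts "name; default = value" (as printed on the page) or "name = value".
ENTRY = re.compile(r"^\s*([A-Za-z_.]+)\s*(?:;\s*default\s*)?=\s*(.+?)\s*$")


def parse_settings(text):
    """Return {parameter: [values]} from the text of a properties file."""
    settings = {}
    for raw in text.splitlines():
        match = ENTRY.match(raw.split("#", 1)[0])  # drop comments
        if not match:
            continue
        name, value = match.groups()
        # Assumption: a dotted prefix, if present, is not significant.
        key = name.lower().rsplit(".", 1)[-1]
        values = [v.upper() for v in re.split(r"[,\s]+", value.strip("() ")) if v]
        settings[key] = values
    return settings


def effective_settings(parsed):
    """Overlay parsed values on the page's defaults; unset keeps the default."""
    merged = dict(PAGE_DEFAULTS)
    merged.update({k: v for k, v in parsed.items() if k in PAGE_DEFAULTS and v})
    return merged


def audit(parsed):
    """Return (parameter, message) findings for weak or unenforced settings."""
    findings = []
    effective = effective_settings(parsed)
    for name in PAGE_DEFAULTS:
        values = effective[name]
        if name in MODE_PARAMS:
            if values[0] != "REQUIRED":
                findings.append(
                    (name, f"{values[0]}: protection is negotiated, not enforced"))
        else:
            weak = [v for v in values if v in WEAK[name]]
            if weak:
                findings.append((name, "weak algorithm offered: " + ", ".join(weak)))
    return findings


# The parameter block as printed on the page.
PAGE_TEXT = """\
encryption_client; default = REQUIRED
encryption_types_client; default = ( DES56C )
crypto_checksum_client; default = REQUESTED
crypto_checksum_types_client; default = ( MD5 )
"""

# Constructed hardened sample. Confirm which algorithms your driver and
# database versions support before using these values.
HARDENED_TEXT = """\
encryption_client = REQUIRED
encryption_types_client = ( 3DES168 )
crypto_checksum_client = REQUIRED
crypto_checksum_types_client = ( SHA1 )
"""

if __name__ == "__main__":
    for label, text in (("page defaults", PAGE_TEXT), ("hardened", HARDENED_TEXT)):
        print(label)
        for name, message in audit(parse_settings(text)) or [("-", "no findings")]:
            print(f"  {name}: {message}")
```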