RE: EM 12c best practise!!

From: Peter Sharman <pete.sharman_at_oracle.com>
Date: Fri, 6 Jun 2014 09:56:46 -0700 (PDT)
Message-ID: <8e3b84f8-d012-43cf-b8cd-5114276f04ca_at_default>



Edwin

 

Two answers on this:

 

1. When you delete an administrator, you are given the options to either:

a. Delete the administrator’s objects - This will delete the administrator and all his or her associated Job Types, Jobs, Corrective Actions, Report Definitions, Reports and Templates. Blackouts will not be deleted.

b. Reassign their objects - This will assign the administrator's objects to another administrator. The credentials belonging to the administrator will be deleted from the repository before any reassignment takes place. Let me come back to this one below.

2. For the specific issue of jobs, there are new emcli verbs in the 12.1.0.4 release that was announced this week that allow you (finally!) to export and import job definitions.

 

Point b above – the wording here is from the UI (straight cut and paste) and to me isn’t particularly clear.  I just created a user in my 12.1.0.4 environment called TEST, and used it to create a named credential (also cleverly called TEST) that I then set as a preferred credential for a host.  When I deleted this TEST user, I chose option b above and said reassign the objects to my own user ID.  When I log in as me, I can see a named credential called TEST which does exactly what the old named credential TEST does, but is now owned by my user ID.  If I look at the recent activities tab for that named credential it says “Credential reassigned as user TEST deleted.”

 

The end result – provided you say reassign the objects to another administrator, your problem is solved.

 

Pete

Pete Sharman
Principal Product Manager
Enterprise Manager Product Suite
33 Benson Crescent CALWELL ACT 2905 AUSTRALIA

Phone: +61262924095 | | Fax: +61262925183 | | Mobile: +61414443449

  _____  

"Controlling developers is like herding cats."

Kevin Loney, Oracle DBA Handbook

 

"Oh no, it's not, it's much harder than that!"

Bruce Pihlamae, long term Oracle DBA

  _____  

 

From: edwin devadanam [mailto:dmarc-noreply_at_freelists.org]
Sent: Friday, June 6, 2014 4:19 PM
To: dmarc-noreply_at_freelists.org; Peter Sharman; ORACLE-L
Subject: Re: EM 12c best practise!!

 

as per

http://www.oracle.com/technetwork/oem/framework-infra/wp-em12c-security-best-practicesv2-1493383.pdf

Do not set preferred credentials for group/common accounts such as SYSMAN. If preferred credentials are set for common accounts, then the accountability of the use of these credentials is lost.

 

How do we create a global user/one user not to fail for above as said?

My issue is: if user A creates a job and leaves the organisation, when user B deletes user A, all jobs of user A go to user B and the credentials are lost.

 

Any advice will be appreciated...

 

thanks,

Edwin.K

 

 

On Thursday, June 5, 2014 12:25 PM, edwin devadanam <dmarc-noreply_at_freelists.org> wrote:

 

Thanks Fuad...

 

Regards,

Edwin.K

 

On Thursday, June 5, 2014 12:36 AM, Peter Sharman <pete.sharman_at_oracle.com> wrote:

 

Yup, nailed it in one – as I would expect from Fuad. :)

 

Pete


 

From: Fuad Arshad [mailto:dmarc-noreply_at_freelists.org]
Sent: Wednesday, June 4, 2014 9:19 PM
To: dmarc-noreply_at_freelists.org
Cc: ORACLE-L
Subject: Re: EM 12c best practise!!

 

Named credentials are the way to go. Easy to set up, grant it to the user, and no one knows the password.

EM 12cR4 enhances these options by adding SSH keys as credentials as well.

Fuad

 

On Jun 4, 2014, at 7:10, "edwin devadanam" <dmarc-noreply_at_freelists.org> (Redacted sender "edwin_kodamala_at_yahoo.com" for DMARC) wrote:

Thanks Fuad, I have already gone through this.

I am still reading the EM docs before I can put a few things in place for my environment.

I am also interested in how other people are doing things in their environments in terms of a global ID or something which is secured...

 

thanks,

Edwin.K

 

On Wednesday, June 4, 2014 3:49 PM, Fuad Arshad <dmarc-noreply_at_freelists.org> wrote:

 

you need to look at named credentials for this 

the wp below can help 

http://www.oracle.com/technetwork/oem/framework-infra/wp-em12c-security-best-practicesv2-1493383.pdf#page16

Fuad

 

On Jun 4, 2014, at 5:33, "edwin devadanam" <dmarc-noreply_at_freelists.org> (Redacted sender "edwin_kodamala_at_yahoo.com" for DMARC) wrote:

Hi gurus,

 

I am trying to explore and understand more on EM 12c best practices to be followed.

I am looking for more into security setup and creating a global ID.

 

As I am reading through the EM12c documentation, I need some advice on security setup.

Is it possible to set up a "global id/global role" to perform job scheduling (HOST/SQL script, etc.) for multiple servers?

For example, for 10 servers with 10 different O/S and DB users, my requirement is: what is the best way to perform EM jobs without revealing credentials to anyone?

 

thanks,

Edwin.K

We have multiple 11g Oracle databases, OBIEE, Oracle Ebiz Suite and Oracle Portal on Red Hat Linux 6/HP-UX servers.

 

 

 

 

 

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jun 06 2014 - 18:56:46 CEST
