RE: EM 12c best practise!!
Date: Fri, 6 Jun 2014 09:56:46 -0700 (PDT)
Message-ID: <8e3b84f8-d012-43cf-b8cd-5114276f04ca_at_default>
Edwin
Two answers on this:
1. When you delete an administrator, you are given the options to either:
a. Delete the administrator’s objects - This will delete the administrator and all his or her associated Job Types, Jobs, Corrective Actions, Report Definitions, Reports and Templates. Blackouts will not be deleted.
b. Reassign their objects - This will assign the administrator's objects to another administrator. The credentials belonging to the administrator will be deleted from the repository before any reassignment takes place. Let me come back to this one below.
2. For the specific issue of jobs, there are new emcli verbs in the 12.1.0.4 release that was announced this week that allows you (finally!) to export and import job definitions.
Point b above – the wording here is from the UI (straight cut and paste) and to me isn’t particularly clear. I just created a user in my 12.1.0.4 environment called TEST, and used it to create a named credential (also cleverly called TEST) that I then set as a preferred credential for a host. When I deleted this TEST user, I chose option b above and said reassign the objects to my own user ID. When I log in as me, I can see a named credential called TEST which does exactly what the old named credential TEST does, but is now owned by my user ID. If I look at the recent activities tab for that named credential it says “Credential reassigned as user TEST deleted.”
The end result – provided you say reassign the objects to another administrator, your problem is solved.
Pete
Pete Sharman
Principal Product Manager
Enterprise Manager Product Suite
33 Benson Crescent CALWELL ACT 2905 AUSTRALIA
Phone: HYPERLINK "tel:+61262924095"+61262924095 | | Fax: HYPERLINK "fax:+61262925183"+61262925183 | | Mobile: +61414443449
_____
"Controlling developers is like herding cats."
Kevin Loney, Oracle DBA Handbook
"Oh no, it's not, it's much harder than that!"
Bruce Pihlamae, long term Oracle DBA
_____
From: edwin devadanam [mailto:dmarc-noreply_at_freelists.org]
Sent: Friday, June 6, 2014 4:19 PM
To: dmarc-noreply_at_freelists.org; Peter Sharman; ORACLE-L
Subject: Re: EM 12c best practise!!
as per
http://www.oracle.com/technetwork/oem/framework-infra/wp-em12c-security-best-practicesv2-1493383.pdf
Do not set preferred credentials for group/common accounts such as
SYSMAN. If preferred credentials are set for common accounts, then the accountability of the use of these credentials is lost.
How do we create a global user/one user not to fail for above as said?
My issue is if user A creates Job and leaves organisation when user B deletes user A..all jobs of user A gets onto user B and credentials are lost
Any advice will be appreciated...
thanks,
Edwin.K
On Thursday, June 5, 2014 12:25 PM, edwin devadanam <HYPERLINK "mailto:dmarc-noreply_at_freelists.org"dmarc-noreply_at_freelists.org> wrote:
thanks Faud...
Regards,
Edwin.K
On Thursday, June 5, 2014 12:36 AM, Peter Sharman <HYPERLINK "mailto:pete.sharman_at_oracle.com"pete.sharman_at_oracle.com> wrote:
Yup, nailed it in one – as I would expect from Fuad. J
Pete
Pete Sharman
Principal Product Manager
Enterprise Manager Product Suite
33 Benson Crescent CALWELL ACT 2905 AUSTRALIA
Phone: +61262924095 | | Fax: +61262925183 | | Mobile: +61414443449
_____
"Controlling developers is like herding cats."
Kevin Loney, Oracle DBA Handbook
"Oh no, it's not, it's much harder than that!"
Bruce Pihlamae, long term Oracle DBA
_____
From: Fuad Arshad [mailto:dmarc-noreply_at_freelists.org]
Sent: Wednesday, June 4, 2014 9:19 PM
To: HYPERLINK "mailto:dmarc-noreply_at_freelists.org"dmarc-noreply_at_freelists.org
Cc: ORACLE-L
Subject: Re: EM 12c best practise!!
named credentials is the way to go. easy to setup grant it to the user and no one knows the password
EM 12cr4 enhances these options by adding ssh keys as credentials as well
Fuad
On Jun 4, 2014, at 7:10, "edwin devadanam" <HYPERLINK "mailto:dmarc-noreply_at_freelists.org"dmarc-noreply_at_freelists.org> (Redacted sender "HYPERLINK "mailto:edwin_kodamala_at_yahoo.com"edwin_kodamala_at_yahoo.com" for DMARC) wrote:
Thanks Faud..already i have gone through this.
am still reading EM docs before i can put in few things in place for my Env.
also am interested how other guys in thier env are performing things in terms of global id or something which is secured...
thanks,
Edwin.K
On Wednesday, June 4, 2014 3:49 PM, Fuad Arshad <HYPERLINK "mailto:dmarc-noreply_at_freelists.org"dmarc-noreply_at_freelists.org> wrote:
you need to look at named credentials for this
the wp below can help
Fuad
On Jun 4, 2014, at 5:33, "edwin devadanam" <HYPERLINK "mailto:dmarc-noreply_at_freelists.org"dmarc-noreply_at_freelists.org> (Redacted sender "HYPERLINK "mailto:edwin_kodamala_at_yahoo.com"edwin_kodamala_at_yahoo.com" for DMARC) wrote:
Hi guru's,
I am trying to explore and understand more on EM 12c best practices to be followed.
I am looking for more into security setup and creating a global ID.
As am reading through EM12c documentation,i need some advice on security setup.
Is it possible to setup "global id/global role" to perform Job Scheduling(HOST/SQL script..etc) for multiple servers?
example for 10 servers with 10 different O/S and DB user and my requirement would like what is the best way to perform EM jobs without revealing credentials to anyone?
thanks,
Edwin.K
we have mupltiple 11g oracle database,OBIEE,Oracle Ebiz Suite and Oracle Portal on redhat linux 6/HP-ux servers
-- http://www.freelists.org/webpage/oracle-lReceived on Fri Jun 06 2014 - 18:56:46 CEST