Benefits

Why should I be interested in Enterprise User Security?

Enterprise User Security provides directory users with database access. It provides the glue for extending database security features, including VPD and Oracle Label Security, to directory users. This brings increased returns on investment in client server applications by providing i) centralized database user administration and ii) centralized database privilege administration.

Does centralized user management fit all models of client-server application architecture?

If an application relies on the database's user and privilege management features, it lends itself perfectly to centralized administration without any application code changes. Applications that have their own user and privilege management modules, or one or the other, can move to centralized administration in a phased manner. Extending the Life of Database Applications (white paper) discusses these models in greater detail.

Can directory users who are configured for Oracle9iAS Portal or Oracle9iAS Single Sign-On authenticate to the database?

Yes. With the Oracle9i R2 database and Oracle9iAS v2, a user entry in the directory created for single sign-on or portal purposes can be configured to authenticate to the Oracle database.
Integration across Oracle platform

How can directory users be configured for database access?

In the current release (Oracle9i Release 2), directory users must manage their database passwords using Enterprise Security Manager or Enterprise Login Assistant. You must also ensure that the nickname attribute used by the subscriber context is populated in the root Oracle Context. An upcoming release of Oracle Internet Directory will provide the capability to let a password change made through its self-service framework trigger database password management. This would eliminate the first of the two restrictions listed above.

Are there any known limitations to configuring directory users for 9iAS component provisioning?

From the enterprise user security perspective, it is possible to associate multiple user search bases with an Oracle Context. Oracle9iAS has a subscriber model that eliminates the need for a multiple search base capability. Thus, if you are moving from using the directory for database access alone to provisioning the directory user for 9iAS components such as Portal and Single Sign-On, ensure that there is only one user search base associated with the Oracle Context.
Integration with existing security infrastructure

What are the various authentication mechanisms supported by Enterprise User Security?

There are three popular security frameworks: passwords, PKI and Kerberos. When introduced in Oracle8i, this feature supported certificate-based authentication (relying on the customer's PKI) for all users. Password-based authentication has been available since Oracle9i.

We are working on providing Kerberos-based authentication for enterprise users in an upcoming release of the database.
Centralized password management

Where are the user's database passwords stored?

The password is stored in hashed form in the directory (OID) in the user entry (orclpassword attribute). This is additionally protected by ACLs.
Are the Single Sign-On and database passwords synchronized?

No. In the current release (Oracle9i Release 2), users must use Enterprise Security Manager or Enterprise Login Assistant for managing database passwords. In an upcoming release of the database, there are plans to provide synchronization of the userpassword and orclpassword attributes (the single sign-on and database passwords respectively).
Do I get single sign-on to the database since the passwords are centrally located?

No. However, users and administrators benefit from centralized password management. That is, administrators and end users manage their credentials at only one location. Client server applications relying on the database's user model may now have their users administered centrally.

PKI and Kerberos models allow single sign-on.

Must I upgrade to Oracle9i in order to use centralized password management?

Only your database server needs to be upgraded to Oracle9i. Prior versions of Oracle database clients need not be upgraded because the database logon protocol is compatible.

Do Oracle Internet Directory's password management policies apply to database passwords as well?

Yes, the value constraints of the password management policies can be enforced for the database password attribute. The state constraints must be enforced by the relevant applications.
Centralized privilege management

Can enterprise users' privileges be managed centrally in the directory?

Yes. Enterprise users can have roles assigned to them in the directory. These roles in the directory, called Enterprise Roles, may contain one or more "Database Global Roles".
Migration/Feature Deployment

Our employees have different login names for the different applications (in different databases). Will they need to go with one login name for all of the databases?

Yes. This is one of the most common problems resulting from decentralized user administration. Technology or applications cannot enforce unique identity. Identity proliferation leads to lower security and higher administration costs. Administrators must enforce one id per user as a best practice in their organization. This issue must be resolved especially when planning a migration to centralized user management.

How can I migrate the database users to Oracle Internet Directory?

User Migration Utility, a tool that migrates database users to the directory, is available starting in Oracle database 9i Release 2. The migration is a two-step process that lets you review the migration before confirming it. It allows you to normalize the identities (DNs) across databases. So, this is an opportunity to consolidate the multiple user definitions into one user identity in the directory.
Can an enterprise user own any objects in the database?

Yes. If this is a requirement we recommend that the enterprise user have an exclusive schema. In this case, the difference between a database local user and an enterprise user is that the latter is managed centrally in the directory.

If enterprise users are created with an exclusive schema, the schema must be created and managed at every database where they must own objects. They can be mapped to a shared schema if there is no requirement to own objects. In order to eliminate the administrative burden of managing schemas, you can map several enterprise users to a "shared" schema.
What is the difference between "create user Jane identified globally as 'DN'" and "create user App_Guest identified globally as ''"?

The former is the syntax to create a global user who is authenticated using his/her X509v3 certificate. The DN in the as clause is the DN in his/her certificate. This user has an exclusive schema in the database. The exclusive schema is associated with the user specified in the as clause. Users may be created in this manner if you are considering using Oracle Advanced Security's SSL adapter.

The former can also mean that you are creating a directory-based user with an exclusive schema called "Jane". When Jane logs in, she is looked up in the directory by the DN specified in the as clause to verify her credentials. Once the password is verified, she is connected to the database in the Jane schema.

The latter is a means of creating and identifying a shared schema called App_Guest in the database. The null as clause indicates that this schema is not associated with any one DN. The Enterprise User Security feature relies on it to map enterprise users to a shared schema.
What is a shared schema?

A shared schema is a database schema that provides a landing pad for the directory users configured to access the database when they request a database connection. For example, a portal user is not known to the database. However, if a portal user sets up the orclpassword verifier and is mapped to the shared schema in the directory, she can connect to the database and perform DML operations on objects in the shared schema or any other schema that she is mapped to.

The immediate benefit is the elimination of schema management across databases for enterprise users. You can map multiple users to a shared schema in a database.
Do you have to create a shared schema in every database that an enterprise user might access?

Yes. The idea behind a shared schema is to use it as a connection resource with a create session privilege. A database that allows directory-based users to access its resources must provide a means for these users to hook into the database.

Using a shared schema, you can create one schema and map several users in the directory to it. However, there are no access control restrictions that can be enforced uniquely for every enterprise user within the shared schema. Therefore it is recommended to use a shared schema only as a connection resource with only a create session privilege. Application-related objects must be located in an application schema that is different from the shared schema.

Do you recommend creating application objects in the shared schema?

No. All users mapped to a shared schema have access to all the objects and associated object privileges. It is recommended that application objects be created in an application-specific schema.
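As an added example (not code from the page, nor Oracle's own documentation), the DDL below sets up the three kinds of schema the preceding questions distinguish: an exclusive schema for a global user bound to her directory DN, a shared schema identified by the empty string, and a separate application schema that owns the objects. Following the FAQ's recommendation, the shared schema receives only CREATE SESSION, and object privileges are attached to a global role that the directory grants through an enterprise role. All user names, the DN, the USERS tablespace and the table definition are assumed for illustration; run it as a DBA.

```sql
-- Added example, not from the original page. All names and the DN are assumed.

-- 1. Exclusive schema: one global user tied to exactly one directory DN.
--    The DN in the AS clause must match the user's directory entry (or certificate) DN.
CREATE USER jane IDENTIFIED GLOBALLY AS 'cn=jane,cn=users,dc=example,dc=com';
GRANT CREATE SESSION TO jane;

-- 2. Shared schema: the empty AS clause means "not bound to any one DN".
--    Enterprise users are mapped to it in the directory. It is a landing pad
--    for connections, so it gets CREATE SESSION and nothing else.
CREATE USER app_guest IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO app_guest;

-- 3. Application objects live in their own schema, never in the shared schema.
--    (Placeholder password; the USERS tablespace is assumed to exist.)
CREATE USER hr_app IDENTIFIED BY "Ch4nge-Me-Now";
GRANT CREATE SESSION, CREATE TABLE TO hr_app;
ALTER USER hr_app QUOTA 10M ON users;
CREATE TABLE hr_app.employees (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(80),
  salary  NUMBER
);

-- 4. Global role: object privileges are attached here. A global role cannot be
--    granted with GRANT; the directory grants it via an enterprise role, so the
--    mapping of people to privileges stays centralized.
CREATE ROLE hr_clerk IDENTIFIED GLOBALLY;
GRANT SELECT ON hr_app.employees TO hr_clerk;

-- Checks a reviewer can run: the shared schema should own no objects and hold
-- only CREATE SESSION. Anything else means every mapped user inherits it.
SELECT owner, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = 'APP_GUEST'
 GROUP BY owner;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('APP_GUEST', 'JANE')
 ORDER BY grantee, privilege;
```

The two closing queries are the part worth automating: an empty result from the first and a single CREATE SESSION row for APP_GUEST from the second confirm that the shared schema is still only a connection resource.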
Do enterprise users work across database links?

Yes. Enterprise users work over connected user and current user database links. In a connected user database link from Database A to Database B, the user's credentials are forwarded by Database A to Database B on the user's behalf.

In a current user database link, Database A provides the user's DN to Database B. Placing the databases in an enterprise domain establishes a trust relationship between them that is checked before the current user database link is allowed to execute.
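To show the two link types the answer above contrasts, here is an added example (not from the page or from Oracle's documentation) to be run in Database A. The link names, the TNS alias 'dbb' and the hr_app.employees table are assumed.

```sql
-- Added example, not from the original page. Link names, the alias 'dbb'
-- and the remote table are assumed; run in Database A.

-- Connected user link: no CONNECT TO clause. Database A forwards the
-- connecting enterprise user's credentials to Database B, so Database B
-- must also know the user (exclusive schema or a shared-schema mapping).
CREATE DATABASE LINK dbb_connected USING 'dbb';

-- Current user link: Database A passes the user's DN to Database B. The
-- link only executes when both databases are members of the same
-- enterprise domain, which is the trust relationship the FAQ describes.
CREATE DATABASE LINK dbb_current CONNECT TO CURRENT_USER USING 'dbb';

-- Both links are used the same way; the difference is how B identifies
-- the caller, not how the query is written.
SELECT COUNT(*) FROM hr_app.employees@dbb_current;

-- Review query: a link that names a fixed account in USERNAME carries
-- that account's privileges for every caller and sidesteps the
-- enterprise identity, so those rows deserve the closest scrutiny.
SELECT owner, db_link, username, host
  FROM dba_db_links
 ORDER BY owner, db_link;
```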
How do you audit enterprise users?

In Oracle9i Advanced Security, enterprise users are tracked in the comments column in the AUD$ table. We are making significant improvements to this feature in an upcoming release of the database.
Can a proxy user be an enterprise user?

Yes. An enterprise user with an exclusive schema can be granted proxy capabilities. Since proxy capability is a powerful feature that allows the proxy user to act on behalf of one or more end users (proxy-ees), we recommend that you do not grant proxy capabilities to a shared schema.
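The two preceding answers, on auditing through the comments column of AUD$ and on granting proxy rights only to exclusive-schema users, are illustrated by this added example (not code from the page or from Oracle). User names are assumed; jane is the exclusive-schema user and scott the end user she acts for. The filter on the text 'EXTERNAL NAME' is an assumption about what the comments column contains for enterprise users, not a documented contract, and the query needs the AUDIT_TRAIL parameter set to DB.

```sql
-- Added example, not from the original page. Names are assumed.

-- Proxy: jane (an exclusive-schema enterprise user) may connect on behalf
-- of scott. The FAQ advises never granting this to a shared schema, because
-- every directory user mapped to that schema would inherit the proxy right.
ALTER USER scott GRANT CONNECT THROUGH jane;

-- Check: list proxy relationships and confirm no shared schema appears as
-- a PROXY (compare against the schemas created IDENTIFIED GLOBALLY AS '').
SELECT proxy, client
  FROM proxy_users
 ORDER BY proxy, client;

-- Auditing: record logons (requires AUDIT_TRAIL = DB in the init parameters).
AUDIT SESSION;

-- Enterprise-user logons carry their directory identity in the comments
-- column, exposed as COMMENT_TEXT in DBA_AUDIT_TRAIL over SYS.AUD$.
-- The LIKE pattern is an assumption about that text for this release.
SELECT timestamp, username, os_username, userhost, action_name, comment_text
  FROM dba_audit_trail
 WHERE action_name LIKE 'LOGON%'
   AND comment_text LIKE '%EXTERNAL NAME%'
 ORDER BY timestamp DESC;
```

Because many enterprise users share one database username when mapped to a shared schema, USERNAME alone cannot tell them apart; COMMENT_TEXT is what links a session back to an individual directory entry, which is why it belongs in any review of shared-schema activity.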
Can VPD and Oracle Label Security policies be applied to enterprise users?

Yes. The label authorizations in Oracle Label Security must be associated with the schema that the user population uses (i.e., shared schema or exclusive schema).
Integration with 3rd party directories

How can users created in Active Directory authenticate to the database?

There are two means to this end.

1) In a heterogeneous environment, the Directory Integration Platform (DIP) synchronizes the user entries into OID in order to leverage Enterprise User Security features. This allows customers to continue to use their current administrative and user provisioning tools. More details are in the Oracle Internet Directory documentation at http://iasdocs.us.oracle.com/iasdl/90200doc_otn/manage.902/a95192/pt_odip.htm

2) In an all-Windows environment, Oracle provides the NTS adapter, which lets Active Directory users authenticate to the database as external users.