Database privileges that cannot be assigned directly to roles:
- Assigning any privilege with “WITH GRANT OPTION”
- INDEX privilege
- REFERENCES privilege
- SYSDBA
These can be assigned only to users. Assigning them to a user in the database and defining a proxy for that user worked fine.
The SYSDBA privilege cannot be implemented through EUS for 10g or earlier versions of the database. This feature was introduced in the 11g database.
To implement:
1. Add the entry "cn=<sid>,cn=OracleContext,dc=com,GLOBAL_ROLE=SYSDBA" to the uniquemember attribute of the enterprise role in OID, in the same form as the other entries there, using LDAP commands.
2. Make sure the LDAP_DIRECTORY_SYSAUTH parameter is set to YES in the target database where EUS is enabled. This parameter was introduced in 11g and tells the database to authenticate superusers against the directory.
# The current value of the parameter can be found with
# (v$parameter stores parameter names in lowercase):
sql> select * from v$parameter where name='ldap_directory_sysauth';
# If the value of this parameter is NO, change it to YES by running:
sql> alter system set LDAP_DIRECTORY_SYSAUTH='YES' scope=spfile;
# Restart the database so the spfile change takes effect:
sql> startup force;
PS: LDAP_DIRECTORY_SYSAUTH is not a dynamic parameter, so alter it through spfile and restart the database.
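The LDIF for step 1 can be generated and validated before it is sent to OID. This is an added example, not part of the original post; the helper name `sysdba_member_ldif`, the enterprise role DN and the ldapmodify connection values are placeholders for site-specific values.

```shell
#!/bin/sh
# Added example: build the LDIF record for step 1.
# The role DN is site-specific and must be supplied by the caller.

# Print an LDIF "modify/add" record that appends the SYSDBA member value
# from step 1 to an enterprise role's uniquemember attribute.
#   $1 = DN of the enterprise role entry in OID (placeholder)
#   $2 = database SID
#   $3 = realm suffix (defaults to dc=com, as used on this page)
sysdba_member_ldif() {
    role_dn=$1; sid=$2; realm=${3:-dc=com}
    [ -n "$role_dn" ] && [ -n "$sid" ] || {
        echo "usage: sysdba_member_ldif role_dn sid [realm]" >&2
        return 2
    }
    # A SID containing ',' or '=' would change the DN structure of the
    # member value, so allow only plain identifier characters.
    case $sid in
        *[!A-Za-z0-9_]*) echo "invalid SID: $sid" >&2; return 1 ;;
    esac
    # A newline in a DN would start a new LDIF line and could smuggle
    # extra attributes into a record that grants SYSDBA.
    nl='
'
    case "$role_dn$realm" in
        *"$nl"*) echo "newline in DN input" >&2; return 1 ;;
    esac
    printf 'dn: %s\n' "$role_dn"
    printf 'changetype: modify\n'
    printf 'add: uniquemember\n'
    printf 'uniquemember: cn=%s,cn=OracleContext,%s,GLOBAL_ROLE=SYSDBA\n' \
        "$sid" "$realm"
}

# Typical use (placeholders in angle brackets; add the password option
# your ldapmodify build expects):
#   sysdba_member_ldif "<enterprise role DN>" "<sid>" > add_sysdba.ldif
#   ldapmodify -h <oid_host> -p <oid_port> -D "<bind DN>" -f add_sysdba.ldif
```

Review the generated file before applying it, since membership in this role grants SYSDBA on the target database.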