[ Pobierz całość w formacie PDF ]
.Thus, at any givendatabase, there cannot be both a local and a global user SCOTT.If there is aglobal user SCOTT at the Oracle Security Server, and a local user SCOTT on adatabase that is NOT designated as global, these are two separate users.IfSCOTT tries to login to the database, it will be handled as a purely local matter,and the Oracle Security Server will not be involved for authentication.SCOTTwill be logged on as a global user, if and only if, there is a global user SCOTTat the Oracle Security Server and a global user SCOTT in the database.Authenticating Global UsersTo log into a database as a global user SCOTT, SCOTT must authenticatehimself directly with the Oracle Security Server.SCOTT provides thedistinguished name to a tool provided by Oracle Security Server, whichreturns a certificate (and a private key) from the Oracle Security Server.SCOTT can log into any database using "CONNECT /" if, and only if," the database defined user SCOTT as IDENTIFIED GLOBALLY" the database is registered in the same Oracle Security Server4-4 Oracle8 Server Distributed Database Systems Global RolesInstead of granting roles to each user in each database, global roles allow youto assign authorization information to (global) users across multipledatabases.When a global user logs into a database, the global roles assignedto that user will be automatically available.Although global roles are assignedto global users in the Oracle Security Server, the privileges associated witheach global role are defined in each Oracle Server.Therefore, the privilegesassociated with a specific global role can differ between databases based on theprivileges assigned to the global role in each database.Creating Global RolesLike global users, global roles must be" defined in the Oracle Security Server" created in each databaseDefining Global Roles in the Oracle Security ServerYou define global roles in the Oracle Security Server using the Oracle SecurityServer Manager.In the Oracle Security Server Manager, global roles are alsoknown as Server Roles.Please see the Oracle Security Server Guide for moreinformation on how to define global users in using the Oracle Security ServerManager.Creating Global Roles in the DatabaseYou must create global roles in each local Oracle Server using the SQLstatement:CREATE ROLE.IDENTIFIED GLOBALLY;Interaction between local roles and global roles is similar to that between localand global users.Even if a local role has a name identical to an authorizationlisted at the central authority, if it has not been defined locally as a global role,it will not be interpreted as such.Granting Privileges to Global RolesIn each database, you can grant system privileges, object privileges, and localroles to a global role using the GRANT statement.You cannot grant externalroles to global roles.You cannot grant global roles to global roles in thedatabase.Using the Oracle Security Server 4-5 Global roles can only be "assigned" to enterprise roles in the Oracle SecurityServer.See also the Oracle8 Server Reference Manual for information on grantingprivileges to roles, granting roles to roles, and granting roles to users.Assigning Global Roles to Global UsersYou must assign global roles to global users in the Oracle Security Server.Also, you can not assign global roles to local users or local roles.See the OracleSecurity Server Guide for information on how to assign global roles to globalusers.Enterprise RolesThe Oracle Security Server Manager also allows the security administrator tocreate enterprise roles.Just as global roles are a collection of privileges,enterprise roles are a collection of global roles.You can use enterprise roles to grant a global user access to a selected group ofglobal roles (and, therefore, the privileges they comprise) across a system ofdistributed databases.While global users and global roles must be definedboth at the local database and within the Oracle Security Server, enterpriseroles are defined only within the Oracle Security Server.See the Oracle Security Server Guide for detailed information about definingenterprise roles within the Oracle Security Server.Trusting other DatabasesBy default, each database defined in the Oracle Security Server trusts the otherdatabases defined in the Oracle Security Server.However, you can specify thateach database trust only some databases, or you can specify that it not trustany other databases.If a database does not trust another database, database links that use theOracle Security Server (that is, current user database links) cannot be used toestablish a connection between the two databases.4-6 Oracle8 Server Distributed Database Systems Trust Between more than Two DatabasesTrust between databases is not transitive [ Pobierz całość w formacie PDF ]