Oracle Enterprise User Security – A Simple Approach to a Common Problem
Oracle Enterprise User Security (EUS) is a simple solution to many of the security challenges customers face today from a compliance perspective, and it is also a very simple approach to complex problems such as identity propagation. EUS offers a capability, built into the Oracle Database, to authenticate users connecting to the database with their LDAP credentials. Why is that important? The reason is simple: if you have a user base with access to databases, you do not want to maintain and manage their credentials in each database; you would also like the same logon and password to work across many applications, databases included; and when the time comes to revoke access, you can simply revoke it in your corporate directory instead of visiting each and every database, and the user will no longer be able to access any of them. EUS offers a simple way to connect to a variety of directories. A common example: most corporations today rely on Active Directory as their centralized corporate directory, and you can simply use the EUS option to integrate and register your Oracle Databases against Active Directory for authentication. Although EUS is a database option, it relies on Oracle Identity & Access Management components, primarily the directories: Oracle Virtual Directory, Oracle Unified Directory or Oracle Internet Directory.
One interesting use case we solved with EUS was identity propagation from tier to tier, which I would like to describe here. One application was protected by Oracle Access Manager, so authentication was handled at the web application layer. Once authentication succeeded, the usual identity propagation methods passed the identity context from the web server to the application server (for example, WebLogic), and the application executed in the context of the new identity. However, when this application accessed backend components such as EJBs, those EJBs needed to connect to databases and execute queries within the same identity context. This is where EUS was greatly helpful: we could pass the identity all the way to the EJB, and when the EJB called the database it did so through the Oracle driver, which was set up to pass on the authenticated identity context. EUS then did the rest of the work, authenticating that user and establishing the same identity context inside the database, so that Virtual Private Database (VPD) queries were executed using that context. That solved the problem of identity propagation from one tier to the next.
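To make the database side of this concrete, here is an added example (not code from the original post, and not the author's application) of how a VPD policy can key on the enterprise identity that EUS establishes for the session. It assumes the database is already registered with the directory for EUS and that an enterprise-user-to-schema mapping exists there; the schema HR_APP, the table EMPLOYEE_RECORDS with its OWNER_DN column, the function VPD_BY_ENTERPRISE_IDENTITY and the policy name VPD_EUS_OWNER are all hypothetical names chosen for the illustration.

```sql
-- Added example, not part of the original post. Hypothetical names: HR_APP,
-- EMPLOYEE_RECORDS, OWNER_DN, VPD_BY_ENTERPRISE_IDENTITY, VPD_EUS_OWNER.
-- Assumes EUS registration and the directory-side user-to-schema mapping
-- are already in place.

-- 1. A shared global schema. Enterprise users mapped to it in the directory
--    log in with their directory credentials; no database password exists.
CREATE USER hr_app IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO hr_app;
ALTER USER hr_app QUOTA UNLIMITED ON users;

-- 2. Table whose rows are tagged with the directory DN of their owner.
CREATE TABLE hr_app.employee_records (
  id        NUMBER        PRIMARY KEY,
  owner_dn  VARCHAR2(512) NOT NULL,   -- DN of the enterprise user who owns the row
  payload   VARCHAR2(4000)
);

-- 3. Policy function. EUS populates ENTERPRISE_IDENTITY in USERENV with the
--    directory DN of the authenticated enterprise user; local (non-EUS)
--    sessions get NULL, and the function fails closed in that case instead
--    of exposing every row.
CREATE OR REPLACE FUNCTION hr_app.vpd_by_enterprise_identity (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_dn VARCHAR2(4000);
BEGIN
  v_dn := SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY');
  IF v_dn IS NULL THEN
    RETURN '1=0';                    -- no enterprise identity: no rows
  END IF;
  RETURN 'owner_dn = SYS_CONTEXT(''USERENV'', ''ENTERPRISE_IDENTITY'')';
END;
/

-- 4. Attach the policy so reads and writes are both filtered, and so an
--    UPDATE/INSERT cannot create a row the session would not be allowed to see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',
    object_name     => 'EMPLOYEE_RECORDS',
    policy_name     => 'VPD_EUS_OWNER',
    function_schema => 'HR_APP',
    policy_function => 'VPD_BY_ENTERPRISE_IDENTITY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE
  );
END;
/

-- 5. Check from a session opened through EUS: SESSION_USER is the shared
--    schema, ENTERPRISE_IDENTITY is the individual user's directory DN, and
--    the second query returns only that user's rows.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS schema_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS enterprise_user
FROM dual;

SELECT id, payload FROM hr_app.employee_records;
```

The point of the NULL check is the failure mode worth testing: if the driver in the EJB tier ever falls back to a plain local database account instead of carrying the enterprise identity through, the policy should return nothing rather than everything, and the first SELECT in step 5 is the quickest way to see which of the two situations a given session is in.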
The following thoughts, intentions, strategies and/or solutions are those of the blog authors and do not represent the position of anyone other than the authors.