Creating adapter user account
You must create a user account for the adapter on the managed resource. Provide the account information when you create the Oracle application on IBM® Security Verify.
The account must be able to connect remotely to the Oracle Database server and must have sufficient privileges to administer Oracle Database users. Table 1 lists the privileges that the user account must have to administer Oracle Database users.
Privilege | Description |
---|---|
CREATE USER | To create an Oracle database user. |
GRANT ANY ROLE | To grant or remove roles to the Oracle database user. |
SELECT ANY TABLE | To perform the reconciliation operation and retrieve the following information from the Oracle database: |
GRANT ANY PRIVILEGE | To grant or remove privileges to the Oracle database user. |
SELECT ANY DICTIONARY | Using this system privilege, users can access all the objects in the SYS schema, including tables that are created in that schema. You must grant the required privileges to the individual users based on the requirements. |
SELECT ON SYS.USER$ | For Oracle 12c support (non-container database), grant this privilege to the user to retrieve the date when the password was last changed. |
WM_ADMIN_ROLE or SELECT_CATALOG_ROLE | To access the DBA_WM_SYS_PRIVS view. |
EXECUTE permission on DBMS_LOCK and ADMINISTER_RESOURCE_MANAGER system privilege | To execute stored procedures that set the consumer group. |
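The following SQL*Plus script is an added example, not part of the IBM documentation: it creates the adapter account with exactly the privileges listed in Table 1 and then queries the data dictionary so that an administrator can confirm that nothing beyond that set was granted. The account name VERIFY_ADAPTER and the password are placeholders; CREATE SESSION is assumed to be required for the remote connection the text mentions, and the resource manager privilege is written with spaces, as Oracle spells it.

```sql
-- Placeholder account and password: replace both before running.
CREATE USER verify_adapter IDENTIFIED BY "ReplaceMe_placeholder_1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users;                       -- the adapter stores no data; deny storage

-- Assumed: needed so the adapter can connect remotely at all.
GRANT CREATE SESSION TO verify_adapter;

-- Privileges from Table 1 on this page.
GRANT CREATE USER           TO verify_adapter;   -- create Oracle users
GRANT GRANT ANY ROLE        TO verify_adapter;   -- grant / revoke roles
GRANT SELECT ANY TABLE      TO verify_adapter;   -- reconciliation
GRANT GRANT ANY PRIVILEGE   TO verify_adapter;   -- grant / revoke privileges
GRANT SELECT ANY DICTIONARY TO verify_adapter;   -- read SYS schema objects
GRANT SELECT ON sys.user$   TO verify_adapter;   -- last password change (12c non-CDB)
GRANT SELECT_CATALOG_ROLE   TO verify_adapter;   -- DBA_WM_SYS_PRIVS view
GRANT EXECUTE ON sys.dbms_lock TO verify_adapter;         -- consumer-group procedures
GRANT ADMINISTER RESOURCE MANAGER TO verify_adapter;      -- (page writes it with underscores)

-- Verification: list every system privilege, role and object privilege the
-- account actually holds, so that any grant outside the required set,
-- in particular any extra ANY privilege, stands out in review.
SELECT 'SYS'  AS kind, privilege AS name
  FROM dba_sys_privs  WHERE grantee = 'VERIFY_ADAPTER'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs WHERE grantee = 'VERIFY_ADAPTER'
UNION ALL
SELECT 'OBJ',  privilege || ' ON ' || owner || '.' || table_name
  FROM dba_tab_privs  WHERE grantee = 'VERIFY_ADAPTER'
ORDER BY 1, 2;
```

Run the script as a DBA account; the final query is the check to repeat whenever the schema changes, since the ANY privileges cover objects added later without any further grant.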
By default, a user is granted access on objects within the schema of the user. The ANY keyword grants access to users on all objects of that type in all schemas. For example:
- To grant a system privilege, you must either have system privileges that are granted with ADMIN OPTION or GRANT ANY PRIVILEGE.
- To grant an object privilege, one of the following conditions must be met:
  - You must be the object owner.
  - The object owner must grant you the object privileges with the GRANT OPTION.
  - The object owner must grant you the GRANT ANY OBJECT PRIVILEGE system privilege.
If you do not use the ANY keyword, you must grant the specific privileges, roles, tables, and so on, to the user account, or the user account must be the object owner. When a new privilege, role, or table is added to the schema, you must update the permissions for the user account.
To reduce security risks, do not use the ANY keyword to grant privileges to user accounts.