In Oracle Enterprise Manager 12c (OEM) there is a very useful facility called "Named Credentials". It lets you store a username/password pair once, under a name, so that it can be used afterwards by people who never see the actual password. Named credentials can be defined at target level (a single database or host) or at global level (available for all targets of the specified type).
This already works well for a single user (no need to remember all the different passwords: key them in once and give them a useful name), but what about a bigger environment? After a password change, every administrator has to update his or her own stored Named Credentials. If one is missed, that administrator's jobs will fail and the irritation level will rise.
It would be nicer to have one user who is responsible for setting up and maintaining the Named Credentials, with all other admins just consuming them when needed. Sharing a credential with another administrator is available out of the box in the OEM console, so what's the worry…? No worries yet, but now we scale up a bit.
Imagine we have several administrators who only consume the Named Credentials. When a new colleague arrives, he has to be granted 'View' rights on all (possibly many) Named Credentials. The same applies when a new Named Credential is added to the pool: it has to be granted to all admins. Or the other way around: when the current credential administrator leaves, the change rights on all Named Credentials have to be reassigned…. This calls for group functionality.
This functionality is not available in the GUI of OEM, nor is it explained in the manuals (at least I couldn't find it).
Luckily we have EMCLI (Enterprise Manager Command Line Interface), which offers a lot more functionality than the GUI does. And since it is a command line tool, we can also script against it. Installation instructions for EMCLI can be found in your OEM instance: navigate to Setup > Command Line Interface…
One small downside of this construction is that the consuming admins can no longer be 'Super Administrator'; they will have to be 'demoted' to plain 'Administrator', because the privilege grants below are what controls their access to the credentials.
What we will do is:
- Create required accounts and roles in OEM
- Create a user who will be the owner of all named credentials (it is purely an administrative account)
- List all named credentials
- Grant access to the named credentials to the roles
- Grant the appropriate roles to the administrators
Log in to the OEM console using an account with super administrator privileges (e.g. sysman).
- Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_SEC_ADMIN”, Click “Review” and then “Finish”
- Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_SEC_USER”, Click “Review” and then “Finish”
- Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_PUBLIC”, click “Next”, grant all privileges you might need and continue until “Finish”
- Navigate to Setup > Security > Administrators and click "Create". Give this user the name "Credential_owner", select "Super Administrator", click "Review" and then "Finish"
Log out of the OEM console and log in again using the newly created account Credential_owner
- Navigate to Setup > Security > Named Credentials
- Create a new named credential
The next step is to start EMCLI and connect to your OEM instance:
C:\emcli>emcli setup -url=https://xxxxxxxx.xxxxxx.com:7802/em -autologin -username=Credential_owner
Oracle Enterprise Manager Cloud Control 12c Release 2.
Copyright (c) 1996, 2012 Oracle Corporation and/or its affiliates. All rights reserved.
Enter password
Emcli setup successful
C:\emcli>
The next step is to list all named credentials this user has access to:
C:\emcli> emcli list_named_credentials
For each named credential a line is written with the Credential Name, the Credential Owner and some target info.
To grant read access to all users who are in the role "MY_SEC_USER", execute the following statement (CRED_OWNER is the account the credential was created under, here Credential_owner):
C:\emcli>emcli grant_privs -name="MY_SEC_USER" -privilege="GET_CREDENTIAL;CRED_NAME=<credential_name>:CRED_OWNER=Credential_owner"
To grant full access to the users in the role "MY_SEC_ADMIN" you can use the following:
C:\emcli>emcli grant_privs -name="MY_SEC_ADMIN" -privilege="FULL_CREDENTIAL;CRED_NAME=<credential_name>:CRED_OWNER=Credential_owner"
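Since the whole point of moving to EMCLI is that it can be scripted, here is the loop that turns the two grant_privs calls above into one run over every credential. This is an added example written for this post, not code from the original post or from Oracle: it reads the credential listing, keeps the entries owned by Credential_owner, and issues the GET_CREDENTIAL grant to MY_SEC_USER and the FULL_CREDENTIAL grant to MY_SEC_ADMIN for each. Beyond what the page states it assumes that `emcli list_named_credentials -script` prints one credential per line, tab-separated, with Credential Name and Credential Owner as the first two columns (verify the column order on your release); the sample listing embedded in the script is constructed, and the role and owner names are the ones from the steps above.

```sh
#!/bin/sh
# Added example, not code from the original post: grant the two credential
# privileges from the post to the two roles for EVERY named credential owned
# by Credential_owner, instead of typing one grant_privs per credential.
#
# Assumptions the page does not state (labelled as such):
#  * 'emcli list_named_credentials -script' prints one credential per line,
#    TAB-separated, with Credential Name and Credential Owner as the first two
#    columns. The post only says each line carries "Credential Name,
#    Credential Owner and some target info"; check the order on your release.
#  * emcli has already been set up (emcli setup ... -autologin) as
#    Credential_owner, so the grants are issued by the credential owner.

CRED_OWNER="${CRED_OWNER:-Credential_owner}"   # owner of all named credentials
USER_ROLE="${USER_ROLE:-MY_SEC_USER}"          # consumers: GET_CREDENTIAL
ADMIN_ROLE="${ADMIN_ROLE:-MY_SEC_ADMIN}"       # maintainers: FULL_CREDENTIAL
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = run emcli
USE_SAMPLE="${USE_SAMPLE:-1}"                  # 1 = use the constructed listing below
TAB="$(printf '\t')"

# Constructed sample listing standing in for real list_named_credentials output.
# Two credentials belong to Credential_owner, one to another admin (jdoe), and
# one has a ':' in its name, which must not be passed through unchecked.
SAMPLE_LISTING="DB_SYS_ORCL${TAB}Credential_owner${TAB}oracle_database${TAB}orcl${TAB}sys
HOST_ORACLE${TAB}Credential_owner${TAB}host${TAB}host1.example.com${TAB}oracle
MY_PRIVATE${TAB}jdoe${TAB}host${TAB}host2.example.com${TAB}jdoe
BAD:NAME${TAB}Credential_owner${TAB}host${TAB}host3.example.com${TAB}oracle"

# Read a listing on stdin; emit one "role<TAB>privilege-spec" line per grant.
# Only the first two columns are used, so empty columns further right do not
# matter. Credentials owned by someone else are skipped (the owner cannot grant
# on them anyway). Names containing ':' or ';' are skipped because those are
# the separators inside -privilege and would change the meaning of the spec.
plan_grants() {
    owner="$1"; user_role="$2"; admin_role="$3"
    while IFS="$TAB" read -r cred_name cred_owner _rest; do
        [ -n "$cred_name" ] || continue
        [ "$cred_name" != "Credential Name" ] || continue     # header row, if any
        [ "$cred_owner" = "$owner" ] || continue
        case "$cred_name" in
            *:*|*';'*) printf 'skipping unsafe credential name: %s\n' "$cred_name" >&2; continue ;;
        esac
        printf '%s\t%s\n' "$user_role"  "GET_CREDENTIAL;CRED_NAME=${cred_name}:CRED_OWNER=${owner}"
        printf '%s\t%s\n' "$admin_role" "FULL_CREDENTIAL;CRED_NAME=${cred_name}:CRED_OWNER=${owner}"
    done
}

# Read "role<TAB>privilege-spec" lines on stdin and perform each grant.
# The values are handed to emcli as separate arguments rather than assembled
# into a command string and eval'd, so a credential name containing shell
# metacharacters can never turn into shell code. A refused grant is reported
# and the loop continues, so one error does not silently abort the rest.
apply_grants() {
    while IFS="$TAB" read -r role priv; do
        [ -n "$role" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            printf 'emcli grant_privs -name="%s" -privilege="%s"\n' "$role" "$priv"
        else
            emcli grant_privs "-name=$role" "-privilege=$priv" \
                || printf 'grant failed: role=%s privilege=%s\n' "$role" "$priv" >&2
        fi
    done
}

# Source of the listing: the constructed sample by default, live emcli on request.
listing() {
    if [ "$USE_SAMPLE" = 1 ]; then
        printf '%s\n' "$SAMPLE_LISTING"
    else
        emcli list_named_credentials -script
    fi
}

listing | plan_grants "$CRED_OWNER" "$USER_ROLE" "$ADMIN_ROLE" | apply_grants
```

Run as-is it only prints the planned grant_privs calls for the constructed sample (four of them; the jdoe credential and the unsafe name are left out). With USE_SAMPLE=0 it reads the live listing, and with DRY_RUN=0 it performs the grants. Assigning the two roles to the individual administrators (the last step of the list above) is still done in the console under Setup > Security > Administrators.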
Of course there is a lot more that can be achieved on this subject. This post is just to get you started…
Is there a possibility to modify multiple privileges (wildcard) with emcli grant_privs in one command?
Using a wildcard seems not to be working, although you can specify more than one privilege in a command:
emcli grant_privs
-name="user1"
-privilege="USE_ANY_BEACON"
-privilege="FULL_JOB;923470234ABCDFE23018494753091111"
-privilege="FULL_TARGET;TARGET_NAME=host1.example.com:TARGET_TYPE=host"
-privilege="FULL_CREDENTIAL;CRED_NAME=cred1:CRED_OWNER=user2"
-privilege="FULL_CREDENTIAL;CRED_GUID=123451234ABCDFE23018494753092222"
Is the ability to grant to a private role possible in the GUI or only via emcli? I cannot seem to get the private role to list when I have "normal" users wanting to share creds using the UI. I would rather that they didn't know about emcli!
Hi,
I’ve tried this command to add this to a role and it does not work as you stated. Can you confirm ?
oracle@chrbl274@oms12c:/export/home/oracle> emcli grant_privs -name="SR_ENG_ROLE" -privilege="GET_CREDENTIAL;CRED_NAME=ORACLE_C401:CRED_OWNER=SR_ENTERPRISE"
Error: Invalid privilege: GET_CREDENTIAL privilege cannot be granted to a role