Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

Centrally Managed Users (CMU)

Centrally Managed Users (CMU) is a new feature introduced in Oracle Database 18c that simplifies database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1, the database supports direct integration with Microsoft Active Directory using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD.

Benefits of CMU

With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in a Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which gives users additional privileges and roles beyond what their login account (exclusive or shared) is granted. With centrally managed users, users can be authenticated with passwords, Kerberos, or PKI certificates.

Implement Role-Based Access Control (RBAC) directly with Active Directory.
Follow the three steps below to implement RBAC.

(1) Create a new Group in Active Directory.
(2) Assign permissions to this Group.
(3) Add users to the Group.
(Note: you don't assign permissions to individual users. Instead you assign permissions (Step 2) to the AD Group created in Step 1.)

This is in essence RBAC, or Role-Based Access Control. It not only simplifies administration but also minimizes errors when assigning permissions to users, thereby enhancing security as well. Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. Roles in your organization should map to the users' job functions and duties. Hence with RBAC you can ensure that employees are only allowed to access the information and systems necessary to perform their job duties effectively. With RBAC you implement security by restricting authorized users' access to IT and information systems.
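The database side of the exclusive/shared mappings and the group-to-global-role mapping described above, as an added example that is not from the original post. The AD group names (DB_APP_USERS, DB_APP_READERS), the user DN, the domain DC=example,DC=com and the hr.employees table are all assumed; substitute the real distinguished names from your directory.

```sql
-- Added example, not from the original post. Group names, user DN, domain
-- and the hr.employees table are assumptions. Run as a DBA after CMU has
-- been configured; Steps 1 and 3 of the RBAC procedure happen in AD itself.

-- Shared schema: every member of the AD group DB_APP_USERS connects to this
-- one database account. It holds CREATE SESSION only; data privileges come
-- from the global role below, so group membership decides access.
CREATE USER app_users IDENTIFIED GLOBALLY AS
  'CN=DB_APP_USERS,OU=Groups,DC=example,DC=com';
GRANT CREATE SESSION TO app_users;

-- Exclusive schema: one AD user mapped to exactly one database account.
CREATE USER alice IDENTIFIED GLOBALLY AS
  'CN=Alice Smith,OU=Users,DC=example,DC=com';
GRANT CREATE SESSION TO alice;

-- Global role (Step 2 on the database side): privileges are granted to the
-- role, and AD membership in DB_APP_READERS, not a direct GRANT to a user,
-- decides who receives it at login.
CREATE ROLE app_readers IDENTIFIED GLOBALLY AS
  'CN=DB_APP_READERS,OU=Groups,DC=example,DC=com';
GRANT SELECT ON hr.employees TO app_readers;

-- Check the mappings: globally identified accounts report
-- AUTHENTICATION_TYPE = 'GLOBAL' and EXTERNAL_NAME carries the AD DN.
SELECT username, authentication_type, external_name
FROM   dba_users
WHERE  authentication_type = 'GLOBAL';

SELECT role, authentication_type
FROM   dba_roles
WHERE  authentication_type = 'GLOBAL';

-- Inside a session of a mapped AD user: with a shared schema SESSION_USER is
-- the same for everyone, so audit on AUTHENTICATED_IDENTITY (the AD user).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS db_account,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS ad_identity,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method
FROM   dual;
```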

With the CMU feature there is no need for additional tiers such as Oracle Unified Directory (OUD)/Enterprise User Security (EUS) or a third-party password synchronization tool. Oracle Database can authenticate and authorize Microsoft Active Directory users directly, without intermediate directories or Oracle Enterprise User Security.

Note: The minimum version requirement for Active Directory server operating system is Microsoft Windows Server 2008 R2.
Note on licensing: CMU is an Enterprise Edition base feature.

CMU enables Oracle DB to directly authenticate/integrate with AD

This integration (as shown above) provided by CMU enables organizations to use Active Directory to centrally manage users and roles in multiple Oracle databases with a single directory, alongside other IT services. Active Directory users can authenticate to the Oracle database by using credentials that are stored in Active Directory. Active Directory users can also be associated with database users (schemas) and roles by using Active Directory groups. Microsoft Active Directory users can be mapped to exclusive or shared Oracle Database users (schemas), and be associated with database roles through their group membership in the directory. Active Directory account policies such as password expiration time and lockout after a specified number of failed login attempts are honored by the Oracle Database when users log in.

Before Oracle Database 18c release 1 (18.1), database user authentication and authorization could be integrated with Active Directory by configuring Oracle Enterprise User Security and installing and configuring Oracle Internet Directory (or Oracle Unified Directory).
Authentication to Oracle Database prior to release 18c

This architecture (shown above) is still available and will continue to be used by users who must use the Oracle enterprise domain, current user database links between trusted databases, or complex enterprise roles, or who need a single place for auditing database access privileges and roles.

The majority of organizations do not have these complex requirements. Instead, they can use centrally managed users (CMU) with Active Directory. This integration is designed for organizations that prefer to use Active Directory as their centralized identity management solution. Note: Oracle Net Naming Services continues to work with directory services as it did before.

The Oracle Database-Microsoft Active Directory integration supports three common authentication methods. These authentication methods are as follows:
(1) Password authentication
(2) Kerberos authentication
(3) Public key infrastructure (PKI) authentication (certificate-based authentication)

Organizations can use Kerberos, PKI, or password authentication with CMU with Active Directory. Use of CMU with Active Directory is backward compatible with currently supported Oracle Database clients. This means that LDAP bind operations are not used for password authentication and you will need to add an Oracle filter to Active Directory along with an extension to the Active Directory schema to store password verifiers. Organizations using Kerberos or PKI will not need to add the filter or extend Active Directory schema.

The Oracle Database-Active Directory integration is particularly beneficial for the following types of users:
(a) Users who are currently using strong authentication such as Kerberos or Public Key Infrastructure (PKI). These users already use a centralized identity management system.
(b) Users who currently use Oracle Enterprise User Security, Oracle Internet Directory, Oracle Unified Directory, Oracle Virtual Directory, and need to integrate with Active Directory.

Comments

  1. Hi, I really enjoyed reading the blog and found it very informative and helpful.
    You can check out Oracle cloud implementation and management services on Tangenz Corp.

