In order for multiple support vendors to be able to use one implementation of OEM without exposing access to environments they are not responsible for, it is necessary to restrict Super Administrator access and create admin users with specific access to the targets as required.
So the plan is to have 1 or 2 Super Administrators that are owned by the client, to which the vendors don't have access. The client then creates separate users for the vendors and restricts access that way.
Super Administrator
There should be one or 2 Super Administrators who can control OEM access. These users will create the Groups, allocate targets to the Groups, create users and allow access to the targets. It is recommended that the SYSMAN user is maintained, and an additional Super Administrator created.
Create groups
The easiest way to manage access is to create Groups within OEM and allocate targets to that group. This allows for fine-grained access to those targets.
Click on ‘Create’ and ‘Group’ and give the Group a relevant name.
Ensure ‘Privilege Propagation – Enabled’ is checked.
Click on ‘Add’ and add the targets to the group as appropriate, then click ‘Select’.
When all are added, click on ‘OK’ (top right of the screen).
Create a User
Go to ‘Setup / Security / Administrators’.
Click on ‘Create’.
Enter a username, password and email address, and other information as required.
Click ‘Next’, then ‘Next’ at the ‘Roles’ page.
At the next page, scroll down to the ‘Target Privileges’ section and click on ‘Add’.
Select ‘Group’ from the ‘Target Type’ drop down.
Select the group created earlier and click ‘Select’.
Click on the pencil icon under ‘Manage Target Privilege Grants’.
Check the box next to ‘Group Administration’ and click ‘Continue’.
This gives the user full control over all targets in the group, but no access to other targets not in the group.
Click ‘Review’ and then ‘Finish’.
Log out of OEM and back in as the new user.
Click ‘Save and Continue’, and choose a starting screen (usually Databases).
The user can now see and manage all the targets in the group, but cannot access others.
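The group and user creation above, scripted with EM CLI, as an added example that is not part of the original post. It assumes an already logged-in emcli session, and that the flag names (-add_targets, -privilege_propagation) and the -privilege="GROUP_ADMINISTRATION;<group>:group" grant syntax match the installed release; the vendor name, password and target names are constructed placeholders, and the Data Guard / named credential step later on the page is not covered.

```shell
#!/bin/sh
# Added example: scripted equivalent of the console steps, using EM CLI.
# Assumes 'emcli login' has already been run as a Super Administrator.
# Flag names and the privilege string are assumed from the emcli reference;
# check them against 'emcli help create_group' and 'emcli help create_user'.
# Set EMCLI=echo to print the commands instead of running them (dry run).
EMCLI="${EMCLI:-emcli}"

# The vendor login must be a separate, group-scoped user: refuse to reuse
# the built-in Super Administrator account or an empty name.
check_vendor_name() {
  case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
    SYSMAN) echo "refusing to reuse SYSMAN for a vendor login" >&2; return 1 ;;
    "")     echo "vendor user name is empty" >&2; return 1 ;;
  esac
}

# Create a privilege-propagating group holding only the vendor's targets.
# $1 = group name, $2 = targets as "name:type;name:type" (add_targets form)
create_vendor_group() {
  "$EMCLI" create_group -name="$1" -add_targets="$2" -privilege_propagation=true
}

# Create the vendor administrator with Group Administration on that group
# only, so targets outside the group stay invisible to the vendor.
# $1 = user, $2 = password, $3 = email, $4 = group name
create_vendor_admin() {
  check_vendor_name "$1" || return 1
  "$EMCLI" create_user -name="$1" -password="$2" -email="$3" \
    -privilege="GROUP_ADMINISTRATION;$4:group"
}

# One vendor end to end: group first, then the user scoped to it.
# $1 = user, $2 = password, $3 = email, $4 = group name, $5 = targets
onboard_vendor() {
  create_vendor_group "$4" "$5" && create_vendor_admin "$1" "$2" "$3" "$4"
}
```

Run with EMCLI=echo first to review the exact commands before they touch the repository.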
Data Guard administration is not enabled through this for some reason, and neither is the ability to connect to the databases.
To enable access to the Data Guard Administration screens:
Once the user has been created, select ‘Setup / Security / Administrators’.
Check the box, then click ‘Continue’.
Click ‘Next’ then ‘Finish’.
Log on to OEM with the user and confirm that Data Guard access is allowed – the menu items will not be greyed out.
However, if you click on ‘Data Guard Administration’ an error will be shown.
You need to log back in as an Admin and allow the access.
Log back in as an admin and select ‘Setup / Security / Administrators’ as before, check the box next to the user and click ‘Edit’.
Click ‘Next’ to get to Page 4, then scroll down to ‘Named Credential’ and click on the pencil icon alongside it.
Check the box, click ‘Continue’.
Click ‘Review’ and then ‘Finish’.
Log back in as the user and now you should be able to enter login details.
All done.