About User Authentication and Role Authorization Methods

10.3 About User Authentication and Role Authorization Methods

Describes how user login credentials are authenticated and database roles are authorized in Windows domains.

User authentication and role authorization are defined in User Authentication and Role Authorization Defined.

Table 10-1 User Authentication and Role Authorization Defined

Feature	Description	More Information
User authentication	Process by which the database uses the user's Windows login credentials to authenticate the user.	Oracle Database 2 Day DBA
Role authorization	Process of granting an assigned set of roles to authenticated users.	Oracle Database 2 Day DBA

Oracle Database supports user authentication and role authorization in Windows domains. Basic Features of User Authentication and Role Authorization describes these basic features.

Table 10-2 Basic Features of User Authentication and Role Authorization

Feature	Description
Authentication of external users	Users are authenticated by the database using the user's Windows login credentials enabling them to access Oracle Database without being prompted for additional login credentials.
Authorization of external roles	Roles are authorized using Windows local groups. Once an external role is created, you can grant or revoke that role to a database user. Initialization parameter `OS_ROLES` is set to `false` by default. You must set `OS_ROLES` to `true` to authorize external roles.

Topics:

About Using Authentication and Authorization Methods
User Authentication and Role Authorization Methods describes user authentication and role authorization methods to use based on your Oracle Database environment:

10.3.1 About Using Authentication and Authorization Methods

User Authentication and Role Authorization Methods describes user authentication and role authorization methods to use based on your Oracle Database environment:

Table 10-3 User Authentication and Role Authorization Methods

Method	Database Environment
Enterprise users and roles	You have many users connecting to multiple databases. Enterprise users have the same identity across multiple databases. Enterprise users require use of a directory server. Use enterprise roles in environments where enterprise users assigned to these roles are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to multiple enterprise user in the directory. If you do not use enterprise roles, then you must assign database roles manually to each database user. Enterprise roles require use of a directory server.
External users and roles	You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database and do not require use of a directory server. External roles must also be created individually in each database, and do not require use of a directory server. External roles are authorized using group membership of the users in local groups on the system.

Method

Database Environment

Enterprise users and roles

You have many users connecting to multiple databases.

Enterprise users have the same identity across multiple databases. Enterprise users require use of a directory server.

Use enterprise roles in environments where enterprise users assigned to these roles are located in many geographic regions and must access multiple databases. Each enterprise role can be assigned to multiple enterprise user in the directory. If you do not use enterprise roles, then you must assign database roles manually to each database user. Enterprise roles require use of a directory server.

External users and roles

You have a smaller number of users accessing a limited number of databases. External users must be created individually in each database and do not require use of a directory server.

External roles must also be created individually in each database, and do not require use of a directory server. External roles are authorized using group membership of the users in local groups on the system.