Does Centrally Managed Users actually "CREATE" the database user account?

Chris Saxon

Thanks for the question, Kyle.

Asked: January 11, 2024 - 11:41 pm UTC

Last updated: January 17, 2024 - 10:42 am UTC

Version: 19.16.0.0

Viewed 1000+ times

You Asked

I just viewed Russ Lowenthal's YouTube video ( https://www.youtube.com/watch?v=FU8UGLs8QGU ) regarding "Authenticate Oracle Database users with MS Active Directory." In the last and summarizing slide, he made the following statement:

Once CMU is configured, ALL user management can be done in Active Directory [including]
-Create New Users
.
.
.
etc


Yet in all the documentation, and his example, it sounds like you cannot just create a user in AD. It seems you must also go to the database (as a DBA) and run something like "CREATE USER JSMITH IDENTIFIED EXTERNALLY....." before the user can actually connect to the database. In other words, for direct (not shared) accounts, CMU will NOT create the account in the database, that is still a manual step by the DBA beforehand. Do I understand that correctly? In which case his summarizing statement would be an overstatement...?

Thank you so much!

and Chris said...

I reached out to Russ to reply. He said:

What is being created in the database is a schema, not a user. If the users in Active Directory don’t need a private schema, then you could map all users to a single shared schema in the database by linking that schema to an Active Directory group.

Also, the syntax would be CREATE USER jsmith IDENTIFIED GLOBALLY;

Globally would be via LDAP (Active Directory), Externally would be non-LDAP but authenticated via an external means like Kerberos or AzureAD OAuth2 tokens.

Rating

  (1 rating)
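
The two mappings described in the answer, side by side, as an added example that is not part of the original answer or Oracle's own material. It uses the `IDENTIFIED GLOBALLY AS '<DN>'` form of the statement; the schema names and every distinguished name are constructed placeholders.

```sql
-- Added example; all names and DNs below are constructed placeholders.

-- 1) Exclusive mapping: one AD user <-> one private database schema.
--    A DBA runs this once for each user who needs a private schema.
CREATE USER jsmith IDENTIFIED GLOBALLY
  AS 'CN=John Smith,OU=Staff,DC=example,DC=com';
GRANT CREATE SESSION TO jsmith;

-- 2) Shared mapping: one schema linked to an AD group.
--    Users added to the group in AD can connect without further DDL.
CREATE USER app_shared IDENTIFIED GLOBALLY
  AS 'CN=DB_APP_USERS,OU=Groups,DC=example,DC=com';
GRANT CREATE SESSION TO app_shared;

-- 3) Audit which schemas are mapped to directory entries, and to what.
SELECT username, authentication_type, external_name
FROM   dba_users
WHERE  authentication_type = 'GLOBAL'
ORDER  BY username;

-- 4) Inside a session: the schema in use versus the directory identity
--    that authenticated.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS db_schema,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS authenticated_as,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')    AS directory_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method
FROM   dual;
```

Under a shared mapping every group member sees the same `SESSION_USER`, so per-user access rules and audit review need to key on the directory identity columns from query 4 instead.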

Comments

Thank you!

Kyle, January 16, 2024 - 7:34 pm UTC

Thank you Chris. I appreciate you reaching out to Russ directly and clarifying that. Our VPD architecture now is such that each user must have his own account in the DB.

I truly appreciate your time! Well done!

Kyle
Chris Saxon
January 17, 2024 - 10:42 am UTC

You're welcome