Enterprise Manager (EM)
Enterprise Manager (EM) is a graphical management tool that provides centralized capabilities of managing Oracle databases and servers. In recent releases, EM has become web-based and we can manage our properties simply through a browser, no matter where we are.
The role EM_EXPRESS_BASIC is one of predefined roles in Oracle database, who provides a bunch of system and object privileges required to use EM properly.
Comparing to EM_EXPRESS_ALL, EM_EXPRESS_BASIC has limited privileges to operate EM and is usually used for monitoring properties rather than managing.
To grant the role to an user who wants to monitor the properties via EM, we only need a granting like this:
SQL> grant em_express_basic to op;
The grantee can also be a role. In this case, we granted the role to operators who are required to monitor database server's performance day and night.
Another example of granting EM_EXPRESS_BASIC to an user can be found in the post: How to Enable EM express.
Here we list privileges in EM_EXPRESS_BASIC by the following categories.
We use the following SQL statement to check the roles in EM_EXPRESS_BASIC.
SQL> set pagesize 1000;
SQL> select granted_role from dba_role_privs where grantee = 'EM_EXPRESS_BASIC' order by 1;
There's only 1 role granted to EM_EXPRESS_BASIC.
As we can see, EM_EXPRESS_BASIC heavily depends on SELECT_CATALOG_ROLE role.
We use the following SQL statement to check the system privileges in EM_EXPRESS_BASIC.
SQL> select privilege from dba_sys_privs where grantee = 'EM_EXPRESS_BASIC' order by 1;
There're 2 system privileges granted to EM_EXPRESS_BASIC.
- CREATE SESSION
- EM EXPRESS CONNECT
We use the following SQL statement to check the object privileges in EM_EXPRESS_BASIC.
SQL> select privilege || ' on ' || owner || '.' || table_name privilege from dba_tab_privs where grantee = 'EM_EXPRESS_BASIC' order by owner, table_name, privilege;
There're 3 object privileges granted to EM_EXPRESS_BASIC.
- EXECUTE on SYS.DBMS_PERF
- EXECUTE on SYS.PRVTEMX_ADMIN
- SELECT on SYS.V_$DIAG_INCIDENT
It seems that EM_EXPRESS_BASIC has few privileges, but in fact, it inherits most of object privileges from SELECT_CATALOG_ROLE.