7 Setting Up Enterprise Manager for Your Environment

The bigger your enterprise, the bigger the task to manage all the targets in that environment. You can set up Enterprise Manager to work within that environment so that multiple administrators can share the responsibilities of managing multiple targets. This set up includes defining the appropriate levels of access and privileges so administrators can perform their jobs in the most optimum way.

This chapter explains these concepts:

Creating Administrators
Using Privileges
Defining Roles
Organizing Targets as Groups

Creating Administrators

The breadth of management tasks available in Enterprise Manager depends on the privileges and roles assigned to the administrators. Administrator accounts are user accounts that allow administrators to log in to Enterprise Manager and perform management tasks. The privileges and roles assigned to the administrator account determine what the administrator can do within Enterprise Manager.

Super administrator Account

Enterprise Manager is installed with a default superadministrator account called SYSMAN. During the installation, you provide a password for SYSMAN. You use the SYSMAN account for the initial log in to Enterprise Manager. The superadministrator account cannot be deleted nor renamed.

The superadministrator account can create, as well as delete other administrator accounts and set up all administrator credentials. Among other tasks, the superadministrator can:

Create Enterprise Manager privileges and roles
Perform the initial set up of Enterprise Manager, for example, defining e-mail configurations and defining global notifications rules
Add additional targets to Enterprise Manager
Perform any action on any target in the system

Oracle recommends that after installation, the first time you log in to Enterprise Manager as SYMAN, you create a new administrator account for yourself. Oracle does not recommend logging in as superadministrator to conduct daily administration tasks.

Each administrator should have his or her own account that is not a superadministrator account. For example, you could create a new administrator account that would have access to a subset of targets (databases, application servers, hosts) in the environment for which the administrator is primarily responsible.

Administrator Account

An Enterprise Manager administrator account (also known as an administrator) is an account that provides users permission to perform administrative tasks and access administrative information. You can set up each administrator account to have its own:

E-mail address
Notification rules
Set of privileges that determine what it can do in Enterprise Manager, for example, which targets it can access

Oracle recommends that you create an administrator account using the superadministrator account for each administrator on your administrative team. The superadministrator account has a lot of capabilities and it is not a good idea for everyone on the administration team to be logging in and doing work as SYSMAN.

See Also:

"About Administrators and Roles" in the Enterprise Manager online help

Using Privileges

System security is a major concern of any corporation. Security conscious IT departments plan privileges such that each person only has the minimum privileges needed to do his or her job. Also you do not want to perform the tedious task of individually granting access to tens, hundreds, or even thousands of targets to every new member of your organization.

With the Enterprise Manager administrator privileges and roles feature, you can perform this task within seconds, instead of hours.

A privilege is a right to perform management actions within Enterprise Manager such as:

View any target and add any target in the enterprise
Perform operations on a target such as configure credentials for maintenance operations of a target

The following types of privileges are defined by Oracle.

System Privileges allow a user to perform systemwide operations. The systemwide operations include:
- Viewing any target, including all the Management Agents and the Management System pages.
- Adding any target to Enterprise Manager for management.
- Using any Beacon on any monitored host to monitor transactions, URLs, and network components. (See Chapter 3, " Application Performance Management" for additional information about Beacons.)
- Monitoring Enterprise Manager performance.
Target Privileges allow a user to perform operations on a target. The target privileges include:
- Viewing properties and monitoring information about a target.
- Starting up and shutting down a target through the Operator privilege.
- Maintaining the target by patching the software and data.
- Granting all target privileges including deleting a target and configuring credentials for maintenance operations of a target.
- Managing a target group by creating a target in a target group, deleting a target from a target group, and granting privileges to a group. See "Organizing Targets as Groups" for information about target groups.
  
  Note:
  Certain privileges automatically include other privileges. For additional information, see the Enterprise Manager online help.

Defining Roles

Roles are named groups of related privileges that you grant to users and other roles. Creating roles is an easy way to grant a set of privileges to a group of administrators rather than granting the privileges to each administrator, a privilege at a time. So in time if administrator responsibilities change, you need only change the Role definition once and the changes are automatically propagated to the administrators who have these roles.

Enterprise Manager has one predefined role, the PUBLIC role. By default, the PUBLIC role contains no privileges and is granted to every new Enterprise Manager administrator account created. The PUBLIC role is an easy way to grant privileges to all administrators. By granting a privilege to the PUBLIC role, all administrators get that privilege.

Roles can be based on:

Geographic location

For example, you can define a role for UK administrators to manage UK systems or define a role for Canadian administrators to manage Canadian systems.
Line of business

For example, you can define a role for administrators of the human resource systems or define a role for the sales systems.
Any other IT model

Granting of such roles and privileges guarantees security across all functional areas of Enterprise Manager. That is, if an administrator is restricted to only accessing development databases, then throughout the product, only those development databases on which he or she has been granted privileges will be available.

See Also:

"Creating, Editing, and Viewing Roles" in the Enterprise Manager online help

Organizing Targets as Groups

Because of the ever-growing number of systems and services that administrators are responsible for, Enterprise Manager provides a view that includes only those targets you need to monitor. This view is called a group.

Groups are user-defined sets of targets logically combined to be managed as one. You can use groups in Enterprise Manager to monitor and manage different targets collectively, easily perform administrative operations against the targets, and consolidate and monitor your distributed targets as one logical entity.

For example, you can define a group called TEST that contains all hosts and database targets within your test environment. From the group's home page, you can easily see the overall status and availability of all the targets in your test group, instead of having to check the status of each individual member. You can easily perform maintenance operations against the group, for example, run a weekly job that backs up all test scripts. Even if group membership changes, any jobs submitted to the group automatically keep up with group membership.

From a Group's Home page (see Figure 7-1), whether the group is based on a homogenous set of targets or a heterogeneous set of targets (for example, a business's application), you can:

Easily determine the overall availability of all the members in the group and outstanding alerts.
Drill down and analyze the specifics of a particular target.
Select quick links to targets that are down, links to blackout schedules, and so.
Easily determine the status of members of the groups through the rollup of alerts, with quick drill-down into alert details.

Figure 7-1 Home Page for a Group

Description of setup_group_homepage.gif follows

Description of the illustration setup_group_homepage.gif

There are three types of groups:

Group

A Group can include targets of the same type (for example, all your production databases) or include targets of different types (for example, all targets comprising your business's application).

A benefit of the Group target type is the Summary Metric, which is only available for this type of group. You define a Summary Metric to obtain overall performance information for one target type within the Group including: minimum, maximum, and averages of key performance metrics of all group members. These group averages reflect the overall performance of the group. Using these group averages, you can then compare the relative performance of any target within the group against the group average. This helps you to decide where you should apply your tuning efforts.

For example, if you define a group to monitor your database and OC4J targets, you can choose the:
- Database:Session Activity:Active Sessions metric to be monitored for all the databases in the group
- OC4J:Resource Usage:CPU Usage (%) metric to be monitored for all the OC4J targets in the group

Database group

If your group consists only of database targets, then you can choose to create a Database group. The Database Group Home page focuses on information pertinent to databases.

With creating a Database group, multiple instances – for example, all production databases – can be collected into a group and efficiently monitored on a single screen. You can quickly identify those databases that are down, have the most bottle necks, or have the most severe alert status.

Notice the Wait Time graph. This graph is prominent because it indicates the databases in the group that are having the most performance issues as measured by their wait time.

In addition, you get key availability and performance data on all members of the group with hyperlinks for further drill down. Database groups alleviate the need for cumbersome navigation between multiple instances and prevents performance degradation trends from going unnoticed. See Figure 7-2.

Figure 7-2 Home Page for a Database Group

Description of setup_database_group.gif follows

Description of the illustration setup_database_group.gif

Host group (Figure 7-3)

If your group consists only of host targets, then you can choose to create a Host group. The Host Group Home page focuses on information pertinent to hosts.

By creating a Host group, overview information of the state of the hosts that make up the group is available. The overview information includes status and number of hosts, and information about the memory of the hosts in the group. You can also get the configuration information regarding the hardware and operating system. Charts are available, for example, Most Active Hosts by CPU Usage.

See Also:
"Creating Groups" in the Enterprise Manager online help

Figure 7-3 Home Page for a Host Group

Description of setup_host_group.gif follows

Description of the illustration setup_host_group.gif