
Proxy user connection

A proxy connection allows you to connect to a database as one user account and operate with the access and privileges of a different account.
It is typically used to share one database account that has the required privileges with other database users without sharing its password. For example, you can allow help desk support personnel to connect to the database using a "helpdesk" account that has the correct roles and privileges without sharing the password for this account with them.
There are two terms you need to know when setting up the proxy connection: proxy user and client user.

...

  1. create user proxyuser_test identified by proxypassword to create a database user account
  2. grant create session to proxyuser_test to grant the permission to create a session
  3. alter user daticaltest grant connect through proxyuser_test to enable the client user, which is the daticaltest account, to connect to the database using the proxy account.
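
The three steps above as one script, followed by the checks a DBA would run to confirm and audit the grant. This is an added example, not part of the original page; it assumes a DBA session in SQL*Plus, an existing daticaltest account, and the placeholder password from step 1 (the role name in the comment is hypothetical).

```sql
-- Steps 1-3 from the list above, run as a DBA.
CREATE USER proxyuser_test IDENTIFIED BY proxypassword;
GRANT CREATE SESSION TO proxyuser_test;
ALTER USER daticaltest GRANT CONNECT THROUGH proxyuser_test;

-- Optional least-privilege variant: limit which of the client's roles are
-- active in a proxied session (helpdesk_role is a hypothetical role name).
-- ALTER USER daticaltest GRANT CONNECT THROUGH proxyuser_test WITH ROLE helpdesk_role;

-- Audit: list every account that may proxy as daticaltest.
SELECT proxy, client, authentication, flags
  FROM proxy_users
 WHERE client = 'DATICALTEST';

-- Open a proxied session (SQL*Plus command): authenticate as the proxy user,
-- name the client user in square brackets.
CONNECT proxyuser_test[daticaltest]/proxypassword

-- Verify who the session is running as and who authenticated.
-- Expected: SESSION_USER = DATICALTEST, PROXY_USER = PROXYUSER_TEST.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user
  FROM dual;

-- Remove the proxy path when it is no longer needed (run as a DBA).
ALTER USER daticaltest REVOKE CONNECT THROUGH proxyuser_test;
```

Because a proxied session carries the client user's privileges, reviewing the PROXY_USERS view periodically shows which accounts can act as which others.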

...

Code Block
SQLNET.KERBEROS5_CC_NAME=/tmp/kerbcache
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF=/tmp/kerberos/krb5.conf
TRACE_LEVEL_CLIENT=16
SQLNET.KERBEROS5_CONF_MIT = TRUE
NAMES.DIRECTORY_PATH=(TNSNAMES)

NOTE: On Windows, use the following services in sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)

3. Example krb5.conf file

Code Block
[libdefaults]
default_realm = TEST.DATICAL.NET
default_ccache_name = /tmp/kerbcache
[realms]
TEST.DATICAL.NET = {
kdc = test.datical.net
admin_server = test.datical.net
}
[domain_realm]
.test.datical.net = TEST.DATICAL.NET
test.datical.net = TEST.DATICAL.NET

...

Code Block
kinit <ADusername>@TEST.DATICAL.NET
example: kinit jnew@TEST.DATICAL.NET

NOTE: For dblinks, you will need a forwardable ticket, so use kinit -f instead.


5. Set up a proxy connection with Kerberos

...