Home » RDBMS Server » Security » my I know your opinion about application user ?
icon5.gif  my I know your opinion about application user ? [message #383364] Wed, 28 January 2009 09:03 Go to next message
khosravi
Messages: 68
Registered: April 2006
Member
Hello to all

Some application programmers and designers for their system security deal such as this :
they create a table in database for recording user name an password of users and their application always connect to database by a fixed database user (this the user that created in database ordinary with high privilege and it's username and password in time of connecting provide by application no by operator)

When operators want use application , the application show operator a Login form and get the username and password then application connect to the database by that fixed database user and search the username and password in that table if exists then allow operator use application

But I always say that this manner cause security weakness and eliminate many performance and security controls of database , you can create Roles and users in database and pay them necessary privileges and applications while connecting database get from operators their database username and passwords for connection and dont use fixed user

In your idea useing fixed user (application user) in big and important systems such as bank systems , military systems and ...
is rational ? is it acceptable ? am i right?

please say to me your opinion by reason

thanks so much
Re: my I know your opinion about application user ? [message #383375 is a reply to message #383364] Wed, 28 January 2009 10:12 Go to previous messageGo to next message
Michel Cadot
Messages: 64121
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Use proxy user and secure application roles.

Regards
Michel
Re: my I know your opinion about application user ? [message #383377 is a reply to message #383375] Wed, 28 January 2009 10:33 Go to previous messageGo to next message
Fayyaz
Messages: 7
Registered: April 2005
Junior Member
I think using application username is good instead of a separate database user for each application user. Because, you can have only access to application and not to database. If you have any database tool, you can't login to database and harm it. you can only login to application and based on your application role, you can do some sort of work.

You can secure more as sugegsted by Michel
Re: my I know your opinion about application user ? [message #383508 is a reply to message #383377] Thu, 29 January 2009 00:50 Go to previous messageGo to next message
khosravi
Messages: 68
Registered: April 2006
Member
Fayyaz , it may that every person that use an application
don't has same privileges and assign one database user for application and setting it in source code can increase risk
if someone find it then can damage database
and you wore that
"If you have any database tool, you can't login to database and harm it"


I say that if we define for every user or role it's privileges carefully in database what differ that user use an ordinary application or database tool ?
Re: my I know your opinion about application user ? [message #383511 is a reply to message #383508] Thu, 29 January 2009 00:54 Go to previous message
Michel Cadot
Messages: 64121
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Michel Cadot wrote on Wed, 28 January 2009 17:12
Use proxy user and secure application roles.

Regards
Michel


Study my answer and you will know how to secure your application and database accounts.
Previous Topic: Alert in Enterprise manager regarding SYS login locally
Next Topic: Shutdown database only
Goto Forum:
  


Current Time: Wed Dec 07 02:55:42 CST 2016

Total time taken to generate the page: 0.07466 seconds