Authenticating Oracle User based on Windows User Id [message #498888] Fri, 11 March 2011 14:19
infinitenumbers
Hi Guys,

We are trying to implement the following security to our database.

As of now, the access rights are the same for all the Windows users logging into the Oracle application with the same Oracle user Id.


But now, we want to improve our security by granting different levels of rights to the users based on their Network Id even though they use the same Oracle User Id to log into the application.

We are not looking for the users to be identified externally.
(CREATE USER "OPS$ORACLE-BASE.COM\TIM_HALL" IDENTIFIED EXTERNALLY;
GRANT CONNECT TO "OPS$ORACLE-BASE.COM\TIM_HALL";)


Please suggest what should be followed to implement this kind of security.


Thank you very much for your time.


[Updated on: Fri, 11 March 2011 14:24]

Re: Authenticating Oracle User based on Windows User Id [message #498891 is a reply to message #498888] Fri, 11 March 2011 14:27
BlackSwan
Do as below so we can know the complete Oracle version & OS name.

Post via COPY & PASTE complete results of
SELECT * from v$version;


Is the application 3-tier as below?
user<=>browser<=>WebServer<=>ApplicationServer<=>DatabaseServer

It would be helpful if you followed Posting Guidelines - http://www.orafaq.com/forum/t/88153/0/

Re: Authenticating Oracle User based on Windows User Id [message #498894 is a reply to message #498888] Fri, 11 March 2011 15:00
Michel Cadot
1/ NEVER ever use remote OS identification otherwise anyone can connect to your database.

2/ If you want to have different privileges depending on parameters (IP, time or any other) then use Secure Application Roles; these are roles that can only be activated by calling a package (associated with the roles). So once the user is connected (you just give him the CREATE SESSION privilege), he calls a procedure and this procedure activates the role(s) depending on the user and associated parameters.

3/ Never use Oracle predefined roles (like CONNECT), they are for Oracle ONLY.

Regards
Michel

[Updated on: Fri, 11 March 2011 15:00]
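
The Secure Application Role approach described in the reply above, sketched as an added example that is not part of the original posts. The schema `sec_admin`, the shared account `app_user`, the mapping table, the package and the role names are all hypothetical, and the sample rows are constructed.

```sql
-- Added example; sec_admin, app_user, os_user_access, app_role_pkg and the
-- two role names are hypothetical.
GRANT CREATE SESSION TO app_user;          -- the shared login gets nothing else

-- Secure application roles: enabled only from inside the named package.
CREATE ROLE app_read_role  IDENTIFIED USING sec_admin.app_role_pkg;
CREATE ROLE app_write_role IDENTIFIED USING sec_admin.app_role_pkg;
GRANT app_read_role, app_write_role TO app_user;
ALTER USER app_user DEFAULT ROLE NONE;     -- nothing is active at logon

-- Mapping kept by the security administrator (rows below are constructed).
CREATE TABLE sec_admin.os_user_access (
  os_user      VARCHAR2(128) PRIMARY KEY,
  access_level VARCHAR2(5) NOT NULL CHECK (access_level IN ('READ', 'WRITE'))
);
INSERT INTO sec_admin.os_user_access VALUES ('EXAMPLE\ALICE', 'WRITE');
INSERT INTO sec_admin.os_user_access VALUES ('EXAMPLE\BOB',   'READ');
COMMIT;

-- The package must be invoker's rights (AUTHID CURRENT_USER) to set roles.
CREATE OR REPLACE PACKAGE sec_admin.app_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_roles;
END app_role_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.app_role_pkg AS
  PROCEDURE enable_roles IS
    v_level sec_admin.os_user_access.access_level%TYPE;
  BEGIN
    SELECT access_level INTO v_level
      FROM sec_admin.os_user_access
     WHERE os_user = UPPER(SYS_CONTEXT('USERENV', 'OS_USER'));
    IF v_level = 'WRITE' THEN
      DBMS_SESSION.SET_ROLE('app_read_role, app_write_role');
    ELSE
      DBMS_SESSION.SET_ROLE('app_read_role');
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;   -- unknown OS user: session keeps CREATE SESSION only
  END enable_roles;
END app_role_pkg;
/
-- Invoker's rights means the SELECT above runs with app_user's privileges.
GRANT SELECT  ON sec_admin.os_user_access TO app_user;
GRANT EXECUTE ON sec_admin.app_role_pkg   TO app_user;
```

The application calls `sec_admin.app_role_pkg.enable_roles` once after connecting. `OS_USER` is the name reported by the client process, so in a 3-tier deployment it identifies the application server's account rather than the end user.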

Re: Authenticating Oracle User based on Windows User Id [message #498969 is a reply to message #498888] Sat, 12 March 2011 05:43
Michael Hartley

Hi

I'm going to answer your question with a warning.

The use of OPS$ accounts is strongly inadvisable because you are weakening the security of your system. Additionally, the use of shared database accounts is inadvisable.

The use of OPS$ accounts was an administrative convenience widely in practice up to about 10 years ago and was often used to prevent the need to publish unencrypted passwords for batch processing tasks. The use of shared database accounts is often due to a lack of schema design and poor attention to user security.

These days, OPS$ accounts are the first and most basic mechanism for attaching a database and are always removed during the initial stages of security hardening.

Please read the Oracle security hardening document referenced here.

However, if you really do intend to continue with your strategy, then to get Windows OS authentication you should read the Tim Hall article in more detail, because the answer to your original question is one paragraph below the example you provided above. If you have lost the article reference, it is here.

The part of the article you are looking for discusses SQLNET.AUTHENTICATION_SERVICES in a Windows environment.

Kind regards

Michael Hartley

[Updated on: Sat, 12 March 2011 09:50] by Moderator