Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
RE: Oracle security within VB Apps
Hi,
We use Oracle roles to implement security.
A user is granted connect privilege, a role with just select privileges and
one with update privileges. Only the select role is granted default. The
update role comes with a password.
On logging into the database, the program calls an Oracle stored procedure.
This procedure selects the username and an encrypted password from a table
with user-info. The stored procedure decodes the password and tries to grant
the update-role to the user.
The user never sees a decoded password (even when he tries to view ODBC
tracing).
The developers only see the called procedure, but not the contents.
The DBA only sees the encrypted passwords.
Only the security department and the DBA can see the encryption algorithm.
You can use any encryption technique you want.
When users try to login outside of the application, they only have select
privileges. (You can suppress this too).
For more information, see the manuals on roles.
Paul
-----Original Message-----
From: Tracy Rahmlow [mailto:Tracy.Rahmlow_at_aexp.com]
Sent: 03 October 2000 00:10
To: Multiple recipients of list ORACLE-L
Subject: Oracle security within VB Apps
Hi,
We currently have several vb apps that connect to oracle through a called
routine. This routine has the password hardcoded to allow the connection. Our
front-line users do not have access to the password to our production region,
but obviously our vb developers can figure it out. How do you handle this
situation? I find it hard to believe that there is not a way to encrypt the
password so that the developer can not view it. If there is a 3rd party tool,
how do you handle preventing a developer from from the application in a shell
vb app to display the password? I appreciate any info that is provided. Note:
I am a dba and have never developed a vb app, therefore there may be an obvious
answer that I am unaware of.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Tracy Rahmlow
INET: Tracy.Rahmlow_at_aexp.com
Received on Tue Oct 03 2000 - 02:40:25 CDT
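
The role arrangement described in the reply above, sketched as an added example that is not part of the original thread or anyone's production code. All schema, role, table, user and procedure names are hypothetical, the role password is a placeholder, and the decode step mentioned in the post is omitted (the table simply holds the value passed to SET ROLE).

```sql
-- Added example. Hypothetical names: app_owner.orders, app_sec, app_user1.
-- Assumes those schemas, the table and the user exist; run as a DBA.
CREATE ROLE app_select;
CREATE ROLE app_update IDENTIFIED BY "PLACEHOLDER_ROLE_PW";  -- placeholder
GRANT SELECT ON app_owner.orders TO app_select;
GRANT UPDATE ON app_owner.orders TO app_update;

GRANT CREATE SESSION TO app_user1;
GRANT app_select, app_update TO app_user1;
-- Only the select role is on at login; app_update needs SET ROLE + password.
ALTER USER app_user1 DEFAULT ROLE app_select;

-- Role password store: no grants on it to users or developers.
-- The post keeps it encrypted and decodes it in the procedure; that
-- site-specific step is omitted, so this holds the value given to SET ROLE.
CREATE TABLE app_sec.role_secret (
  role_name VARCHAR2(30)  PRIMARY KEY,
  role_pw   VARCHAR2(128) NOT NULL
);
INSERT INTO app_sec.role_secret VALUES ('APP_UPDATE', 'PLACEHOLDER_ROLE_PW');
COMMIT;

-- Definer's rights (the default): runs as app_sec and can read role_secret.
-- EXECUTE on it is granted to nobody.
CREATE OR REPLACE FUNCTION app_sec.get_role_pw (p_role IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_pw app_sec.role_secret.role_pw%TYPE;
BEGIN
  SELECT role_pw INTO v_pw
    FROM app_sec.role_secret
   WHERE role_name = UPPER(p_role);
  RETURN v_pw;
END;
/

-- Entry point the application calls after login. SET ROLE is refused inside
-- a definer's-rights unit, so this one is AUTHID CURRENT_USER. The static call
-- to get_role_pw is checked against the owner's privileges at compile time.
CREATE OR REPLACE PROCEDURE app_sec.enable_update_role
  AUTHID CURRENT_USER
AS
BEGIN
  -- SET ROLE replaces the enabled set, so app_select is listed again.
  DBMS_SESSION.SET_ROLE('app_select, app_update IDENTIFIED BY "'
                        || app_sec.get_role_pw('app_update') || '"');
END;
/
GRANT EXECUTE ON app_sec.enable_update_role TO app_user1;
```

Anyone holding EXECUTE on the entry-point procedure can call it from any client, so any further checks on who may enable the update role belong inside that procedure. Querying `session_roles` as the user before and after the call shows which roles are enabled.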