
RE: Restrict certain database access using 3rd party tools.

From: Mercadante, Thomas F <NDATFM_at_labor.state.ny.us>
Date: Thu, 03 Oct 2002 09:48:43 -0800
Message-ID: <F001.004DF95F.20021003094843@fatcity.com>


Rick,

Can you change the forms application?
If so, then a really simple way of doing this is to grant insert, update and delete access to the tables to an Oracle role.

When the form starts, enable that role to grant access to the tables. By default, the role would not be enabled for the user.

You could even extend this idea by having a password required on the role, and getting that password inside the form. That way, a sqlplus user could not enable the role.

The other ideas restricting access by program name do not work because you do not have control of the PC desktop.

Another thing I've seen done is to establish "shadow accounts". This idea involves a person having an OPS account with read-only access to the db tables. The user also has another Oracle account that has total access to all tables, but the user doesn't even know this account exists. Again, the forms application is run, connecting via the OPS account. The first thing the form does is to query a lookup table, finding the OPS account and the shadow account/password, and re-connect to the database using this account.

This is the best idea I have found for protecting the database.

Hope these help.

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
Sent: Thursday, October 03, 2002 10:33 AM
To: Multiple recipients of list ORACLE-L

Hi All,

We have users that have OPS$ accounts that have full DML privs when they run forms application via Citrix. Currently they do not have sqlplus, etc. There is a requirement that some can have sqlplus, toad, etc. I know you can set up security for sqlplus, etc. using product_user_profile, but is there a way to allow only SELECT when using a 3rd party tool such as TOAD?

Thanks
Rick

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author:
  INET: Rick_Cale_at_teamhealth.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Received on Thu Oct 03 2002 - 12:48:43 CDT
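The password-protected, non-default role suggested in the reply above, written out as an added Oracle SQL example that is not part of the original thread. The role name `forms_dml_role`, the table `app_owner.orders`, the account `ops$rick` and the password `placeholder_pw` are all hypothetical.

```sql
-- Added example: every object name and the password are hypothetical.

-- 1. The role that carries the DML privileges requires a password to enable.
CREATE ROLE forms_dml_role IDENTIFIED BY placeholder_pw;

-- 2. DML is granted only to the role; the user gets SELECT directly,
--    so SQL*Plus or TOAD sessions can read but not change data.
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO forms_dml_role;
GRANT SELECT ON app_owner.orders TO ops$rick;

-- 3. Grant the role, then take it out of the user's default roles so it
--    is NOT enabled at logon.
GRANT forms_dml_role TO ops$rick;
ALTER USER ops$rick DEFAULT ROLE ALL EXCEPT forms_dml_role;

-- 4. Run by the forms application right after it connects. SET_ROLE
--    replaces the session's enabled roles, so list any other roles the
--    session still needs, separated by commas.
BEGIN
  DBMS_SESSION.SET_ROLE('forms_dml_role IDENTIFIED BY placeholder_pw');
END;
/

-- 5. Checks, run as ops$rick.
-- From a plain SQL*Plus/TOAD session, forms_dml_role must not be listed:
SELECT role FROM session_roles;
-- The role must show DEFAULT_ROLE = 'NO':
SELECT granted_role, default_role FROM user_role_privs;
```

The control is only as strong as the secrecy of the role password, which has to be stored where the form can read it. Any direct DML grant to the user or to PUBLIC on the same tables bypasses the role, so review object grants after setting this up.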
