Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: oracle authentication from windows

Re: oracle authentication from windows

From: Mladen Gogala <>
Date: Sat, 21 Jun 2003 13:37:29 -0700
Message-ID: <>

OPS$ accounts are, basically, Oracle's attempt to implement single sign-on. OPS$ accounts are not a problem, as long as there is no network involved because your oracle database is as secure as the underlying OS. You can not have more security. When there is a network involved, everthing is OK as long as one can totally control it. In other words, no nodes should be addedd to the network without a knowledge of the DBA. In the era of laptops when anybody can walk in and plug his laptop in a departmental ethernet segment, this cannot be controlled. If you add V internet to the equation, situation becomes even worse.
Single sign-on, on the other hand is not insecure, as long as it is done properly. There are many single-sign on methods (Kerberos, RADIUS are the first ones that come to mind) but they all cost money and are usable only with the advanced security option. Biometrics doesn't yet instill any confidence in me. Fingerprints (the so called Yakuza method) are not so easy distinguish among as one would think.

On 2003.06.21 12:04, Arup Nanda wrote:
Hi Pete,

I think you misunderstood. OPS$ accounts are weaker than the regular accounts; but I maintain that they are not so insecure that they should be outright banned. My position is they can be created if needed, but the privileges should be granted judiciously, something that has to be done even in regular accounts. OPS$ accounts with DBA privs - a big NO NO. About the project you mentioned where the user admins are not really DBAs but regular users who create or manage users via Forms - why not create a procedure under user sys to manage all that and give execute privs to the users, instead of giving them sweeping privs like DBA? That way your OPS$ accounts are limited to the operations performed by this procedure, but not anything else.
HTH. Arup

Received on Sat Jun 21 2003 - 15:37:29 CDT

Original text of this message