
Re: .NET, connection pooling and security .

From: Steve Perry <sperry_at_sprynet.com>
Date: Sun, 30 Nov 2003 19:04:25 -0800
Message-ID: <F001.005D83FB.20031130190425@fatcity.com>


Hi Jared,
The users don't have to authenticate in the application because they've been set up in Active Directory.
It may be similar to SAP, except we don't have the SAP developers in-house making production changes without telling anyone. That's why I want to lock it down. In the past the developers had full access to dev/qa/prod. I've removed full access to qa and prod. qa is the "clean room" before prod and prod is for application sql/dml only - not tweaking. They're looking for other alternative accesses. I've turned on auditing and have sent out emails to their mana-jerks when I see that they've accessed production with one of these user ids, but they don't see any problems and say it's all "water under the bridge".

I trust one or two of the developers to do some of the stuff (in dev first). They know the data better than I do, but not all developers are created equal... I've seen some delete and update statements sent to me to run that are missing the where clauses... those people do stuff without telling me and then make a big stink about Oracle mysteriously losing data. I don't have the time to keep playing detective.

I guess I should feel glad that this is the standard :)

thanks.

> Steve,
>
> I'm not a web developer either, but I do know that this
> is a very common method of handling the database connections.
>
> Many 2 tier apps work this way as well. SAP for example.
>
> Unless you have influence on the architecture and can
> present a convincing argument, you best learn how to
> work with it.
>
> You don't give any details about the app either.
>
> Are users required to authenticate? If not, what would
> be the point of requiring db accounts for them?
>
> The number of users is important as well.
>
> Imagine a web app that services 250k users. Do you
> really want that many users in the data dictionary?
> Would you want the DDL overhead of creating/administering
> that many users?
>
> I'm considering some extremes, because there were no
> details provided.
>
> HTH
>
> Jared
>
>
> On Sat, 2003-11-29 at 19:49, Steve Perry wrote:
> > I hope somebody on the list can help me out with this.
> >
> > All of our 3-tier apps are architected with a schema owner (owns all objects
> > used by an application) and application user (no create privs, but it does
> > have full dml privs to the schema owner objects).
> > On the web side, connection pooling is set up with 10 connections logged in
> > (all as the application user).
> > When users connect, the application reads some active directory keys that
> > tell if the user is a reader, dml user or admin user (all privs).
> >
> > I don't feel the application should be managing security and I'd like to
> > take that responsibility away.
> > The 10 identical connections logged into the database bothers me too.
> >
> > I'd like to make it work similar to our 2-tier apps where we use roles,
> > assign them to a user and they connect individually. We don't have OID set up
> > and I imagine that would solve this. Short of that, is there any other way
> > to work around having the 10 identical connections logging in and having the
> > application maintaining security? Is there another way of assigning the
> > security?
> >
> > I don't have any web development experience and I thought I'd check here
> > first to see how others deal with this. I hope somebody else has worked
> > this out at their shop.
> >
> > I'm not sure if the answers will change, but it's an all M$ shop, except for
> > Oracle.
> >
> > Any help would be appreciated.
> > Steve
> >
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.net
> > --
> > Author: Steve Perry
> > INET: sperry_at_sprynet.com
> >
> > Fat City Network Services -- 858-538-5051 http://www.fatcity.com
> > San Diego, California -- Mailing list and web hosting services
> > ---------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> >

Received on Sun Nov 30 2003 - 21:04:25 CST
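
Added example, not part of the original message: one way to do the audit check the message describes, flagging logons made with the shared pooled account from anywhere other than the web tier. The account name APP_USER, the host names WEB01/WEB02 and the AUDIT_TRAIL=DB setting are assumptions, not details from the thread.

```sql
-- Assumptions (not from the thread): the pooled account is APP_USER, the web
-- servers are WEB01 and WEB02, and AUDIT_TRAIL=DB is set so that audit
-- records are written to the database.

-- Record every connect and disconnect made with the shared application account.
AUDIT SESSION BY app_user;

-- Successful logons as the application account in the last 7 days that did
-- not come from the web servers. The pool only ever connects from the web
-- tier, so each row here is a person reusing the pool's credentials.
-- USERHOST may carry a domain prefix on Windows clients; adjust the filter
-- to the values actually recorded at your site.
SELECT os_username,
       userhost,
       terminal,
       COUNT(*)       AS logons,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  username    = 'APP_USER'
AND    action_name = 'LOGON'
AND    returncode  = 0
AND    timestamp   > SYSDATE - 7
AND    UPPER(userhost) NOT IN ('WEB01', 'WEB02')
GROUP  BY os_username, userhost, terminal
ORDER  BY last_seen DESC;

-- Live view of the same question: who is connected as the application
-- account right now, and from which machine and client program. With a
-- fixed pool of 10 connections, anything beyond the pool's sessions from
-- the web servers stands out.
SELECT machine,
       osuser,
       program,
       COUNT(*)        AS sessions,
       MIN(logon_time) AS oldest_logon
FROM   v$session
WHERE  username = 'APP_USER'
GROUP  BY machine, osuser, program
ORDER  BY sessions DESC;
```

The OS_USERNAME column is what ties a shared-account logon back to an individual, so it is the value to quote when reporting the access.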
