
RE: disabling a role via a logon trigger

From: DENNIS WILLIAMS <DWILLIAMS_at_LIFETOUCH.COM>
Date: Tue, 2 Nov 2004 13:12:49 -0600
Message-ID: <6BA0194B4809D9118361000F1F6C951001AC1F09@exchmn4.lifetouch.com>


Jeffrey - I'm going to suggest something simpler. It may not work in your environment. An end user should not have the password the application is using. I have many third party applications here. Normally there is an application administrator. I will share the password with that person with the understanding that they will not share it with anyone else. If an end user needs to use SQLPlus or another application, then I create them a separate login. Consider just changing the application password and not giving the password to anyone else.

Dennis Williams
DBA
Lifetouch, Inc.

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Jeffrey Beckstrom
Sent: Tuesday, November 02, 2004 6:10 AM
To: oracle-l_at_freelists.org; ORACLE-L_at_IC.SUNYSB.EDU; oracledba_at_LazyDBA.com; stant_98_at_yahoo.com; oracle-rdbms_at_yahoogroups.com
Subject: Re: disabling a role via a logon trigger

That would mean having to set up a policy on every table in the system.

>>> Alex <stant_98_at_yahoo.com> 11/1/04 10:26:15 PM >>>
I hope this can help you solve this. Take a look at Metalink note# 67977.1. It talks about Fine Grain Access Control (FGAC). The note also gives some examples on how to set it up, which isn't very complex.

HTH

Jeffrey Beckstrom <JBECKSTROM_at_gcrta.org> wrote:

We are running a third party application for which the users are granted a role. The role allows the users to update the application tables. The problem is that I do not want a user being able to do an update outside of the application. I thought I came up with a solution to this by disabling the role if the terminal running the application is not one of the servers we expect, i.e. if the connection was via sqlplus from a user's PC, the terminal id would not match and I would disable the role. If the user was granted other roles to view the tables, those would remain, just the update role would be disabled.

However, I now find that a database "on logon" trigger can not disable a role. The procedure that I was calling from the trigger to do the disable had authid current user but the problem is the trigger.

Is there any way to disable a role from a trigger, or is there some other way I can disable the role? We do not want users being able to update tables outside of the application.

Jeffrey Beckstrom
Database Administrator
Greater Cleveland Regional Transit Authority
1240 W. 6th Street
Cleveland, Ohio 44113

--
http://www.freelists.org/webpage/oracle-l 

            
Received on Tue Nov 02 2004 - 13:12:53 CST
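
The FGAC approach Alex mentions, together with Jeffrey's point that it needs a policy on every table, shown as an added example that is not part of any message in this thread: one policy function attached in a loop to every table of the application schema. The schema names APP_OWNER and SEC_ADMIN, the policy name and the host names APPSRV01 and APPSRV02 are assumptions.

```sql
-- Added example; APP_OWNER, SEC_ADMIN, APP_HOST_ONLY and the host names
-- are hypothetical and stand in for the site's own values.

-- Policy function: FGAC calls it for each protected statement and appends
-- the returned predicate to that statement's WHERE clause.
CREATE OR REPLACE FUNCTION sec_admin.app_host_only (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
IS
    v_host VARCHAR2(256) := UPPER(SYS_CONTEXT('USERENV', 'HOST'));
BEGIN
    -- HOST is reported by the client, so this is a guard against ad hoc
    -- updates from desktop tools, not a form of authentication.
    IF v_host IN ('APPSRV01', 'APPSRV02') THEN
        RETURN NULL;      -- no extra predicate: DML behaves as before
    END IF;
    RETURN '1=0';         -- no row qualifies, so nothing can be changed
END app_host_only;
/

-- Attach the same function to every table the application schema owns,
-- so the per-table setup is one loop rather than one statement per table.
BEGIN
    FOR t IN (SELECT table_name
                FROM dba_tables
               WHERE owner = 'APP_OWNER') LOOP
        DBMS_RLS.ADD_POLICY(
            object_schema   => 'APP_OWNER',
            object_name     => t.table_name,
            policy_name     => 'APP_HOST_ONLY',
            function_schema => 'SEC_ADMIN',
            policy_function => 'APP_HOST_ONLY',
            statement_types => 'INSERT,UPDATE,DELETE',
            update_check    => TRUE);   -- also reject INSERTs failing 1=0
    END LOOP;
END;
/
```

SELECT is left out of `statement_types`, so the read-only roles Jeffrey describes keep working from any host. Accounts holding the EXEMPT ACCESS POLICY privilege bypass the policy.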
