Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Different way of maintaining users?

From: stephen booth <stephenbooth.uk_at_gmail.com>
Date: Sat, 15 Oct 2005 22:59:38 +0100
Message-ID: <687bf9c40510151459g4d74bf30y@mail.gmail.com>


On 14/10/05, Vanessa A. Simmons <vsimmons_at_hes.hmc.psu.edu> wrote:

>

> We are considering a change to the way our users access the database and our
> applications. We would like to make sure that users are getting to the data
> through the applications only and not using external tools (i.e. SQL*Plus)
> to access the database directly with the hopes that this will help us to
> further secure our databases.

One of the companies I used to work for wanted to do something similar in a Forms app (Forms 4.x IIRC). The way they did it was to not grant the table access to the user but instead to a password-protected role. The role was granted to the user but not enabled; when the app connected to the database it would enable the role and provide the password (which was hard-coded in the application). I guess that you could store the password in an encrypted form in the database or an external file so the application reads it in and decrypts it to use to enable the role.

You'd have to have two users, one to own the schema that only the administrators know the password for (apply the same levels of security as you do for the system/sys accounts) and one that the application uses to access the data.

SQL*Plus isn't your only (or probably even main) problem; there's a certain level of barrier to entry to use it (you have to know SQL). Applications like Access and Excel connecting over ODBC tend to be a bigger problem; there's a lower barrier to entry.

Stephen

--
It's better to ask a silly question than to make a silly assumption.
--
http://www.freelists.org/webpage/oracle-l
Received on Sat Oct 15 2005 - 17:01:48 CDT
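
The password-protected role setup described in the message above, written out as Oracle SQL. This is an added example, not part of the original post; the names `app_owner`, `app_user`, `app_data_role` and `orders` and all passwords are hypothetical placeholders, and the table `app_owner.orders` is assumed to exist already.

```sql
-- Added example: all object names and passwords are hypothetical placeholders.
-- Run steps 1-3 as a DBA. app_owner is the schema owner whose password only
-- the administrators know; app_owner.orders is assumed to exist.

-- 1. Put the table privileges on a password-protected role, not on the user.
CREATE ROLE app_data_role IDENTIFIED BY "role_password_placeholder";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_data_role;

-- 2. The account the application logs in with: it may connect and it holds
--    the role, but the role is excluded from its default roles, so a new
--    session starts with the role disabled.
CREATE USER app_user IDENTIFIED BY "user_password_placeholder";
GRANT CREATE SESSION TO app_user;
GRANT app_data_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_data_role;

-- 3. Audit check: list role grants that are enabled at login for this
--    account. The protected role should show DEFAULT_ROLE = 'NO'.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';

-- 4. In any session connected as app_user (SQL*Plus, ODBC, or the
--    application before it enables the role), show which roles are active.
SELECT role FROM session_roles;

-- 5. What the application issues right after connecting: enable the role
--    by supplying its password. Only after this statement does the session
--    carry the privileges granted in step 1.
SET ROLE app_data_role IDENTIFIED BY "role_password_placeholder";

-- 6. Re-run the step 4 query to confirm the role is now active in this
--    session only; other sessions of app_user are unaffected.
SELECT role FROM session_roles;
```

The role password is the only thing separating an ad hoc client logged in as `app_user` from the table privileges, so it needs the same handling as any other credential the application embeds or reads.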
