From: John Thomas <0racle@toronto.demon.co.uk>
To: oracle-l@freelists.org
Date: Sun, 16 Oct 2005 21:22:12 +0100
Subject: Re: Different way of maintaining users?

One of the simplest ways of doing this is to change the user's password in the application login, so the password entered is related to, but not the same as, the user's database password. This scheme could be as simple as:

database_password := || 'a';

But would usually involve scrambling or encrypting the password using a known algorithm which is also called by the application's "set password" routine.

If you use a single account, you may have difficulties with auditing. There are ways round this including identifying the proxy user if you are using the appropriate OCI calls to connect.

Cheers, JT

In message , Vanessa A. Simmons writes
>We are considering a change to the way our users access the database
>and our applications. We would like to make sure that users are getting
>to the data through the applications only and not using external tools
>(i.e. SQL*Plus) to access the database directly with the hopes that
>this will help us to further secure our databases.
>In this scenario, we
>would create a high-level user which would be the data source user
>(we're using Cold Fusion for our application front-end) that would be
>able to run any query on behalf of the user "logged in" to the
>application. However, each user would not have his/her own DB account
>that requires role and password maintenance. Instead, the programmers
>would create a user and role table in the database that would hold this
>information (including encrypted passwords) so that the users do not
>have individual access to the database. That would push a lot of the
>user maintenance that I deal with on a daily basis to either our
>programmers or a help desk technician.
>
>My question is whether or not this is a sound plan and if you have any
>concerns about problems we might encounter if we decide to go this
>route? Has anyone else done something similar in their environment?

--
Cheers,
John Thomas
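
Added example, not part of the original message or of any Oracle or application code: one way the "scrambling ... using a known algorithm" step could look, as a keyed derivation shared by the application's login and "set password" routines. The key, the function names, and the 30-character, case-insensitive password limits are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo key. The application would load its own key from protected
# storage: anyone holding it can turn a typed password into the database one.
APP_KEY = b"constructed-demo-key-not-for-production"

# Assumed database limits: at most 30 characters, compared case-insensitively,
# so the output is base32 (A-Z, 2-7) behind a leading letter.
MAX_LEN = 30


def derive_db_password(username: str, entered_password: str,
                       key: bytes = APP_KEY) -> str:
    """Map what the user types to the password the database account holds."""
    # Length-prefix the username so ("ab", "c") and ("a", "bc") cannot collide.
    user = username.upper().encode("utf-8")
    msg = len(user).to_bytes(2, "big") + user + entered_password.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    body = base64.b32encode(digest).decode("ascii").rstrip("=")
    return ("P" + body)[:MAX_LEN]


def set_password_statement(username: str, new_password: str) -> str:
    """Statement the application's "set password" routine would issue."""
    # Identifiers cannot be bound as parameters, so whitelist the username.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_$#]{0,29}", username):
        raise ValueError("unexpected characters in username")
    derived = derive_db_password(username, new_password)
    # derived is a letter followed by [A-Z2-7], so it needs no quoting.
    return f"ALTER USER {username.upper()} IDENTIFIED BY {derived}"
```

The login routine calls `derive_db_password` with the same inputs before connecting, so the password a user knows never matches the one stored for the database account.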