Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: logon trigger cannot prevent DBA account from logging in data ba se

Re: logon trigger cannot prevent DBA account from logging in data ba se

From: Jared Still <jkstill_at_gmail.com>
Date: Tue, 4 Apr 2006 16:34:31 -0800
Message-ID: <bf46380604041734v5746fabfx8987e68f9d91b863@mail.gmail.com>


Create a new role for the user, similar to the DBA role if that is what it requires.

Exclude the ADMINSTER DATABASE TRIGGER privilege from the role, revoke DBA from the user and grant the new role to the user.

Any user with the ADMINSTER DATABASE TRIGGER either directly or indirectly through a role cannot be prevented from logging in through the use of a trigger.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

On 4/4/06, TU Lijie <Lijie.Tu_at_comaupico.com> wrote:
>
> Well, in that case, Oracle should only prevent the logon trigger from
> killing sys/system session, while still allow the killing of other sessions.
>
> Anyway, logon trigger does not seem to get what I want, just wondering if
> there is a workaround to this.
>
> -----Original Message-----
> From: David Sharples [mailto:davidsharples_at_gmail.com<davidsharples_at_gmail.com>]
>
> Sent: Tuesday, April 04, 2006 12:42 PM
> To: Lijie.Tu_at_comaupico.com
> Cc: oracle-l_at_freelists.org
> Subject: Re: logon trigger cannot prevent DBA account from logging in
> databa se
>
>
> you cant stop dba accounts from logging into the database. The reason
> being is that if you wrote a login trigger that didnt work then no-one
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Apr 04 2006 - 19:34:31 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US