RE: ODCB security
You're only worried about ODBC? What about OCI or OO4O? Is it OK if they
connect like that? I think you'll find why putting Security and Business
logic in the database is so often the recommendation of ... well, people
on this list. A valid account should only be allowed to perform valid
actions independent of the tool used to format the request to the
database.
I guess you could separate your accounts. Give the users a different username and password for the application, which in turn logs them into the database with the username the database is expecting. That way they have no way to log in to the database at all, and yet they will still have their own user on the database side (I assume this is client-server that needs individual accounts and not n-tier that would just connect to the db in a pool with a service account).
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Steiner, Randy
Sent: Tuesday, June 12, 2007 12:33 PM
To: oracle-l_at_freelists.org
Subject: ODCB security
Our app connects to the 10gr2 db via oledb. My manager wants to ensure that users, with valid accounts, cannot connect to the db via odbc with stuff like Access or Excel. I know I can put a logon trigger to look for the name of the app and refuse connection. But is there a better way? I am afraid the logon trigger is too easy to beat.
Thanks
Randy
-- http://www.freelists.org/webpage/oracle-l
Received on Wed Jun 13 2007 - 13:25:09 CDT
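As an added illustration (not code from the thread or its participants), the Oracle SQL below puts the logon-trigger check from the question beside the privilege design the reply argues for. The schema app_owner (assumed to exist), the table orders, the package order_api and the role app_user_role are hypothetical names.

```sql
-- Added example. app_owner, orders, order_api and app_user_role are hypothetical.

-- 1) The logon-trigger check from the question. V$SESSION.PROGRAM is reported
--    by the client, so treat this as a speed bump, not an access control.
--    The trigger owner needs a direct SELECT grant on SYS.V_$SESSION.
CREATE OR REPLACE TRIGGER block_office_clients
AFTER LOGON ON DATABASE
DECLARE
  v_program v$session.program%TYPE;
BEGIN
  SELECT program INTO v_program
    FROM v$session
   WHERE audsid = SYS_CONTEXT('USERENV', 'SESSIONID')
     AND ROWNUM = 1;
  IF UPPER(v_program) LIKE '%MSACCESS%' OR UPPER(v_program) LIKE '%EXCEL%' THEN
    RAISE_APPLICATION_ERROR(-20001, 'Client program not permitted');
  END IF;
EXCEPTION
  WHEN NO_DATA_FOUND THEN NULL;  -- no matching session row: nothing to check
END;
/

-- 2) The reply's approach: the account gets no table privileges, only EXECUTE
--    on an API that enforces the rules, whichever client tool connects.
CREATE TABLE app_owner.orders (
  order_id   NUMBER       PRIMARY KEY,
  quantity   NUMBER       NOT NULL,
  created_by VARCHAR2(30) NOT NULL
);
CREATE OR REPLACE PACKAGE app_owner.order_api AS
  PROCEDURE set_quantity(p_order_id IN NUMBER, p_qty IN NUMBER);
END order_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.order_api AS
  PROCEDURE set_quantity(p_order_id IN NUMBER, p_qty IN NUMBER) IS
  BEGIN
    IF p_qty IS NULL OR p_qty <= 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'Quantity must be positive');
    END IF;
    UPDATE app_owner.orders SET quantity = p_qty
     WHERE order_id = p_order_id
       AND created_by = SYS_CONTEXT('USERENV', 'SESSION_USER');
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20003, 'No such order for this user');
    END IF;
  END set_quantity;
END order_api;
/
CREATE ROLE app_user_role;
GRANT EXECUTE ON app_owner.order_api TO app_user_role;
```

The trigger does not stop accounts holding ADMINISTER DATABASE TRIGGER. With step 2 in place, an Access or Excel session over ODBC can do nothing the application itself could not.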