RE: Privileges by session

From: Blanchard, William <wblanchard_at_societyinsurance.com>
Date: Thu, 7 Jan 2010 15:22:01 -0600
Message-ID: <CB340D772D072D47A5DE07533432A7E50E2E79E5_at_exch1.soc.int>



I would rather that they aren't in production at all but that's a losing battle here. I'm content just being allowed to lock them down to read-only.    

WGB


From: Jackie Brock [mailto:J.Brock_at_cablelabs.com]
Sent: Thursday, January 07, 2010 3:10 PM
To: Blanchard, William
Cc: oracle-l_at_freelists.org
Subject: RE: Privileges by session

I just read your other post. Since you're talking about an application that also does DDL, I would look at using schema level triggers - raise an application error if the program being used isn't the application.  

Honestly, though, if the purpose is troubleshooting the application, there shouldn't be any reason why you couldn't log them out immediately if they're not logging in via the application - and I'm a developer (most of the time)!  

-Jackie  

Jackie D. Brock
Database Specialist - Systems Evaluation
CableLabs(r)
858 Coal Creek Circle
Louisville, CO 80027
Email: j.brock_at_cablelabs.com
303-661-3347
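Putting the three suggestions in this thread together (a logon trigger that looks at session information, a read-only role decided per session, and a schema-level DDL trigger that raises an application error when the program is not the application), here is an added example; it is not code from either poster. Every name in it is a constructed assumption: APP_OWNER is the schema that owns the tables and whose password the developers know, APP_USER is the account the application connects as, ORDERS stands for the application's tables, 10.0.0.5 and the program name APPSERVER identify the application server, and jdoe and asmith are the developers' OS accounts. The read/write role is enabled from an invoker's-rights package rather than from the logon trigger, because Oracle rejects SET ROLE inside definer's-rights code such as triggers (ORA-06565); that is the documented secure application role pattern, not something the thread describes.

```sql
-- Added example, not from the thread. Run as a DBA; APP_OWNER first needs
--   GRANT SELECT ON sys.v_$session TO app_owner;
-- All account, table, address and program names below are constructed assumptions.

---------------------------------------------------------------------------
-- 1. One test of the session, reused by everything below.
--    IP address, program and OS user are supplied by the client, so this tells
--    "the application" apart from an ad-hoc tool; it is not authentication.
--    NVL() keeps the result TRUE/FALSE (never NULL) so that callers fail closed:
--    a local bequeath connection has a NULL IP_ADDRESS and must not slip through.
---------------------------------------------------------------------------
CREATE OR REPLACE FUNCTION app_owner.session_is_application RETURN BOOLEAN
AS
  l_program v$session.program%TYPE;
BEGIN
  SELECT program INTO l_program
    FROM v$session
   WHERE sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));

  RETURN NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), 'local') = '10.0.0.5'   -- assumed app server
     AND UPPER(NVL(l_program, '?')) LIKE 'APPSERVER%';                      -- assumed program name
END session_is_application;
/
GRANT EXECUTE ON app_owner.session_is_application TO app_user;

---------------------------------------------------------------------------
-- 2. Read-only by default; read/write only through a secure application role.
--    The application calls app_sec.enable_readwrite right after connecting.
--    Anyone else connecting as APP_USER keeps only APP_READONLY.
---------------------------------------------------------------------------
CREATE ROLE app_readonly;
GRANT SELECT ON app_owner.orders TO app_readonly;                          -- one grant per table
CREATE ROLE app_readwrite IDENTIFIED USING app_owner.app_sec;              -- secure application role
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_readwrite;
GRANT app_readonly, app_readwrite TO app_user;
ALTER USER app_user DEFAULT ROLE app_readonly;

CREATE OR REPLACE PACKAGE app_owner.app_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_readwrite;
END app_sec;
/
CREATE OR REPLACE PACKAGE BODY app_owner.app_sec AS
  PROCEDURE enable_readwrite IS
  BEGIN
    -- Re-check the session here: knowing the password is not enough to get the role.
    IF app_owner.session_is_application THEN
      DBMS_SESSION.SET_ROLE('app_readwrite');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'APP_READWRITE can only be enabled by the application');
    END IF;
  END enable_readwrite;
END app_sec;
/
GRANT EXECUTE ON app_owner.app_sec TO app_user;

---------------------------------------------------------------------------
-- 3. Logon trigger: a session on the application account that is not the
--    application is allowed only for named developer OS accounts (they hold
--    just APP_READONLY); everyone else is disconnected by the error.
--    Users holding ADMINISTER DATABASE TRIGGER (DBAs) are not affected.
---------------------------------------------------------------------------
CREATE OR REPLACE TRIGGER app_logon_guard
  AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_USER'
     AND NOT app_owner.session_is_application
     AND NVL(LOWER(SYS_CONTEXT('USERENV', 'OS_USER')), '?')
         NOT IN ('jdoe', 'asmith')                                         -- assumed developers
  THEN
    RAISE_APPLICATION_ERROR(-20002,
      'APP_USER may only connect from the application or as a named developer');
  END IF;
END app_logon_guard;
/

---------------------------------------------------------------------------
-- 4. Schema-level DDL trigger on the owning schema: even a session that knows
--    APP_OWNER's password cannot change objects from outside the application.
--    DROP/ALTER TRIGGER is itself DDL, so the trigger also protects itself
--    from being disabled by that account.
---------------------------------------------------------------------------
CREATE OR REPLACE TRIGGER app_owner.block_ddl_outside_app
  BEFORE DDL ON app_owner.SCHEMA
BEGIN
  IF NOT app_owner.session_is_application THEN
    RAISE_APPLICATION_ERROR(-20003,
      ORA_SYSEVENT || ' ' || ORA_DICT_OBJ_TYPE || ' ' || ORA_DICT_OBJ_NAME
      || ' refused: DDL on APP_OWNER is allowed only from the application');
  END IF;
END block_ddl_outside_app;
/
```

With this in place a developer who connects with SQL*Plus and the APP_USER password gets a session only from a listed OS account, holds APP_READONLY, and receives ORA-20001 if they call the package to get the read/write role; a developer using the APP_OWNER password can still read, but DDL from outside the application fails with ORA-20003. The checks rest on IP address, program name and OS user that the client reports, so they stop the casual circumvention the original question describes rather than a determined one, and they do nothing for DBAs, who bypass the logon trigger. Logging the refused attempts (for example into an audit table from the ELSE branches, or with standard auditing of LOGON failures) is the natural next step, since each one is a developer using a password they should not have.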


	From: Blanchard, William [mailto:wblanchard_at_societyinsurance.com]

	Sent: Thursday, January 07, 2010 1:45 PM
	To: Jackie Brock
	Cc: oracle-l_at_freelists.org
	Subject: RE: Privileges by session
	
	
	Do you have an example of changing the role for a session?
	 
	 
	WGB
	 


	From: Jackie Brock [mailto:J.Brock_at_cablelabs.com] 
	Sent: Thursday, January 07, 2010 2:43 PM
	To: Blanchard, William
	Cc: oracle-l_at_freelists.org
	Subject: RE: Privileges by session
	
	
	You could assign a read-only role based on the session info. :-)

	-Jackie

	Jackie D. Brock
	Database Specialist - Systems Evaluation
	CableLabs(r)
	858 Coal Creek Circle
	Louisville, CO 80027
	Email: j.brock_at_cablelabs.com
	303-661-3347
	 



		From: Blanchard, William [mailto:wblanchard_at_societyinsurance.com]

		Sent: Thursday, January 07, 2010 1:42 PM
		To: Jackie Brock
		Cc: oracle-l_at_freelists.org
		Subject: RE: Privileges by session
		
		
		I thought about just restricting to IP address and restricting logons via a trigger, but I need to allow the developers read access for troubleshooting production issues.

		WGB


		From: Jackie Brock [mailto:J.Brock_at_cablelabs.com] 
		Sent: Thursday, January 07, 2010 2:29 PM
		To: Blanchard, William
		Subject: RE: Privileges by session
		
		
		I've set up login triggers to prevent logins based on the OS username before - it worked very well, but it does assume that they aren't using a central account. I'm not sure you want to allow someone to log in to an application from a central account, anyway? You could also restrict based on IP - any of the information that's stored in the session variables. Heck - you could even restrict it based on the program being used - I've done that as well. :-)

		HTH!

		-Jackie

		Jackie D. Brock
		Database Specialist - Systems Evaluation
		CableLabs(r)
		858 Coal Creek Circle
		Louisville, CO 80027
		Email: j.brock_at_cablelabs.com
		303-661-3347
		 



			From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Blanchard, William
			Sent: Thursday, January 07, 2010 1:22 PM
			To: oracle-l_at_freelists.org
			Subject: Privileges by session
			
			

			Greetings, 

			I have convinced management to allow me to grant read-only access to the developers. The problem is that they know the application passwords and have been using those passwords to circumvent my controls. Is there a way via a trigger, role, etc. to change individual sessions' privileges so they have read-only (select) permissions? The easiest way would be to change the permissions on the application, but that's not an option.

			Thank you,

			WGB

			--
			This email and any information, files, or materials transmitted with it are confidential and are solely for the use of the intended recipient. If you have received this email in error, please delete it and notify the sender.

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jan 07 2010 - 15:22:01 CST