Re: Privileges by session
Date: Fri, 8 Jan 2010 22:56:04 +0100
I tried to follow all mails in this thread, but am not sure if I got all.
At the end, it's a question of control:
*) if the application is running on a dedicated application server, and developers have no access there, you can create a logon trigger which allows access for the application-account only from these nodes. (ok, it's possible to fake IPs etc, but this is a story for your security.mgr)
*) if the application is running on any PC, any developer could compile his own private version of the application and run it without any way to catch it. (in this case, only hard-core auditing can at least document all changes)
So the first question should be: is there anything which is under your (or company) control - and developers cannot modify this? If you find such a fact, try to transfer it into a secure method to identify developers, and avoid any way to circumvent it.
No help this time, but maybe a hint where to start.
> I have convinced management to allow me to grant read-only access to
> the developers. The problem is that they know the application
> passwords and have been using those passwords to circumvent my
> controls. Is there a way via a trigger, role, etc to change
> individual sessions' privileges so they have read only (select)
> permissions? The easiest way would be to change the permissions on
> the applications but that's not an option.
> Thank you,
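
The logon trigger suggested in the reply above, sketched as an added example that is not part of the original mail or the poster's own code. It assumes an Oracle database; the table, procedure, trigger and account names and the 192.0.2.x addresses are constructed for illustration.

```sql
-- Added example. All object names, APP_USER and the addresses are constructed.
-- Run as a schema developers cannot modify and that holds ADMINISTER DATABASE TRIGGER.
CREATE TABLE logon_allowlist (
  username   VARCHAR2(128) NOT NULL,
  ip_address VARCHAR2(45)  NOT NULL,
  CONSTRAINT logon_allowlist_pk PRIMARY KEY (username, ip_address)
);
INSERT INTO logon_allowlist VALUES ('APP_USER', '192.0.2.10');
INSERT INTO logon_allowlist VALUES ('APP_USER', '192.0.2.11');
COMMIT;

CREATE TABLE logon_denied (
  denied_at  TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  username   VARCHAR2(128) NOT NULL,
  ip_address VARCHAR2(45),
  os_user    VARCHAR2(255),
  host       VARCHAR2(255)
);

-- Autonomous transaction so the audit row survives the rejected logon.
CREATE OR REPLACE PROCEDURE log_denied_logon (
  p_user VARCHAR2, p_ip VARCHAR2, p_os_user VARCHAR2, p_host VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO logon_denied (username, ip_address, os_user, host)
  VALUES (p_user, p_ip, p_os_user, p_host);
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER restrict_app_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip      VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_listed  PLS_INTEGER;
  v_allowed PLS_INTEGER;
BEGIN
  -- Only accounts that have rows in the allowlist are restricted.
  SELECT COUNT(*), COUNT(CASE WHEN ip_address = v_ip THEN 1 END)
    INTO v_listed, v_allowed
    FROM logon_allowlist
   WHERE username = v_user;
  -- A NULL IP (local, non-TCP connection) never matches and is rejected.
  IF v_listed > 0 AND v_allowed = 0 THEN
    log_denied_logon(v_user, v_ip, SYS_CONTEXT('USERENV', 'OS_USER'),
                     SYS_CONTEXT('USERENV', 'HOST'));
    RAISE_APPLICATION_ERROR(-20001, 'Logon for ' || v_user || ' is not allowed from this client');
  END IF;
END;
/
```

Accounts that hold ADMINISTER DATABASE TRIGGER are not blocked by an error raised in a logon trigger, so this only constrains ordinary accounts such as the application login. The OS_USER and HOST values are reported by the client and are recorded here for investigation only, not used for the decision.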