Re: ODBC Bypassing Oracle's Security :-(
A copy of this was sent to Brian Graham <grahamb_at_qouest.net> (if that email address didn't require changing)

On Tue, 17 Mar 1998 11:31:07 -0500, you wrote:
>I've set up an Oracle account where I've granted select privileges
>only on the desired tables. I've then set up synonyms to the tables.
>
> When I used ODBC32 and MsAccess '95, I find that I can update the
>owner's tables directly, and via the synonyms I created. Again, the key
>word is UPDATE. I wanted read-only access.
>
> I've already tried adding entries into PRODUCT_USER_PROFILE
>disabling updates and ODBC but that didn't resolve the issue. We are
>using Oracle7 32 bit ODBC driver (production) 2.5.3.1.0B .
>
> Any suggestions? I don't intend to turn an inexperienced user loose
>under these conditions. The intent here is to have LINKS to the tables,
>so the user gets updated information. For now I guess I have to go with
>snapshots of the database..

ODBC cannot bypass Oracle security.

That user must have update privileges as well.

Have you tried logging in via SQL*Plus and seeing if that same user can update the tables?

PRODUCT_USER_PROFILE is a table used by SQL*Plus and will not affect 3rd party applications.

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government
Herndon VA
http://govt.us.oracle.com/ -- downloadable utilities

Anti-Anti Spam Msg: if you want an answer emailed to you, you have to make it easy to get email to you. Any bounced email will be treated the same way I treat SPAM-- I delete it.

Received on Tue Mar 17 1998 - 00:00:00 CST
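
The SQL*Plus check suggested in the reply, written out as an added example that is not part of the original post: it looks for where write access could be coming from (direct grants, PUBLIC, roles, or `ANY` system privileges) and then tries an update. `APP_OWNER`, `SOME_TABLE` and `SOME_COLUMN` are placeholders for the real schema, table and column.

```sql
-- Added example. Run in SQL*Plus while connected as the account that is
-- meant to be read-only. APP_OWNER / SOME_TABLE / SOME_COLUMN are placeholders.

-- 1. Object grants made directly to this account or to PUBLIC
--    that allow data changes on the owner's tables.
SELECT grantee, table_schema, table_name, privilege
FROM   all_tab_privs
WHERE  table_schema = 'APP_OWNER'
AND    privilege IN ('INSERT', 'UPDATE', 'DELETE');

-- 2. The same kind of grant arriving through a role that is enabled
--    in the current session.
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  owner = 'APP_OWNER'
AND    privilege IN ('INSERT', 'UPDATE', 'DELETE')
AND    role IN (SELECT role FROM session_roles);

-- 3. System privileges that allow changes regardless of object grants.
SELECT privilege
FROM   session_privs
WHERE  privilege IN ('INSERT ANY TABLE',
                     'UPDATE ANY TABLE',
                     'DELETE ANY TABLE');

-- 4. Direct test: the privilege check happens before any row is touched,
--    so WHERE 1 = 0 changes nothing. An account holding only SELECT gets
--    ORA-01031 (insufficient privileges); if the statement succeeds, the
--    account can update the table from any client, ODBC included.
UPDATE app_owner.some_table
SET    some_column = some_column
WHERE  1 = 0;

ROLLBACK;
```

Any rows returned by queries 1 to 3 identify the grant or role to revoke; if all three return nothing, the update in step 4 should fail.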