Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Security for group of users ???

Re: Security for group of users ???

From: <iolo_at_my-dejanews.com>
Date: Tue, 28 Jul 1998 14:34:34 GMT
Message-ID: <6pknhr$r64$1@nnrp1.dejanews.com>


In article <6pi14s$imc$1_at_schbbs.mot.com>,   "Alan D. Mills" <alanmNOSPAM_at_uk.europe.mcd.mot.com> wrote:
> Not too sure how to disable SQL*Plus for a group - maybe some code in
> login.sql?
>
> Anyway, I would personally question having a number of different people all
> log in to Oracle under the same 'UserGroup' account. You lose your
> tracablity this way. You will have no idea of exactly which person is doing
> what at any moment and the task of diagnosig some problem can get really
> hairy if you can;t find the 'culpret'.
>

Just because one might use a generic Oracle user, such as *general*, *dbm* or *dba* doesn't exclude user activity tracking. You can quite easily implement it from the application - by using their NT login - and passing *that* to triggers in the database (BEFORE DELETE, AFTER DELETE etc.)

> I think that what you should be implementing is user roles and have each of
> the users in question assigned to a 'UserGroup' role which has the
> appropriate privileges defined.
>

I agree, one should implement roles also.

> As for passwords, if you want to change them all at the same time then I'm
> sure you could write some code to dynamically retrieve the list of names
> assigned to the role in the format of your 'change password' command.
>
> My 2p worth...
>
> --
> Alan D. Mills
>
> Wolfgang.Rothmayer_at_bmw.de wrote in message <35bc75f2.14781714_at_news.muc>...
> >Hi there,
> >
> >we are seeking for a security mechanism to hinder the use of sqlplus
> >for a group of users. No user of this group should be able to execute
> >a SQL command if logged in into a database.
> >
> >On the other hand, we have a NT app where this user group gets logged
> >in into this database. Login is done via a group user as the
> >administration effort to handle each user differently is too high.
> >
> >Our aim is to minimize the administrative effort to change the password
> >for the "group user".
> >
> >Any input is greatly appreciated.
> >
> >Wolfgang.
>
>

Now if what you really want to do is allow this *group user* to access the database via your NT app, but prohibit any user who knows the *group user* Oracle login to do the same from sqlplus, there is a very simple way to do this.

In the logon process of your NT app add a string (unknown to any user) to the password they type in. In that way they will be able to connect via your app, but not from sqlplus, as the password is not the one they're really identified with on the Oracle instance.

grant connect to *group user* identified by password + 'secret string'

HTH --
Oliver Willandsen
European Commission
http://europa.eu.int
All remarks are my own and do not necessarily reflect official European Commission policy

Received on Tue Jul 28 1998 - 09:34:34 CDT
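
Added example, not part of the original post: one way to record the NT login passed by the application in trigger-written audit rows while everyone connects as a shared Oracle account. It assumes an Oracle release that provides SYS_CONTEXT and DBMS_SESSION.SET_IDENTIFIER; the table, trigger and login names are hypothetical.

```sql
-- Hypothetical names throughout: ORDERS, ORDERS_AUDIT, ORDERS_AUDIT_TRG.
CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(20)
);

CREATE TABLE orders_audit (
  changed_at DATE DEFAULT SYSDATE NOT NULL,
  action     VARCHAR2(6)  NOT NULL,
  order_id   NUMBER       NOT NULL,
  db_user    VARCHAR2(30) NOT NULL,  -- the shared Oracle account
  app_user   VARCHAR2(64) NOT NULL,  -- NT login supplied by the application
  os_user    VARCHAR2(255),          -- OS account reported by the client
  module     VARCHAR2(64)            -- client program name reported by the client
);

CREATE OR REPLACE TRIGGER orders_audit_trg
AFTER INSERT OR UPDATE OR DELETE ON orders
FOR EACH ROW
DECLARE
  v_action VARCHAR2(6);
BEGIN
  IF INSERTING THEN v_action := 'INSERT';
  ELSIF UPDATING THEN v_action := 'UPDATE';
  ELSE v_action := 'DELETE';
  END IF;
  INSERT INTO orders_audit (action, order_id, db_user, app_user, os_user, module)
  VALUES (
    v_action,
    NVL(:NEW.order_id, :OLD.order_id),  -- :NEW is NULL on DELETE
    USER,
    -- An unset identifier means the session did not come through the app.
    NVL(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'), 'UNSET'),
    SYS_CONTEXT('USERENV', 'OS_USER'),
    SYS_CONTEXT('USERENV', 'MODULE')
  );
END;
/

-- Issued by the application right after it connects as the shared account.
-- 'EXAMPLE\jsmith' is a constructed NT login; the value is client-asserted,
-- not authenticated by the database.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('EXAMPLE\jsmith');
END;
/

-- Review query: changes made under the shared account outside the application.
SELECT changed_at, action, order_id, os_user, module
FROM   orders_audit
WHERE  app_user = 'UNSET'
ORDER  BY changed_at;
```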
