Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Security Problem

Re: Security Problem

From: Uri Margalit <urimr_at_ibm.net>
Date: 1997/04/14
Message-ID: <335299a4.3174032@news.ibm.net.il>#1/1

On Mon, 14 Apr 1997 01:57:18 +0800, Michael Ho <"infoage_at_hk.super.net, hom"@clsasia.com> wrote:

>Insoo Kang wrote:
>>
>> We have an application that allows you to delete and update records in
>> a table. The problem is that the same user can log in using sqlplus and
>> delete all the records in a table. In order to prevent this, I
>> came up with the following scheme: revoke table access privilege if
>> a user is connecting via sqlplus or any other applications.
>>
>> I can write a trigger that sends a message to a pro*c application that
>> revokes table access privilege, but the problem is that v$session is a
>> view not a table so I can't write a trigger based on v$session view.
>> Does anybody have a suggestion how I can accomplish this whether it be
>> through a trigger or some other means?
>
>In the design stage, you should already consider separating the database
>password from the application password.
>
>If you only enable APP say, the user can still rename SQL*PLUS to APP
>and run it. Have you considered this?

What you can do is use the user_product_profile table to prevent the user from doing some actions in SQLPLUS. See how to configure it in the appendix of the SQLPLUS book.

This solves only half the problem, because the user can download proc from the internet and write a little program to accomplish his criminal action. To solve this you can grant the privilege by role and give a password to the role, where only your application will know the role's password, so even if the user can write the program he needs to know the password of the role.

Uri Margalit
urimr_at_ibm.net

Received on Mon Apr 14 1997 - 00:00:00 CDT
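
The two measures described in the reply above, sketched as an added example that is not part of the original post. The names `app_owner.orders`, `app_user`, `app_dml_role` and the password are hypothetical placeholders; Oracle documents the SQL*Plus restriction table as `PRODUCT_USER_PROFILE`, owned by `SYSTEM`.

```sql
-- Added example; all object names and the password are hypothetical.
-- Run steps 1-3 and 5 as a DBA.

-- 1. Put the DML privileges on a password-protected role.
CREATE ROLE app_dml_role IDENTIFIED BY role_password_placeholder;
GRANT SELECT, UPDATE, DELETE ON app_owner.orders TO app_dml_role;

-- 2. Remove direct grants so the role is the only path to the table
--    (only needed if the privileges were granted to the user directly).
REVOKE UPDATE, DELETE ON app_owner.orders FROM app_user;

-- 3. Grant the role, but keep it out of the user's default roles.
--    A plain login from any client then starts without it.
GRANT app_dml_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_dml_role;

-- 4. What the application issues right after it connects.
--    SET ROLE enables only the roles listed, so list every role
--    the application session needs.
SET ROLE app_dml_role IDENTIFIED BY role_password_placeholder;

-- Check from any session: the role appears only after step 4 has run.
SELECT role FROM session_roles;

-- 5. Additionally disable DELETE for this user inside SQL*Plus.
--    This restricts SQL*Plus only, not other client programs.
INSERT INTO system.product_user_profile
       (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'DELETE', 'DISABLED');
COMMIT;
```

The scheme is only as strong as the secrecy of the role password, so it should not sit in plain text in the client program or its configuration files where the user can read it.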
