Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Role/Priv Implementation Problem

From: <Solomon.Yakobson_at_entex.com>
Date: 1997/05/02
Message-ID: <862592925.26429@dejanews.com>#1/1

Bob,
try the following:

  1. Split application roles into two sets: read-only privilege roles and full privilege roles.
  2. Grant both read-only privilege roles and full privilege roles to corresponding users.
  3. Make ONLY read-only privilege roles their default roles (ALTER USER DEFAULT ROLE...).
  4. Make changes to your applications to issue SET ROLE statements to enable all full privilege application roles right after logging in to Oracle. It will allow users (if they are granted full privilege application roles) to perform all steps allowed by the application. At the same time, users logged in to Oracle via any other tool (e.g. MS Query) will only have read-only privilege roles enabled and therefore would not be able to make any database changes.

Solomon.Yakobson_at_entex.com

In article <5kbcmh$ci7_at_queeg.apci.net>,
  rengland_at_apci.net (Bob) wrote:
>
> Our end users have Oracle database access via in-house applications and
> through Microsoft Query. We are looking at the best way to implement
> security: using Oracle roles/privs vs creating user tables that specify
> access privs.
>
> The problem we are having with the Oracle roles/privs is that even when the
> users are not in the application, they still have the roles available in
> Query. We don't want them to have anything but read-only when outside the
> application.
>
> Any suggestions that might allow us to remain with Oracle roles and limit
> access outside the apps or is this perhaps not a desired way to go?
>
> Any suggestions would be greatly appreciated!

Received on Fri May 02 1997 - 00:00:00 CDT
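
The four steps from the reply above, written out as Oracle SQL. This is an added example, not part of the original post. The role, user, table and password names are hypothetical, and the password on the full-privilege role is an assumption the post does not make.

```sql
-- Added example; every name below is hypothetical.
-- Run steps 1-3 as a DBA or the schema owner.

-- 1. Two role sets: read-only and full privilege.
CREATE ROLE app_read;
-- Assumption added here, not in the post: the full role is password-protected,
-- so enabling it requires a secret that only the application holds.
CREATE ROLE app_full IDENTIFIED BY "REPLACE_WITH_APP_SECRET";

GRANT SELECT ON app_owner.orders TO app_read;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO app_full;

-- 2. Grant both roles to the user.
GRANT CREATE SESSION TO app_user1;
GRANT app_read, app_full TO app_user1;

-- 3. Only the read-only role is enabled at login.
ALTER USER app_user1 DEFAULT ROLE app_read;

-- Check the result: DEFAULT_ROLE should be YES for APP_READ, NO for APP_FULL.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER1';

-- 4. Issued by the application right after it connects as app_user1.
-- SET ROLE replaces the set of enabled roles, so list the read-only role too.
SET ROLE app_read, app_full IDENTIFIED BY "REPLACE_WITH_APP_SECRET";

-- Roles enabled in the current session. From the application: both roles.
-- From a fresh login through any other tool: APP_READ only.
SELECT role FROM session_roles;
```

Object privileges granted directly to the user or to PUBLIC stay active whichever roles are enabled, so write privileges on application tables should reach users only through the full-privilege role.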
