
Re: Creation of profile using PASSWORD_VERIFY_FUNCTION ??? (Was "Security for a group of users ???")

From: <iolo_at_my-dejanews.com>
Date: Fri, 31 Jul 1998 17:06:07 GMT
Message-ID: <6psthv$srg$1@nnrp1.dejanews.com>


In article <35c1d4b7.366722649_at_news.muc>,   Wolfgang.Rothmayer_at_bmw.de wrote:
> Hi there,
>
> in my efforts to find a security mechanism a newsgroup member
> suggested to use the table PRODUCT_USER_PROFILE.
> The key point is, that up to now this seems only to work for ORACLE
> products (i.e. SQL*PLUS).
> But we need some application level of security where some apps shall
> be granted to a user or a role but the most of other apps will be
> locked for all users.
> This is especially needed for database access through ODBC connections
> (MS-ACCESS).
>
> I know that interesting data can be found in the table v$session in
> the fields OSUSER, TERMINAL, PROGRAM and MACHINE.
> With these fields an identification of an ODBC connection with
> MS-ACCESS can be done.
>
> Another feature which can be used for security is the command CREATE
> PROFILE where a function (scripts) can be specified which is executed
> at logon of any user. This function can be specified with
> PASSWORD_VERIFY_FUNCTION.
>
> Now my questions:
>
> Did anyone of you ever try this feature ?
>
> Did you experience any problems with it ?
>
> Could you kindly point me to samples where this feature is or has been
> used successfully ?
>
> Did anyone of you use the table PRODUCT_USER_PROFILE for other than
> ORACLE applications ?
> If so, are there any problems ?
>
> What is the life cycle of the table v$session ?
>
> Will I be able to use information of this table in a logon
> verification script ?
>
> Many, many thanks in advance for any input.
> Wolfgang.
>
>

H(a/e)llo Wolfgang,

German - You may have overlooked my first reply, so I am taking the liberty of repeating it here once more, as I believe it serves its purpose.

English - You've probably missed my first post on this so I'm reckless enough to re-post it here.


Now if what you really want to do is allow this *group user* to access the database via your NT app, but prohibit any user who knows the *group user* Oracle login to do the same from sqlplus, there is a very simple way to do this.

In the logon process of your NT app add a string (unknown to any user) to the password they type in. In that way they will be able to connect via your app, but not from sqlplus, as the password is not the one they're really identified with on the Oracle instance.

grant connect to *group user* identified by password + 'secret string'

HTH --
Oliver Willandsen
European Commission
http://europa.eu.int
All remarks are my own and do not necessarily reflect official European Commission policy

Received on Fri Jul 31 1998 - 12:06:07 CDT
