Re: keeping odbc-users out?

Mark Wagoner wrote:

> Since you can't tell an ODBC user from a SQL*Net user on the server
> side, about the only option I have found is to restrict access to
> certain tables through roles.

that's what i didn't want to hear ... i was hoping that i missed something there ;-)

> Of course, this change would require you to go through your client
> apps and have it issue the SET ROLE statement when it starts up. This
> should not be a big change but could take some time, depending on the
> size of your application. We use the SET ROLE within the app as
> another safeguard. If the SET ROLE statement returns an error, the
> user has not been granted the role and, therefore, is not authorized
> to use the application. This is how we restrict what user can do what
> functions.

that's definitly better than my "identified externally"-approach, because it won't break our java-client.

of course, it's security through obfustication, but i think it might be just obfusticated enough for our customers ;-)

thx,
juergen Received on Wed Sep 30 1998 - 02:28:22 CDT