Re: OS authenticated vs. Known passwords

In article <1425.697T1601T12623996_at_rheingau.netsurf.de>, lothar.armbruester_at_rheingau.netsurf.de (Lothar Armbrüster) wrote:

> On 27-Jan-99 15:47:45 Tommy Wareing wrote:
>
> >We're getting two new machines. One's going to be a database server,
> >one's going to be the user server.
>
> >So users will telnet to one box, and run character mode forms 4.5,
> >connected via SQL*NET to the server.
> >We also have some users using SQL*NET directly from their PCs to
> >connect to Oracle accounts with select only access.
>
> >We do not want the users to have access to Oracle accounts that can
> >modify the database with out them being forced to use our forms.
>
> >How do we arrange this? It gets hard to even describe the problem...
>
> Hello Tommy,
> try using roles for this:
>
> We have a role called db_user that allows access to the database. This
> role has a password and it isn't the default role for our users.
> The users themselves just have minimal privileges to connect to the
> database (i.e. create session).
> When they connect via SQL*Plus, they are connected but cannot do much
> harm.
> Only if they use our application they have access to the data. The
> application issues a set role command when it starts.
> This way the users can have thier own Oracle password. They just must
> not
> know the password for the role.
> Even our developers do not need t because they have db_users as thier
> default role.
>
> Hope that helps,
> Lothar
>
> --
> Lothar Armbrüster | lothar.armbruester_at_rheingau.netsurf.de
> Schulstr. 12 | lothar.armbruester_at_t-online.de
> D-65375 Oestrich-Winkel |
>

Lothar .... We are planning on doing the same but we want to avoid hard-coding the password into the applications but don't want to leave any unencrypted password hanging around in the NT registry or ini files. Have you managed to do this? .... Dave Lane

Dave Lane (dlane_at_pt.lu) Received on Wed Feb 03 1999 - 16:03:24 CST