Re: Security Question-Reposted
In addition, you can create the user with a password that is unknown to the
user. That way, the user can only connect through the application.
As to the documentation about the feature, I agree that it is definitely incomplete. It slipped by me in 8.1.5. We have documented it much more thoroughly in 8.1.6.
For the moment, Tom Kyte's web site has a white paper that describes how to use the feature.
Rick
"Jonathan Lewis" <jonathan_at_jlcomp.demon.co.uk> writes:
> There is an option in OCI in 8.1, although
> the documentation is far from complete.
>
> You can:
> alter user {user id} grant connect through {proxy id} with role {list of roles}
>
> This means that your OCI application can connect
> to the database using a hard-coded user id / password
> (the proxy id) which has no privileges other than a basic
> CREATE SESSION, but be allowed though to act as
> another ID without supplying that ID's password.
>
> In this way, you can change the real password as
> often as you like. The system can only be subverted
> by someone who - finds the proxy id and password
> from the executable, and then writes their own OCI
> program.
>
>
> --
>
> Jonathan Lewis
> Yet another Oracle-related web site: http://www.jlcomp.demon.co.uk
>
> Keith Boulton wrote in message
> <38397417.5418001_at_read.news.globalnet.co.uk>...
> >On Sun, 21 Nov 1999 16:00:00 +0530, Anurag Minocha
> ><anurag_at_synergy-infotech.com> wrote:
> >
> >>> The application always connects to the same user/schema eg: r2 . I want
> >>> that users should not be able to connect to r2 schema in any way other
> >>> than our application even though they know the password. i.e I want to
> >>> prevent access from sql*plus, crystal reports, etc etc.
> >
> >You cannot. What is sometimes done to reduce the risk of problems is
> >to grant access to a non-default database role with a password so that
> >the role is enabled by your application e.g.:
>
>
>
--
Rick Wessman
Security and Directory Technologies
Server Technologies
Oracle Corporation
rwessman_at_us.oracle.com
The statements and opinions expressed here are my own and do not necessarily represent those of Oracle Corporation.

Received on Tue Nov 30 1999 - 10:43:20 CST
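The proxy arrangement described in this thread, sketched as an added example that is not part of the original posts. The names app_proxy and r2_app_role and the bracketed passwords are assumptions chosen for illustration; r2 is the application account from the original question.

```sql
-- Added example. app_proxy and r2_app_role are hypothetical names;
-- <...> values are placeholders to be replaced.

-- 1. Proxy account: its credentials are embedded in the application,
--    so it holds nothing beyond CREATE SESSION.
CREATE USER app_proxy IDENTIFIED BY "<proxy_password>";
GRANT CREATE SESSION TO app_proxy;

-- 2. Role that carries what the application needs when acting as r2.
--    (Object and system grants to the role are site-specific and omitted.)
CREATE ROLE r2_app_role;
GRANT r2_app_role TO r2;

-- 3. Give r2 a password that no end user knows, so direct logins
--    from SQL*Plus or reporting tools fail.
ALTER USER r2 IDENTIFIED BY "<long_random_value_not_disclosed>";

-- 4. Allow the proxy to act as r2, with only the listed role enabled.
ALTER USER r2 GRANT CONNECT THROUGH app_proxy WITH ROLE r2_app_role;

-- Review: which proxies may connect as which clients.
SELECT proxy, client
  FROM proxy_users
 ORDER BY proxy, client;

-- Review: the proxy account should show CREATE SESSION and nothing else.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_PROXY';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_PROXY';

-- To withdraw the arrangement:
-- ALTER USER r2 REVOKE CONNECT THROUGH app_proxy;
```

As noted in the thread, anyone who extracts the proxy credentials from the executable can still write their own OCI client, so the review queries above are worth running periodically to confirm the proxy can reach only the intended accounts and roles.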