
Re: Security Question-Reposted

From: Rick Wessman <rwessman_at_us.oracle.com>
Date: 30 Nov 1999 11:43:20 -0500
Message-ID: <uso1oq6af.fsf@us.oracle.com>


In addition, you can create the user with a password that is unknown to the user. That way, the user can only connect through the application.

As to the documentation about the feature, I agree that it is definitely incomplete. It slipped by me in 8.1.5. We have documented it much more thoroughly in 8.1.6.

For the moment, Tom Kyte's web site has a white paper that describes how to use the feature.

                                          Rick

"Jonathan Lewis" <jonathan_at_jlcomp.demon.co.uk> writes:

> There is an option in OCI in 8.1, although
> the documentation is far from complete.
>
> You can:
> alter user {user id} grant connect through {proxy id} with role {list of roles}
>
> This means that your OCI application can connect
> to the database using a hard-coded user id / password
> (the proxy id) which has no privileges other than a basic
> CREATE SESSION, but be allowed though to act as
> another ID without supplying that ID's password.
>
> In this way, you can change the real password as
> often as you like. The system can only be subverted
> by someone who - finds the proxy id and password
> from the executable, and then writes their own OCI
> program.
>
>
> --
>
> Jonathan Lewis
> Yet another Oracle-related web site: http://www.jlcomp.demon.co.uk
>
> Keith Boulton wrote in message
> <38397417.5418001_at_read.news.globalnet.co.uk>...
> >On Sun, 21 Nov 1999 16:00:00 +0530, Anurag Minocha
> ><anurag_at_synergy-infotech.com> wrote:
> >
> >>> The application always connects to the same user/schema eg: r2 . I want
> >>> that users should not be able to connect to r2 schema in any way other
> >>> than our application even though they know the password. i.e I want to
> >>> prevent access from sql*plus, crystal reports, etc etc.
> >
> >You cannot. What is sometimes done to reduce the risk of problems is
> >to grant access to a non-default database role with a password so that
> >the role is enabled by your application e.g.:
>
>
>

--

                                        Rick Wessman
                                        Security and Directory Technologies
                                        Server Technologies
                                        Oracle Corporation
                                        rwessman_at_us.oracle.com

       The statements and opinions expressed here are my own and do not
             necessarily represent those of  Oracle Corporation.
Received on Tue Nov 30 1999 - 10:43:20 CST
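
The proxy arrangement discussed in this thread, written out as an added example that is not part of the original messages. It assumes current Oracle SQL syntax run as a DBA (not checked against 8.1), and the names app_proxy, app_user1, r2_app_role and r2.orders and all passwords are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: app_proxy, app_user1, r2_app_role, r2.orders.
-- Passwords are placeholders, not real values.

-- 1. Proxy account whose credentials live in the application.
--    It gets CREATE SESSION and nothing else.
CREATE USER app_proxy IDENTIFIED BY "<proxy-password-placeholder>";
GRANT CREATE SESSION TO app_proxy;

-- 2. Role holding only the object privileges the application needs.
CREATE ROLE r2_app_role;
GRANT SELECT, INSERT, UPDATE ON r2.orders TO r2_app_role;

-- 3. End-user account created with a password the user is never told,
--    so a direct SQL*Plus or reporting-tool login is not possible.
CREATE USER app_user1 IDENTIFIED BY "<random-value-held-by-dba>";
GRANT CREATE SESSION TO app_user1;
GRANT r2_app_role TO app_user1;

-- 4. Let the proxy act as that user, activating only the listed role.
--    Privileges granted directly to app_user1 (not via a role) still apply,
--    so keep direct grants to a minimum.
ALTER USER app_user1 GRANT CONNECT THROUGH app_proxy WITH ROLE r2_app_role;

-- 5. Review which proxies may act for which clients.
SELECT proxy, client, authentication, flags
  FROM proxy_users
 ORDER BY proxy, client;

-- 6. Inside a session, record who is acting and through which proxy
--    (via_proxy is NULL for a direct login).
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS acting_as,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS via_proxy
  FROM dual;

-- 7. If the proxy credentials are recovered from the executable,
--    withdraw the proxy right and rotate the proxy password.
ALTER USER app_user1 REVOKE CONNECT THROUGH app_proxy;
ALTER USER app_proxy IDENTIFIED BY "<new-proxy-password-placeholder>";
```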
