
Re: Application userid security

From: Dusan Bolek <pagesflames_at_usa.net>
Date: 12 Apr 2002 00:19:23 -0700
Message-ID: <1e8276d6.0204112319.25790f9f@posting.google.com>


spamdump_at_nospam.noway.nohow (Ed Stevens) wrote in message news:<3cb58811.242329681_at_ausnews.austin.ibm.com>...
> This sounds intriguing. I don't think an internal firewall is in the cards,
> but setting that aside for the moment, let me explain some problems and see
> where that takes us.
>
> First, the legitimate production users are not a small group of selected clerks,
> but virtually any of a few thousand users. This will diminish as the half-dozen
> or so apps that are currently written as client-server are converted to browser
> based. Of course, with the browser based apps, the client machine (from
> Oracle's perspective) is the web server. (We maintain test and production
> versions of that as well).

If you use a browser-based application, then your problem will be solved. That's a middleware tier (as Mr. Vladimir pointed out). Your database will be accessible only from the web server and no one can get into your DBs by SQL*Plus or something like this.

> Second, the developers do occasionally have legitimate need to get into the
> production DB outside of the app -- to fix data in resolving production
> problems. Using a firewall to lock them out based on machine id or IP address
> would prevent this. Our current strategy in these situations is to have them
> request a "special" userid which we create and give to them, and then drop when
> their fix is done.

No problem at all. Your web-based application should use a secret password, some kind of hash for example, and your developers will use their private accounts. Do not forget to turn on auditing of access by these accounts.

--
_________________________________________

Dusan Bolek, Ing.
Oracle team leader

Note: pagesflames_at_usa.net has been cancelled due to changes (maybe we
can call it an overture to bankruptcy) on that server. I'm still using
this email to prevent SPAM. Maybe one day I will change it and have a
proper mail even for news, but right now I can be reached by this
email.
Received on Fri Apr 12 2002 - 02:19:23 CDT
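
The workflow discussed in this thread (a temporary personal account for a production data fix, audited while it exists, then dropped), sketched as an added example that is not part of the original post. The account name fix_jsmith, the table app.orders and the password are hypothetical placeholders; the example assumes Oracle traditional auditing with the AUDIT_TRAIL initialization parameter set to DB.

```sql
-- Added example: names and password are hypothetical placeholders.
-- Assumes AUDIT_TRAIL=DB, so audit records are written to the database
-- audit trail and are visible through DBA_AUDIT_TRAIL.

-- 1. Create the short-lived personal account, limited to what the fix needs.
--    PASSWORD EXPIRE forces the developer to choose a new password at first login.
CREATE USER fix_jsmith IDENTIFIED BY "Placeholder_Pw_1" PASSWORD EXPIRE;
GRANT CREATE SESSION TO fix_jsmith;
GRANT SELECT, UPDATE ON app.orders TO fix_jsmith;

-- 2. Turn on auditing for this account before handing it over:
--    logons/logoffs, plus one record per table read or change.
AUDIT SESSION BY fix_jsmith;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
  BY fix_jsmith BY ACCESS;

-- 3. Review what the account did, including failed attempts
--    (RETURNCODE <> 0) and the client host it connected from.
SELECT timestamp, os_username, userhost, action_name,
       owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'FIX_JSMITH'
 ORDER BY timestamp;

-- 4. When the fix is done, remove the audit options and the account.
--    Records already written remain in the audit trail.
NOAUDIT SESSION BY fix_jsmith;
NOAUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
  BY fix_jsmith;
DROP USER fix_jsmith CASCADE;
```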
