
Re: Restricting user access to a database?

From: andrewst <member14183_at_dbforums.com>
Date: Tue, 15 Jul 2003 12:05:18 +0000
Message-ID: <3111795.1058270718@dbforums.com>

Originally posted by Tim Kearsley
> Hi all,
>
> We have a situation here where a number of users access an Oracle
> 8.1.7.2 database running on AIX 4.3.3 on RS6000 hardware. The clients
> use PCs running an Oracle Forms application on Windows 2000.
>
> Suddenly, out of the blue, management has got worried about users
> making "unauthorised" access to the database by running SQLPlus and
> issuing their own queries (or updates, inserts etc.). I've therefore
> been asked as to how users' access can be restricted to just using the
> application.
>
> I have responded initially by making the point that if the client PCs
> have suitable ODBC drivers installed (and I believe they do) then
> access could be by a whole range of applications - Microsoft's Word,
> Excel and Access are obvious candidates.
>
> So, the question:
>
> Do you see any way of restricting the users to only accessing the
> database through the "authorised" application? I don't believe
> de-installing ODBC and SQLPlus on every client is an option and I
> don't see how anything can be done at the server end. After all, a
> SQLNet connection is all the database sees and I presume it doesn't
> "know" whether that connection originates from a Forms application or
> SQLPlus or anything else?
>
> Any thoughts very welcome.
>
> Regards,
>
> Tim Kearsley
> Database Manager
> Milton Keynes Council

See "Secure Application Roles" here for a solution:

http://technet.oracle.com/docs/products/oracle9i/doc_library/release2/appdev.920/a96590/adgsec01.htm#1005014

Ideally, all the security and business rules should be built into the database itself, so that users CAN log in to SQL Plus and view/amend data without compromising security or integrity. Then the client application's job is merely to make access more user-friendly, and it is easy to replace e.g. Forms with ASP or whatever at a future time. However, it's probably too late for that approach in your situation.

--
Posted via http://dbforums.com
Received on Tue Jul 15 2003 - 07:05:18 CDT
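
A sketch of the "Secure Application Roles" approach the reply points to, added here as an illustration and not part of the original post or of Oracle's documentation. It assumes a release that supports `CREATE ROLE ... IDENTIFIED USING` (the linked documentation is for Oracle9i); the names `sec_admin`, `forms_app_role`, `app_owner.orders`, `allowed_clients`, `app_user1` and the allowlisted address are hypothetical, and the IP check stands in for whatever condition the site can verify on the server.

```sql
-- Added illustration: every schema, role, table, user and address is hypothetical.
-- Run as a DBA.

-- Allowlist consulted by the enabling procedure (constructed sample row).
CREATE TABLE sec_admin.allowed_clients (
  ip_address VARCHAR2(45) PRIMARY KEY
);
INSERT INTO sec_admin.allowed_clients VALUES ('192.0.2.10');
COMMIT;

-- The role can be enabled only from inside the named procedure;
-- a plain SET ROLE issued from SQL*Plus or an ODBC client fails.
CREATE ROLE forms_app_role IDENTIFIED USING sec_admin.enable_forms_role;

-- Object privileges go to the role only, never directly to end users,
-- so a session that has not enabled the role cannot touch the table.
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO forms_app_role;

-- The procedure must use invoker's rights (AUTHID CURRENT_USER):
-- roles cannot be enabled from a definer's rights procedure.
CREATE OR REPLACE PROCEDURE sec_admin.enable_forms_role
  AUTHID CURRENT_USER
AS
  v_hits PLS_INTEGER;
BEGIN
  -- Server-side check: is this session's network address allowlisted?
  -- IP_ADDRESS is NULL for local (non-network) connections, so those never match.
  SELECT COUNT(*)
    INTO v_hits
    FROM sec_admin.allowed_clients
   WHERE ip_address = SYS_CONTEXT('USERENV', 'IP_ADDRESS');

  IF v_hits > 0 THEN
    -- Equivalent to SET ROLE: roles not named here are disabled for the session.
    DBMS_SESSION.SET_ROLE('forms_app_role');
  END IF;
END;
/

-- Invoker's rights means the caller needs to read the allowlist and run the procedure.
GRANT SELECT  ON sec_admin.allowed_clients   TO app_user1;
GRANT EXECUTE ON sec_admin.enable_forms_role TO app_user1;

-- The application calls this once after connecting:
--   BEGIN sec_admin.enable_forms_role; END;
```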
