
Re: Restricting user access to a database?

From: Jim Kennedy <kennedy-down_with_spammers_at_no_spam.comcast.net>
Date: Tue, 15 Jul 2003 15:18:43 GMT
Message-ID: <nXUQa.69700$ye4.47543@sccrnsc01>


"Tim Kearsley" <tim.kearsley_at_milton-keynes.gov.uk> wrote in message news:725736ef.0307150247.72d6f12e_at_posting.google.com...
> Hi all,
>
> We have a situation here where a number of users access an Oracle
> 8.1.7.2 database running on AIX 4.3.3 on RS6000 hardware. The clients
> use PCs running an Oracle Forms application on Windows 2000.
>
> Suddenly, out of the blue, management has got worried about users
> making "unauthorised" access to the database by running SQLPlus and
> issuing their own queries (or updates, inserts etc.). I've therefore
> been asked as to how users' access can be restricted to just using the
> application.
>
> I have responded initially by making the point that if the client PCs
> have suitable ODBC drivers installed (and I believe they do) then
> access could be by a whole range of applications - Microsoft's Word,
> Excel and Access are obvious candidates.
>
> So, the question:
>
> Do you see any way of restricting the users to only accessing the
> database through the "authorised" application? I don't believe
> de-installing ODBC and SQLPlus on every client is an option and I
> don't see how anything can be done at the server end. After all, a
> SQLNet connection is all the database sees and I presume it doesn't
> "know" whether that connection originates from a Forms application or
> SQLPlus or anything else?
>
> Any thoughts very welcome.
>
> Regards,
>
> Tim Kearsley
> Database Manager
> Milton Keynes Council

Tim,
Others have suggested using the program name in the v$session table. That is not a bad idea. One flaw is that a smart user will just rename the sqlplus program and voila! But then again they might not know about that. One thing you can do is turn logon auditing on. It captures all that information. Then I would send out a notice saying something like:

Management has expressed a concern that users of xxx application might attempt to use other tools to access the database. To address that concern I am currently logging all connections to the database. This means that if a user uses an unauthorized application to log on to the database it will be recorded in a log table. These logs will be reviewed daily and if an unauthorized application accesses the database that employee's manager will be informed for management to take appropriate disciplinary action.

If people know they are being audited then there is less likelihood they will even try.
Jim

Received on Tue Jul 15 2003 - 10:18:43 CDT
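
Added example, not part of the original thread: one way to combine the two suggestions in the reply above, recording the v$session program name for every logon in a log table that can be reviewed daily. The table name, trigger name and the program-name placeholder are hypothetical; the owning schema is assumed to hold a direct grant of SELECT on SYS.V_$SESSION and the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example; names are hypothetical and not taken from the thread.
CREATE TABLE logon_log (
  username    VARCHAR2(30),
  osuser      VARCHAR2(64),
  machine     VARCHAR2(64),
  program     VARCHAR2(64),
  logon_time  DATE
);

CREATE OR REPLACE TRIGGER trg_logon_log
AFTER LOGON ON DATABASE
BEGIN
  -- Record the client-reported details of the session that just logged on.
  INSERT INTO logon_log (username, osuser, machine, program, logon_time)
  SELECT s.username,
         SUBSTR(s.osuser, 1, 64),
         SUBSTR(s.machine, 1, 64),
         SUBSTR(s.program, 1, 64),
         SYSDATE
    FROM v$session s
   WHERE s.audsid = SYS_CONTEXT('USERENV', 'SESSIONID')
     AND s.audsid <> 0;   -- skip SYS/internal sessions, which share audsid 0
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- a logging failure must not block ordinary users from logging on
END;
/

-- Daily review: connections in the last 24 hours whose reported program is
-- not the authorised application. 'FORMS_RUNTIME_PLACEHOLDER' stands in for
-- the real Forms runtime executable name at your site.
SELECT username, osuser, machine, program,
       TO_CHAR(logon_time, 'YYYY-MM-DD HH24:MI:SS') AS logged_on
  FROM logon_log
 WHERE logon_time > SYSDATE - 1
   AND (program IS NULL
        OR UPPER(program) NOT LIKE '%FORMS_RUNTIME_PLACEHOLDER%')
 ORDER BY logon_time;
```

The program value is whatever the client reports, so, as the reply points out, a renamed executable changes it; the log supports review and deterrence rather than enforcement.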
