Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Granting a role to a session ?

Re: Granting a role to a session ?

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Fri, 02 Jul 2004 22:11:18 -0700
Message-ID: <1088831511.886561@yasure>


Paul Brewer wrote:

> "Daniel Morgan" <damorgan_at_x.washington.edu> wrote in message
> news:1088688485.804450_at_yasure...
> 

>>Richard Elliott wrote:
>>
>>
>>>I want to grant an update role to a user when they connect from a
>>>client app.. This is so I can set up users in Oracle with no update
>>>privileges due to the same users using ODBC to run queries. I want the
>>>users to only be able to update the data if they are running a client
>>>that has row level security code in it. If I grant the update role to
>>>the user in the client, what keeps them from running the client, then
>>>connecting ODBC and running an update.
>>>
>>>What I want is to be able to alter the session, not the user. Is this
>>>possible ?
>>>I don't see it in my books. Of course if I'm totally off track, some
>>>direction would be much appreciated. I read in other post where this
>>>was the preferred method, but see a large hole in it as I understand
>>>it.
>>>
>>>Thanks in advance for the help.
>>
>>Use an AFTER-LOGON trigger
>>http://www.psoug.org/reference/ddl_trigger.html
>>and session information about the tool being used to connect to
>>grant the privilege on-the-fly.
>>
> 
> One snag with that approach is I can just rename sqlplus.exe to
> my_official_app.exe. OP might be better off looking at implementing row
> level security in the database, or doing updates via stored
> procedures/packages. Then the DBA doesn't need to worry what tool clients
> are using to connect.
> Alternatively there's the old solution of password protected roles.
> I must say though that in my experience this all becomes somewhat less
> relevant these days, what with everything new being three tier now, rather
> than client/server.
> 
> Regards,
> Paul

One solution to the snag. If they don't log on with the correct tool ... terminate the session.

Problem solved!

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat Jul 03 2004 - 00:11:18 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US