Home -> Community -> Usenet -> c.d.o.server -> Re: Adding some random characters to Oracle password

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Thu, 28 Oct 2004 05:44:27 +1000
Message-Id: <417ffa8b$0$22672$afc38c87@news.optusnet.com.au>


Turkbear wrote:

> premmehrotra_at_hotmail.com (Prem K Mehrotra) wrote:
> 
>> I am working on Sarbanes-Oxley compliance for Oracle databases
>> version 8.1.6.2 on HP UNIX 11. We have a third party application
>> which requires a login for each user in the database. Application
>> security is controlled through the application, so users can do only
>> certain things from the application user interface.
>>
>> The application is a Web-based Oracle Forms 6i application which runs on
>> a Windows Server; it then connects to the database on HP UNIX.
>>
>> However, the problem is that if users can connect to the database directly
>> using sqlplus, there is no security built in the database to control
>> what a user can do; they can delete all the data if they want. Since
>> it is a third party application, I cannot change their code.
>>
>> 1. Since the database connection is made from the Windows Server to the
>> UNIX server and no end user has a login on the Windows Server or UNIX
>> server, I was thinking of creating a logon trigger for every end user
>> account and verifying that the connection is made only from the Forms
>> server. This way, they cannot make a direct connection from their PC.
>> Does anyone see a problem with it?
>>
>> 2. My auditors told me Oracle has some tool where some random
>> characters are added to the password, so the user will not know these
>> characters (so they cannot make a direct connection?). I have not heard
>> of anything like that until now. Does anyone have more information on
>> it? Auditors said instead of creating logon triggers, I can
>> probably use this tool.
>>
>> Thanks a lot.
>>
>> Prem
> 
> Have all security permissions established by roles and only assign a user
> to a role inside the application.


Just out of interest, and ignoring for the moment that it is roles that are granted to a user and not the other way around: how do you propose this should work? You mean the application grants roles on log on? And then presumably it revokes roles on log-off? And if the user crashes out and doesn't log off cleanly??

Of course, you have to do the revoking bit, because otherwise your user would continue to possess the security rights associated with the role, and could therefore exercise them by hacking into the back-end directly.

And how would the application know what role to grant to which user? Are you proposing to duplicate the database's entire set of user-role grants at the application level?

HJR

Received on Wed Oct 27 2004 - 14:44:27 CDT
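The two ideas discussed in this thread, the logon trigger from the original question and the "role enabled only inside the application" suggestion, written out as an added example (not code from any poster). The Forms server address 10.0.0.5, the accounts APP_USER1/APP_USER2, the schema APP_OWNER, the table ORDERS and the role password are placeholders. SYS_CONTEXT('USERENV', ...) and password-protected roles are assumed to be available on the 8.1.6 release the question mentions.

```sql
-- Added example, not code from the thread. All names and addresses below are
-- placeholders; adjust them to the real Forms server and account list.

-- Part 1: a system-wide logon trigger (created by a DBA) that refuses
-- sessions for the application's end-user accounts unless they originate
-- from the Forms server.
CREATE OR REPLACE TRIGGER app_logon_guard
  AFTER LOGON ON DATABASE
DECLARE
  v_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip   VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  -- Guard only the application accounts; DBAs and the schema owner are
  -- left alone so a mistake here cannot lock everybody out.
  IF v_user IN ('APP_USER1', 'APP_USER2')      -- placeholder account list
     AND NVL(v_ip, 'local') <> '10.0.0.5'      -- placeholder Forms server IP
  THEN
    -- IP_ADDRESS is NULL for local (bequeath) connections on the database
    -- host; NVL makes those fail the check too instead of slipping through.
    RAISE_APPLICATION_ERROR(-20001,
      'Direct connections are not permitted; use the application.');
  END IF;
END;
/

-- Record the refused attempts so they can be reviewed later.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- Part 2: the "assign the role inside the application" idea, in its
-- 8i-compatible form. The object privileges live on a password-protected
-- role that is granted to the user but is NOT a default role, so a plain
-- SQL*Plus session starts without it; only a client that knows the role
-- password can enable it with SET ROLE.
CREATE ROLE app_role IDENTIFIED BY RolePw0_placeholder;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_role;
GRANT app_role TO app_user1;
ALTER USER app_user1 DEFAULT ROLE ALL EXCEPT app_role;

-- Issued by the application once per session, right after connecting.
-- A role enabled this way lasts only for that session, so nothing has to
-- be revoked at log-off or after a session that crashed out.
SET ROLE app_role IDENTIFIED BY RolePw0_placeholder;
```

Two caveats a reviewer would raise: Oracle lets accounts holding the ADMINISTER DATABASE TRIGGER privilege log on even when a logon trigger raises an error, so the trigger protects end-user accounts, not administrators; and an address check is a network-origin control, not authentication, so it belongs alongside the audit trail rather than instead of it. Part 2 only helps if the third-party application can be made to issue the SET ROLE after connecting and the role password can be kept out of end users' hands, which is why the trigger is the option the poster can apply without touching the vendor's code.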

