Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle accounts / os accounts

From: Brian Peasland <oracle_dba_at_nospam.peasland.net>
Date: Thu, 4 May 2006 14:10:01 GMT
Message-ID: <IyqvD0.843@igsrsparc2.er.usgs.gov>


> On their systems, they create users at the OS
> level, assign them to groups, and grant db privileges to those groups
> -- all outside the DB, it seems.

One of the nice features of SQL Server is that it can use domain authentication. So when you sign on to your workstation and authenticate to the domain, you have also authenticated to any SQL Server instance that you have been given privileges to. SQL Server calls this "Windows authentication". SQL Server also has "database authentication" where the userid/password is stored in the database (similar to Oracle's SYS.USER$ table).

So your SQL Server admins can simply tell the SQL Server instance that a domain account (XYZ\user) is now granted access to the instance. And that user has been granted privileges on tables, databases, system privileges, or been granted a role.

In this respect, SQL Server is nice because it enjoys hooks into the server and the domain. One can always argue that these hooks lead to security holes, so all is not rosy. And some SQL Server objects can be owned by domain users that leave the company...

The closest I've seen in Oracle to this is a product called Single Sign-On (SSO). With SSO, the user authenticates once and then is able to connect to any database they have access to.

> I've always used roles, and have
> played with OS authentication, but I've never seen anything in Oracle
> that does what I understand them to be describing.

I've used roles too, in both Oracle and SQL Server. Roles in both are essentially the same.

HTH,
Brian

-- 
===================================================================

Brian Peasland
oracle_dba_at_nospam.peasland.net
http://www.peasland.net

Remove the "nospam." from the email address to email me.


"I can give it to you cheap, quick, and good.
Now pick two out of the three" - Unknown
Received on Thu May 04 2006 - 09:10:01 CDT
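
The SQL Server arrangement described in the message above, sketched in T-SQL as an added example that is not part of the original post: a domain group is granted access through Windows authentication, and two review queries look for the ownership problem the message mentions. The group `XYZ\SalesReaders`, the database `SalesDb` and the role `sales_read` are hypothetical names.

```sql
-- Added example; XYZ\SalesReaders, SalesDb and sales_read are hypothetical.

-- 1. Windows authentication: register a domain group as a server login.
--    SQL Server stores no password for it; the domain vouches for members.
USE master;
CREATE LOGIN [XYZ\SalesReaders] FROM WINDOWS;

-- 2. Map the group into one database and grant privileges through a role,
--    so access follows group membership managed outside the database.
USE SalesDb;
CREATE USER [XYZ\SalesReaders] FOR LOGIN [XYZ\SalesReaders];
CREATE ROLE sales_read;
GRANT SELECT ON SCHEMA::dbo TO sales_read;
-- SQL Server 2012 and later; earlier versions use sp_addrolemember.
ALTER ROLE sales_read ADD MEMBER [XYZ\SalesReaders];

-- 3. Review: every Windows user (U) and Windows group (G) login on the
--    instance, to compare against current domain accounts.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')
ORDER BY name;

-- 4. Review: schemas owned by an individual Windows user in this database.
--    These keep their owner after the person leaves the company.
SELECT dp.name AS owner_name, s.name AS schema_name
FROM sys.schemas AS s
JOIN sys.database_principals AS dp
  ON dp.principal_id = s.principal_id
WHERE dp.type = 'U';

-- 5. Review: objects with an explicit individual owner that is a Windows
--    user (principal_id is NULL when the schema owner owns the object).
SELECT dp.name AS owner_name,
       SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name AS object_name,
       o.type_desc
FROM sys.objects AS o
JOIN sys.database_principals AS dp
  ON dp.principal_id = o.principal_id
WHERE dp.type = 'U';
```

Granting to a domain group rather than to individual accounts keeps ownership and privileges off personal logins, which leaves queries 4 and 5 with nothing to report.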
