
Re: Passwords in Roles

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: 19 Jan 2007 07:05:36 -0800
Message-ID: <1169219136.055392.326550@l53g2000cwa.googlegroups.com>

On Jan 19, 6:56 am, "franck" <francois.bourda..._at_harfan.com> wrote:
> If your application gives access to tables and SPs with roles, this gives
> you one level of security, because users cannot access your data if the
> role is not a default role and if the role is not set. You can
>
> The second level is the password of the role. This is like a user
> password. If you don't know it, you cannot use the role, and therefore
> cannot have access to your data or SPs etc.
>
> So if Oracle database users try to access your data from another
> application, like SQLplus, they have to connect, they have to know the
> role name, and they have to know the password of this role.
>
> In your case, I presume that the 'set role x identified by y' is
> hardcoded in your apps.
>
>
>
> Michael42 wrote:
> > Hello,
>
> > I have recently become responsible for an Oracle 9i database where a
> > set of applications that were written for it extensively use passwords
> > in Oracle Roles. The developer who architected these apps has since
> > retired so I cannot ask him why he did this. It is causing a great
> > hindrance as I prep this database from 10g (exp\imp etc.).
>
> > Are there any sound reasons to store passwords in Oracle Roles in
> > modern Oracle databases, what are your thoughts on this practice?
>
> > Thanks for your feedback,
>
> > Michael42

Actually it is better if the setting of the role is done in an included library routine so it is less obvious to those who have access to the source code that the command is being issued.

Managing security this way prevents, as Franck mentioned, users who connect via ad hoc tools from automatically being able to access the same data that they have access to via the application.

It is possible for a DBA to generate the create role command with the password in one database so that the role can be created in another database even when the DBA does not know the password. See dbms_metadata.

HTH -- Mark D Powell -- Received on Fri Jan 19 2007 - 09:05:36 CST
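
The setup discussed in this thread, written out as an added example that is not part of the original posts: a password-protected, non-default role, the `SET ROLE` call the application issues, an audit query for a migration inventory, and the `dbms_metadata` extraction mentioned above. The names `app_rw`, `app_owner.orders`, `scott` and the password are hypothetical placeholders.

```sql
-- Added example; all object names and the password are hypothetical placeholders.

-- 1. Create the role with a password and grant it the application's privileges.
CREATE ROLE app_rw IDENTIFIED BY "Placeholder_Pw_1";
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_rw;

-- 2. Grant the role to the end user, but keep it out of the default roles,
--    so a plain login from an ad hoc tool does not enable it.
GRANT app_rw TO scott;
ALTER USER scott DEFAULT ROLE ALL EXCEPT app_rw;

-- 3. What the application (ideally a shared library routine) issues after
--    connecting. SET ROLE enables the listed roles and disables all others
--    for the session, so list every role the application needs.
SET ROLE app_rw IDENTIFIED BY "Placeholder_Pw_1";

-- 4. Inventory before a migration: which roles require a password, who holds
--    them, and whether any grantee has one as a default role.
SELECT r.role,
       p.grantee,
       p.default_role
FROM   dba_roles r
       JOIN dba_role_privs p ON p.granted_role = r.role
WHERE  r.password_required = 'YES'
ORDER  BY r.role, p.grantee;

-- 5. Generate the CREATE ROLE statement from the source database so the role
--    can be recreated in the target without knowing the cleartext password.
--    SET LONG is a SQL*Plus setting so the CLOB is not truncated on display.
SET LONG 10000
SELECT DBMS_METADATA.GET_DDL('ROLE', 'APP_RW') FROM dual;
```

Treat the DDL produced in step 5 as a secret, since it carries the role's stored password verifier.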
