Re: Implementing security

From: Mal Heseltine <mth_at_qld.mim.com.au>
Date: 1997/03/11
Message-ID: <3324DD36.78A3_at_qld.mim.com.au>#1/1


Our approach has been to use an application role which has all the relevant object privileges for the application assigned to the role. The role is password protected and enabled in the application logon form. We don't see a need to change this password as long as the logon form source code is adequately protected.

We developed a sort of security sub-system in Forms which is common to all our applications as part of our in-house menuing standard. The security sub-system allows profiles to be defined which have application functionality (menu items) assigned to them as required. Each end-user is assigned to a profile that is relevant for them to perform their job.
Our custom menu system then builds their menu on logon based on what profiles they are assigned which indicates which application functions they have access to.

Other security features we use are automatic timeouts after a certain period of inactivity.
Each end-user has an Oracle account which is host-authenticated through the OS.
Password standards are enforced on the OS accounts. For C/S systems we are investigating third-party products such as sql<>secure to address password standards.

I wasn't real sure what you were after but hope this helps. Mal.

Michael Leung wrote:
>
> Hi,
>
> I would like to know what the proper way of handling user security in
> Oracle applications should be. I know that I can define an application
> role and then set the role in an application (Oracle Forms) with a password
> to limit user to access unnecessary objects. However, I find that this
> approach seems not very flexible for security management purpose because I
> need to re-compile the source code every time I have changed the password.
>
> Please share any experience + good reference you have. Thanks in advance.
>
> Michael
Received on Tue Mar 11 1997 - 00:00:00 CET
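
The setup discussed in this thread, sketched as an added example that is not part of either poster's message: a password-protected application role kept out of the user's default roles, an OS-authenticated account, and profile tables that drive the menu. All object, role, user and table names are hypothetical, the password is a placeholder, and the account name assumes the default OS_AUTHENT_PREFIX.

```sql
-- Added example. Hypothetical names: app_orders_role, orders, ops$jsmith,
-- sec_profile, sec_profile_item, sec_user_profile.

-- 1. Password-protected application role holding the object privileges.
CREATE ROLE app_orders_role IDENTIFIED BY "placeholder_role_password";
GRANT SELECT, INSERT, UPDATE ON orders TO app_orders_role;

-- 2. Host-authenticated end-user account (assumes OS_AUTHENT_PREFIX = OPS$).
CREATE USER ops$jsmith IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$jsmith;

-- 3. Grant the role but keep it out of the default set, so a connection
--    made outside the application starts with no object privileges.
GRANT app_orders_role TO ops$jsmith;
ALTER USER ops$jsmith DEFAULT ROLE ALL EXCEPT app_orders_role;

-- 4. Statement the logon form issues after connecting. SET ROLE enables
--    only the roles listed and disables any others for the session.
SET ROLE app_orders_role IDENTIFIED BY "placeholder_role_password";

-- 5. Profile tables: menu items belong to profiles, users to profiles.
CREATE TABLE sec_profile (
  profile_name VARCHAR2(30) PRIMARY KEY
);
CREATE TABLE sec_profile_item (
  profile_name VARCHAR2(30) NOT NULL REFERENCES sec_profile,
  menu_item    VARCHAR2(30) NOT NULL,
  PRIMARY KEY (profile_name, menu_item)
);
CREATE TABLE sec_user_profile (
  username     VARCHAR2(30) NOT NULL,
  profile_name VARCHAR2(30) NOT NULL REFERENCES sec_profile,
  PRIMARY KEY (username, profile_name)
);

-- 6. Query the menu builder runs at logon for the connected user.
SELECT DISTINCT i.menu_item
FROM   sec_user_profile u
JOIN   sec_profile_item i ON i.profile_name = u.profile_name
WHERE  u.username = USER
ORDER  BY i.menu_item;
```

The menu query only decides which functions are displayed; the privileges granted to the role remain the boundary on what the session can actually do.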
