Re: Security question: Forms / SQLPlus

From: Albert Ratzlaff <albert_at_infonet.com.py>
Date: Sat, 26 Sep 1998 09:36:14 -0300
Message-ID: <360CDFBE.7F140D9D_at_infonet.com.py>


Martin Bronstein wrote:

> Assign a select only role to the user as his default role (Use the ALTER USER
> command). This way, accessing the database via SQL*Plus, etc., will only allow
> the user to view the data. In your application, dynamically set the role for
> that user to whatever you want him to have for that session.
>

Everything that you can do in an application, you can also do in interactive SQL. How do you stop the user from using the ALTER USER command? The ORACLE documentation recommends using encrypted passwords in the application, but that isn't very smart from a security point of view. The problem is not ORACLE, the problem is Client/Server.

Regards
Albert Ratzlaff
Hint: there are ways to guarantee reasonable security using certain combinations of roles, triggers and stored procedures. But it is not something easily grafted onto existing applications; it has to be in the original design.

Received on Sat Sep 26 1998 - 14:36:14 CEST
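Added example, not part of either poster's message: the role scheme from the quoted reply set beside one possible combination of roles, a stored procedure and a trigger of the kind the hint mentions. It is Oracle SQL run by a DBA; the accounts `app_owner` and `app_user` are assumed to exist, and every table, role and procedure name is an assumption made for the illustration.

```sql
-- Constructed schema; every name below is an assumption made for the example.
CREATE TABLE app_owner.orders (
    order_id NUMBER PRIMARY KEY,
    status   VARCHAR2(10) NOT NULL
);
CREATE TABLE app_owner.orders_audit_log (
    changed_by VARCHAR2(30), changed_at DATE, order_id NUMBER
);

-- Scheme from the quoted reply: read-only default role, write role enabled by the application.
CREATE ROLE orders_read;
CREATE ROLE orders_write;
GRANT SELECT ON app_owner.orders TO orders_read;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO orders_write;
GRANT orders_read, orders_write TO app_user;
ALTER USER app_user DEFAULT ROLE orders_read;
-- Weak point: the statement the application issues after login is accepted
-- from any client that connects as app_user, SQL*Plus included:
--   SET ROLE orders_read, orders_write;

-- Design in the direction of the hint: the account holds no write role at all.
REVOKE orders_write FROM app_user;
-- Writes go through a procedure that runs with app_owner's privileges
-- and enforces the business rule itself.
CREATE OR REPLACE PROCEDURE app_owner.set_order_status (
    p_order_id IN NUMBER,
    p_status   IN VARCHAR2
) AS
BEGIN
    IF p_status IS NULL OR p_status NOT IN ('OPEN', 'SHIPPED', 'CANCELLED') THEN
        RAISE_APPLICATION_ERROR(-20001, 'invalid status');
    END IF;
    UPDATE app_owner.orders SET status = p_status WHERE order_id = p_order_id;
    IF SQL%ROWCOUNT = 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'unknown order');
    END IF;
END;
/
GRANT EXECUTE ON app_owner.set_order_status TO app_user;

-- The trigger records who changed which row, whichever client made the call.
CREATE OR REPLACE TRIGGER app_owner.orders_audit
AFTER INSERT OR UPDATE OR DELETE ON app_owner.orders
FOR EACH ROW
BEGIN
    INSERT INTO app_owner.orders_audit_log (changed_by, changed_at, order_id)
    VALUES (USER, SYSDATE, NVL(:NEW.order_id, :OLD.order_id));
END;
/
```

With this layout a session connected as `app_user` from SQL*Plus can still call `set_order_status`, but it can change only what the procedure allows, and each change is logged under the session's user name.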
