Would this work? Security
Date: Fri, 08 Sep 2000 02:53:16 GMT
Message-ID: <wwYt5.177215$i5.2541729_at_news1.frmt1.sfba.home.com>
Using Developer Forms and giving each user access to the database tables poses a security problem. Specifically, the user could use a tool such as SQL Plus to directly update tables. One proposed solution is to write PL/SQL processes and associate the Forms data blocks with the processes and only give the user privileges to execute the process and no direct access to the table. I have an objection to this solution; it "breaks" the QBE functionality that is built into forms. So, I thought of another solution but, not being very experienced in this environment, I wonder if it would really work.
My other solution goes something like this. Have the normal username that
the user logs on with. Then have the PL/SQL code use built-in functions to
log on to a second user name using a hard coded password or a password
pulled from a table. There could be a pool of these secondary usernames. The
code could first look to see what usernames are in use, and then select a
username from the pool that is not currently in use. These secondary
usernames are never exposed to the users, and they need never know that the
system logged off their personal username and re-logged on to a secondary
username.
Of course, only the secondary usernames have direct privileges to access
the tables and the primary (personal) usernames do NOT.
Is there any reason a scheme like this would not work? Comments?
thanks,
Mike
Received on Fri Sep 08 2000 - 04:53:16 CEST
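
The execute-only arrangement the post calls the "proposed solution", sketched on the database side as an added example (not part of the original message). The schema APP_OWNER, table ORDERS, package ORDERS_API and login FORMS_USER are hypothetical names, and the Forms data-block wiring is not shown.

```sql
-- Hypothetical names throughout: APP_OWNER (schema), ORDERS (table), FORMS_USER (personal login).
CREATE TABLE app_owner.orders (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(10) NOT NULL,
  amount   NUMBER(10,2) NOT NULL
);

-- Weak setting the post describes: with direct grants the same login can change rows from SQL*Plus.
-- GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO forms_user;

-- Execute-only alternative: a definer's-rights package runs with APP_OWNER's privileges.
CREATE OR REPLACE PACKAGE app_owner.orders_api AUTHID DEFINER AS
  TYPE order_cur IS REF CURSOR RETURN app_owner.orders%ROWTYPE;
  PROCEDURE query_orders(p_status IN VARCHAR2, p_rows IN OUT order_cur);
  PROCEDURE set_status(p_order_id IN NUMBER, p_status IN VARCHAR2);
END orders_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.orders_api AS
  PROCEDURE query_orders(p_status IN VARCHAR2, p_rows IN OUT order_cur) IS
  BEGIN
    -- Static SQL with a bind variable; callers cannot alter the statement text.
    OPEN p_rows FOR
      SELECT order_id, status, amount FROM app_owner.orders
       WHERE p_status IS NULL OR status = p_status;
  END query_orders;

  PROCEDURE set_status(p_order_id IN NUMBER, p_status IN VARCHAR2) IS
  BEGIN
    -- The package, not the caller, decides which values are acceptable.
    IF p_status IS NULL OR p_status NOT IN ('OPEN', 'SHIPPED', 'CLOSED') THEN
      RAISE_APPLICATION_ERROR(-20001, 'invalid status');
    END IF;
    UPDATE app_owner.orders SET status = p_status WHERE order_id = p_order_id;
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'no such order');
    END IF;
  END set_status;
END orders_api;
/
GRANT EXECUTE ON app_owner.orders_api TO forms_user;

-- Check: the personal login should hold EXECUTE on the package and nothing on the table.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER' AND grantee = 'FORMS_USER';
```

DBA_TAB_PRIVS lists direct grants only, so privileges reaching the login through a role need a separate look at DBA_ROLE_PRIVS.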