Would this work? Security

From: Michael J. Moore <hicamel_at_home.com>
Date: Fri, 08 Sep 2000 02:53:16 GMT
Message-ID: <wwYt5.177215$i5.2541729_at_news1.frmt1.sfba.home.com>


Using Developer Forms and giving each user access to the database tables poses a security problem. Specifically, the user could use a tool such as SQL Plus to directly update tables. One proposed solution is to write PL/SQL processes and associate the Forms data blocks with the processes and only give the user privileges to execute the process and no direct access to the table. I have an objection to this solution; it "breaks" the QBE functionality that is built into Forms. So, I thought of another solution but, not being very experienced in this environment, I wonder if it would really work.

My other solution goes something like this. Have the normal username that the user logs on with. Then have the PL/SQL code use built-in functions to log on to a second username using a hard-coded password or a password pulled from a table. There could be a pool of these secondary usernames. The code could first look to see what usernames are in use, and then select a username from the pool that is not currently in use. These secondary usernames are never exposed to the users, and they need never know that the system logged off their personal username and re-logged on to a secondary username.
Of course, only the secondary usernames have direct privileges to access the tables and the primary (personal) usernames do NOT.

Is there any reason a scheme like this would not work? Comments? Thanks,
Mike

Received on Fri Sep 08 2000 - 04:53:16 CEST
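
The first approach mentioned in the post (execute-only access to PL/SQL, with no direct table privileges), as an added example that is not part of the original message. The schema, table, package and user names (APP_OWNER, EMPLOYEES, EMP_API, FORM_USER) are hypothetical.

```sql
-- Added illustration; APP_OWNER, EMPLOYEES, EMP_API and FORM_USER are hypothetical names.
-- Run as APP_OWNER, the schema that owns the table.
CREATE TABLE employees (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(60) NOT NULL,
  salary  NUMBER(10,2) NOT NULL
);

-- Definer's rights (the default): the body runs with APP_OWNER's privileges,
-- so callers need EXECUTE on the package and nothing on the table itself.
CREATE OR REPLACE PACKAGE emp_api AUTHID DEFINER AS
  PROCEDURE set_salary(p_emp_id IN NUMBER, p_salary IN NUMBER);
END emp_api;
/
CREATE OR REPLACE PACKAGE BODY emp_api AS
  PROCEDURE set_salary(p_emp_id IN NUMBER, p_salary IN NUMBER) IS
  BEGIN
    -- Rule enforced inside the database, whichever client connects.
    IF p_salary IS NULL OR p_salary < 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'salary must be non-negative');
    END IF;
    UPDATE employees SET salary = p_salary WHERE emp_id = p_emp_id;
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'no such employee');
    END IF;
  END set_salary;
END emp_api;
/
-- The end user receives EXECUTE only; no SELECT/INSERT/UPDATE/DELETE on the table.
GRANT EXECUTE ON emp_api TO form_user;

-- Connected as FORM_USER from SQL*Plus:
--   UPDATE app_owner.employees SET salary = 1 WHERE emp_id = 7;
--     fails with ORA-00942, because FORM_USER holds no privilege on the table
--   EXECUTE app_owner.emp_api.set_salary(7, 52000)
--     succeeds, subject to the checks in the package body
```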
