RE: ** ORACLE Forms security **

From: Anil Sinha <sinha_at_watson.bms.com>
Date: Wed, 12 Aug 1992 16:13:00 GMT
Message-ID: <12AUG199211130446_at_watson.bms.com>


>You can limit user access to your Oracle database by creating a special view
>for your table which knows at run time if it is running from SQL*Plus or IAP:
>
>
>0. You need ORACLE V6
>
>1. Create your table (table_name)
>
>2. Create a view like
>
> CREATE VIEW view_name AS
>   SELECT *
>     FROM table_name
>    WHERE EXISTS (SELECT 1
>                    FROM sys.v_$session S, sys.v_$process P
>                   WHERE addr=paddr
>                     AND S.username=user
>                     AND (INSTR(program,'IAP') <> 0 OR command=3)
>                     AND terminal=USERENV('TERMINAL'))
>   WITH CHECK OPTION;
>
>"command" includes the actual command (SELECT=3,INSERT,...)
>"program" includes the actual program name (IAP,SQLPLUS,...).
>

I don't wish to nitpick. But the user can avoid this security as follows:

  1. Copy the sqlplus executable to his/her area.
  2. Rename the sqlplus executable to iap.exe.
  3. Assign a symbol or logical as appropriate to the O/S,

        e.g. in VMS: sqlplus == "$<device_name>:<directory>iap.exe"

  4. Now using iap.exe one can execute sqlplus.

        Then sys.v_$process.program will have the string IAP.

>
>3. ORACLE-user "SYS" must give a "GRANT OPTION" on the virtual views
>
> GRANT SELECT ON v_$session TO PUBLIC WITH GRANT OPTION;
> GRANT SELECT ON v_$process TO PUBLIC WITH GRANT OPTION;
>
>
>4. Set grants only on the view for all your users
>
> GRANT SELECT,INSERT,UPDATE,DELETE ON view_name TO ......
>
>
>So they can update your database only in SQL*Forms (if it works on your
>system too ?).
>
> GOOD LUCK !!
>
>--
>
>--------------------------------------------------------------------------------
>Klaus-Michael Hatzinger hatzinger_m_at_bmwf1f.bmwf.gv.at
>Federal Ministry of Science and Research
>Computer Center
>Vienna, Austria
>
Received on Wed Aug 12 1992 - 18:13:00 CEST
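
Added example (not part of either post): a Python/SQLite model of the view's EXISTS predicate, showing that the check sees only the program name the client process reports, so the renamed image described in the reply yields the same row as the real forms runtime. The table layouts, user, terminal and the non-SELECT command value are constructed assumptions.

```python
import sqlite3

# Constructed stand-ins for sys.v_$session / sys.v_$process; only the columns
# the view's predicate reads are modelled (column placement is an assumption).
SCHEMA = """
CREATE TABLE v_process (addr TEXT, program TEXT, terminal TEXT);
CREATE TABLE v_session (paddr TEXT, username TEXT, command INTEGER);
"""

# The view's EXISTS predicate; :user and :terminal stand in for Oracle's
# USER and USERENV('TERMINAL'), which SQLite does not have.
PREDICATE = """
SELECT EXISTS (SELECT 1
                 FROM v_session S, v_process P
                WHERE addr = paddr
                  AND S.username = :user
                  AND (INSTR(program, 'IAP') <> 0 OR command = 3)
                  AND terminal = :terminal)
"""

def view_returns_rows(program, command, user="APPUSER", terminal="TTA1"):
    """Evaluate the predicate for one session whose process reports `program`."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO v_process VALUES ('P1', ?, ?)", (program, terminal))
    conn.execute("INSERT INTO v_session VALUES ('P1', ?, ?)", (user, command))
    (passed,) = conn.execute(PREDICATE, {"user": user, "terminal": terminal}).fetchone()
    conn.close()
    return bool(passed)

# Constructed cases: (description, program name the process reports, command).
# 3 is SELECT per the post; 2 is used here only as "some command other than SELECT".
CASES = [
    ("SQL*Forms runtime, DML",          "IAP.EXE",     2),
    ("SQL*Plus, SELECT",                "SQLPLUS.EXE", 3),
    ("SQL*Plus, DML",                   "SQLPLUS.EXE", 2),
    ("SQL*Plus image renamed iap, DML", "IAP.EXE",     2),
]

def run_cases():
    return {desc: view_returns_rows(prog, cmd) for desc, prog, cmd in CASES}

if __name__ == "__main__":
    for desc, passed in run_cases().items():
        print(f"{desc:34} -> {'rows visible' if passed else 'no rows'}")
```

The first and last cases insert identical rows, which is why the predicate cannot tell them apart: the program name is an attribute supplied by the client side, not something the database verifies.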
