Re: HELP: System Password problem

From: <jl34778_at_corp02.d51.lilly.com>
Date: 6 Jul 94 20:59:07 EST
Message-ID: <1994Jul6.205907.1_at_corp02.d51.lilly.com>


In article <2ump92$ik2_at_vega.info.isbiel.ch>, mta_at_venus.info.isbiel.ch (Alfred Martin) writes:
> I need to make it possible for an ordinary unix user to
> create / delete an oracle user account.
>
> The (unix-)user will have to supply the desired name and password
> for the new oracle-account, and then be able to create the account.
>
> Writing an ordinary shell-script, connecting as system/password and
> doing the job is not possible for security reasons. Also, giving each
> user the right to create / delete oracle-accounts is not desired,
> because I'd prefer them to be able to do it only from within a
> special program. Finally, setting the script set-uid to "oracle" and
> calling an "oracle"-read-only filescript is not desirable for security
> reasons, either.
>
> Is there any other way I can do it???
> PLEASE let me know if you have a good idea...
>
> --
> Alfred Martin
> (martin_at_info.isbiel.ch)

Assuming that you are working with ORACLE7, you could do something like this:

  1. Create a role (we call it APPL_ADMIN), with a password (create role appl_admin identified by xxxx)
  2. Grant the role CREATE USER.
  3. Grant the role any roles that the accounts to be created will need. Be sure to grant the roles WITH ADMIN OPTION.
  4. Grant the appl_admin role to the users that need this privilege.
  5. Alter those users so that their default role list does not include appl_admin: alter user fred default role role1, role2;
  6. Write a program, etc., that enables the role for the user, performs the create user command, and grants the initial roles. The program needs to know the password for the appl_admin role, but the user does not.
-- 
Bob Swisshelm                | swisshelm_at_Lilly.com     | 317 276 5472
Eli Lilly and Company        | Lilly Corporate Center  | Indianapolis, IN 46285
Received on Thu Jul 07 1994 - 03:59:07 CEST
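The six steps above written out as Oracle SQL, as an added example that is not part of the original post. The role, user, role-list and password names (appl_admin, role1, role2, fred, newuser, the literal passwords) are placeholders; the "program" of step 6 is shown as the SET ROLE / CREATE USER / GRANT sequence it would send while connected as the operator. One addition beyond the post: the original question also asks for deleting accounts, and DROP USER is a separate system privilege, so it is granted to the role here as well.

```sql
-- Added example (not from the original post). All names and passwords are placeholders.

-- Steps 1-3: run once as a DBA (for example as SYSTEM).
CREATE ROLE appl_admin IDENTIFIED BY appl_admin_secret;
GRANT CREATE USER TO appl_admin;
-- Added for the "delete" half of the original question; the post's steps grant CREATE USER only.
GRANT DROP USER TO appl_admin;
-- Roles the new accounts will receive. WITH ADMIN OPTION lets appl_admin grant them onward.
GRANT role1, role2 TO appl_admin WITH ADMIN OPTION;

-- Steps 4-5: grant the role to the operator, but keep it out of the default role list,
-- so a plain interactive session for fred never has it enabled.
GRANT appl_admin TO fred;
ALTER USER fred DEFAULT ROLE role1, role2;
-- Equivalent form:  ALTER USER fred DEFAULT ROLE ALL EXCEPT appl_admin;

-- Step 6: what the trusted program executes after connecting as fred.
-- Only the program carries the role password; fred does not need to know it.
SET ROLE appl_admin IDENTIFIED BY appl_admin_secret;
CREATE USER newuser IDENTIFIED BY newpass;
GRANT role1, role2 TO newuser;
-- Deleting an account would be:  DROP USER olduser;
-- Return the session to the default role list before doing anything else with it.
SET ROLE role1, role2;

-- Check: list the system privileges currently enabled in this session.
SELECT privilege FROM session_privs ORDER BY privilege;
```

The whole scheme rests on the role password staying inside the program: anyone who learns it can SET ROLE appl_admin from an ordinary SQL*Plus session and create or drop users without the program, so the program's source or binary must not be readable by the users it serves, and the password should be changed with ALTER ROLE if it is ever exposed. The SESSION_PRIVS query is the quick way to confirm that a fresh session for fred does not list CREATE USER or DROP USER until the role is enabled.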