Re: HELP: System Password problem
Date: 6 Jul 94 20:59:07 EST
Message-ID: <1994Jul6.205907.1_at_corp02.d51.lilly.com>
In article <2ump92$ik2_at_vega.info.isbiel.ch>, mta_at_venus.info.isbiel.ch (Alfred Martin) writes:
> I need to make it possible for an ordinary unix user to
> create / delete an oracle user account.
>
> The (unix-)user will have to supply the desired name and password
> for the new oracle-account, and then be able to create the account.
>
> Writing an ordinary shell-script, connecting as system/password and
> doing the job is not possible for security reasons. Also, giving each
> user the right to create / delete oracle-accounts is not desired,
> because I'd prefer them to be able to do it only from within a
> special program. Finally, setting the script set-uid to "oracle" and
> calling an "oracle"-read-only filescript is not desirable for security
> reasons, either.
>
> Is there any other way I can do it???
> PLEASE let me know if you have a good idea...
>
> --
> Alfred Martin
> (martin_at_info.isbiel.ch)
Assuming that you are working with ORACLE7, you could do something like this:
- Create a role (we call it APPL_ADMIN), with a password (create role appl_admin identified by xxxx)
- Grant the role CREATE USER.
- Grant the role any roles that the accounts to be created will need. Be sure to grant the roles WITH ADMIN OPTION.
- Grant the appl_admin role to the users that need this privilege.
- Alter those users so that their default role list does not include appl_admin (alter user fred default role role1, role2;)
- Write a program etc., that enables the role for the user, performs the create user command, and grants the initial roles. The program needs to know the password for the appl_admin role, but the user does not.
--
Bob Swisshelm | swisshelm_at_Lilly.com | 317 276 5472
Eli Lilly and Company | Lilly Corporate Center | Indianapolis, IN 46285

Received on Thu Jul 07 1994 - 03:59:07 CEST
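
The steps in the reply above, written out as Oracle SQL. This is an added example, not part of the original post: appl_admin, fred, role1, role2 and the password xxxx are the names used in the post, while new_user and new_user_pw are placeholders for the values the unix user supplies.

```sql
-- Added example: the password-protected role procedure from the reply.
-- new_user / new_user_pw are placeholders, not values from the post.

-- One-time setup, run by a DBA ------------------------------------------
CREATE ROLE appl_admin IDENTIFIED BY xxxx;
GRANT CREATE USER TO appl_admin;

-- WITH ADMIN OPTION is what lets a session with appl_admin enabled
-- pass these roles on to the accounts it creates.
GRANT role1, role2 TO appl_admin WITH ADMIN OPTION;

GRANT appl_admin TO fred;

-- Keep appl_admin out of fred's default roles so an ordinary login
-- (SQL*Plus, a shell script) does not have it enabled.
-- The post lists the default roles explicitly; ALL EXCEPT is the
-- alternative form of the same clause.
ALTER USER fred DEFAULT ROLE ALL EXCEPT appl_admin;

-- What the program issues on fred's own connection ----------------------
-- Enabling the role needs its password, which only the program holds.
-- SET ROLE replaces the session's list of enabled roles.
SET ROLE appl_admin IDENTIFIED BY xxxx;

-- DDL cannot take bind variables, so the program has to check that the
-- supplied name and password are plain identifiers before it builds
-- these statements from them.
CREATE USER new_user IDENTIFIED BY new_user_pw;
GRANT role1, role2 TO new_user;

-- Disable the role again before control returns to the user.
SET ROLE NONE;

-- Check, run from an ordinary session of fred's:
-- appl_admin must not appear in the list of enabled roles.
SELECT role FROM session_roles;
```

The role password is the only secret in this design, so the program that holds it should not be readable by the users who run it.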