Re: Database Security
Date: 10 Feb 95 06:34:28 EST
Message-ID: <1995Feb10.063429.3951_at_inet.d48.lilly.com>
In article <dongwei.15.00141AEE_at_creek.eel.ufl.edu> Yisheng, dongwei_at_creek.eel.ufl.edu writes:
>I would like to discuss with anyone who has experience in Oracle database
>security. Any suggestion is also appreciated. Right now we are facing a very
>important issue in database development. We use Oracle as our database
>server. In our application code we would like to have different roles enabled
>at different times. To do this we create different roles and grant them to all
>the users. By use: Alter User Default Role None, we disable all the roles from
>all the users and use Set Role command in the application code to enable
>different roles at different times. It looks fine at first look. However, if
>it happens that any of the users can get a chance to have a look at the source
>code, he would be able to grant a role to himself by writing his own
>application code. It is really a big hole in the security of Oracle database.
>We don't want the users to get any information from the application code. But
>it looks like that Oracle can't do anything about it. I would like to hear
>from you about this Security stuff in Oracle.
One major suggestion would be to protect the source code from the users.
We generally recommend the following to our application development people when they want to have application level security.
- Create a role with a password
- Grant the appropriate application security to the role
- Grant the role to the user
- We have a nightly job that sets a user's default roles to the list of their non-password-protected roles. So, the role that was just created will not be enabled by default.
- Determine how to let the application know the password, but not let the user know it. There are a couple of ways you can do this. Store the password in the program (make sure it can't be figured out if the user gets hold of the executable). Store it in a database table in encrypted format. Store the encryption algorithm in the executable.
- Protect the source code from the user.
Hope this helps.
Bob Swisshelm | swisshelm_at_Lilly.com | 317 276 5472
Eli Lilly and Company | Lilly Corporate Center | Indianapolis, IN 46285
Received on Fri Feb 10 1995 - 12:34:28 CET
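The password-protected-role procedure Bob lists above, written out as Oracle SQL so the steps and the checks can be seen together. This is an added example, not code from either poster or from Oracle's documentation; the role name APP_REPORTING, the user JSMITH, the table HR.EMPLOYEES and the placeholder <app_role_password> are all constructed for illustration.

```sql
-- Added example (not from the original post). Constructed names:
-- role APP_REPORTING, user JSMITH, table HR.EMPLOYEES; the password is a placeholder.

-- 1. Create the role with a password. SET ROLE on it fails unless the
--    password is supplied, which is the whole point of the scheme.
CREATE ROLE app_reporting IDENTIFIED BY <app_role_password>;

-- 2. Grant the application's privileges to the role, never directly to the user.
GRANT SELECT ON hr.employees TO app_reporting;

-- 3. Grant the role to the user. A newly granted role is enabled at login
--    unless the user's default-role list excludes it, hence step 4.
GRANT app_reporting TO jsmith;

-- 4. Keep all other roles on by default but leave the password-protected role
--    off at login. This is the per-user equivalent of Bob's nightly job.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT app_reporting;

-- Check (as DBA): DEFAULT_ROLE should read NO for APP_REPORTING, YES for the rest.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'JSMITH';

-- 5. At run time the application, not the user, supplies the password.
--    A plain "SET ROLE app_reporting;" from SQL*Plus is rejected for a
--    missing or invalid role password.
SET ROLE app_reporting IDENTIFIED BY <app_role_password>;

-- Check (in the session): the role now appears in the enabled-role list.
SELECT role FROM session_roles;

-- 6. Drop the application privileges again when the task is done.
SET ROLE NONE;
```

The `dba_role_privs` query is the audit a DBA would run to confirm the nightly job has actually taken effect, and `session_roles` is what the application can query to confirm the `SET ROLE` succeeded before it issues any work. The weakness Yisheng raised is not removed by this scheme, only moved: the password now has to live somewhere the application can read and the user cannot, which is why Bob's last two points are about hiding it. Later Oracle releases added secure application roles (`CREATE ROLE ... IDENTIFIED USING schema.package`), where the role can only be enabled from inside a named PL/SQL procedure that can inspect the session before enabling it; that feature did not exist when this thread was written.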