Re: Role mechanism in distributed environment
Date: 1995/10/16
Message-ID: <45uii9$2rf_at_news.iis.com.br>#1/1
Gert Jan Willems <G.J.Willems_at_inter.NL.net> wrote:
>
>System : RS6000/AIX 3.2.5
>RDBMS : ORACLE7 Server 7.1.6.0
>
>We're running into security problems when using Oracle's role
>mechanism in a distributed environment with implicit logons (DB links
>in embedded SQL).
>
>Here is a description of our problem:
>
>User 'X' uses (public) synonyms and grants obtained through a role to
>access local database objects. His default role is merely a connect like
>role. In the application we use the 'set role' command -disabled
>in SQL*Plus through the product_profile table- to obain the privileges
>to access the objects. In the application we fetch the data from the remote
>Database through a DB-link, but -of course- this results in a ORA-00942
>because user 'X' has no default application role (on the remote DB) to access
>the objects and since the logon is implicit there is no room for a 'set role'
>command.
>
>We want to stick to the roles for obvious reasons but also need to solve
>this problem. Is there anyone out there who knows a solution?
>
>Another (hot) issue is security in Client/Server environments.
>In other words how do we prevent users -the nasty/clever ones!-, who
>are developing applications on their clients with products like SQL/Windows,
>Delphi etc. from connecting to our production databases.
>
>Thanks.
>
>Gert Jan Willems
>ABP - Holland
>G.J.Willems_at_inter.NL.net
>
As regards your first question, you should set roles in the remote
system(s) so that a remote user can have the privileges to access the
objects their applications need. As far as I know there's no other way to
do this.
Your second is far more complicated. Production users need access to production databases to run their applications. If they also develop their own programmes, using SQLWindows and similar products, I can't see any effective solution...
Best regards Received on Mon Oct 16 1995 - 00:00:00 CET