Re: does "identified externally" work?

kresko_at_krypton.sao.nrc.ca (Greg Kresko) wrote:
>Regarding my mention of "default roles", I was referring to the sections
>in the manuals titled "Using Operating System Role Identification".
>There are no concrete examples given, but I figured it out.
>In file configsid.ora, place the line "os_roles = true" (this gives role
>authorization to the operating system). To give user "x" the "connect"
>role when starting an oracle session, place the line
>"ora_sid_connect_d::111:x" in file /etc/group. (I used an unassigned
>groupid.) This works. While interesting, I can't see giving anyone
>the privilege of modifying /etc/group for the purpose of administering
>roles. I don't think I will be using this. (Can anyone give a good
>reason for doing this instead of using Oracle to grant roles?)

I think the idea is to give installations the choice of having someone besides a DBA -- namely the person(s) already responsible for system access privs -- handle Oracle access controls as well, without having to learn Oracle. Not sure about UNIX, but in the mainframe world you will find people with titles like "security officer" whose main responsibilities are the care and feeding of system access controls. Oracle on MVS lets you derive a user's roles from standard MVS security products such as RACF when using os_roles=true.

/b

--
Bill Manry - Mainframe & Integration Technologies - Oracle Corp. USA
The above statements and opinions are my own and do not
necessarily represent those of Oracle Corporation.