Re: Keeping users out ...

From: Michael Russell <mrussell_at_beeb.net>
Date: 5 Mar 2002 02:28:17 -0800
Message-ID: <c69419da.0203050228.260b8e69_at_posting.google.com>


Thanks for the reply, Ruud.

I like the idea of control of access being through accounts because we can trace/audit the action of that individual account and we can use the database-server's security scheme. I also like the idea of 'phantom/temporary' accounts because it keeps the view of security simple, when it's up for discussion/debate.

Partly, I'm trying to protect the data and performance from the users and partly I desire a 'defensive' security-scheme because I'm looking to be able to demonstrate that security breaches probably came from a user-required/employed dba-person (i.e. the customer has insisted on having one of their people installed with full dba rights), not from a 'weak/optimistic' implementation by the software guys -- meaning 'us'.

Of course, it's a bit complicated and has its own problems, including cleaning out old phantom accounts left around after broken connections.

Incidentally, I've just learnt we have to impose a 'hierarchical' security scheme, as well: Big Boss sees everything; littler boss sees less, workers see least. Imagine a mountain: Big Boss at the top can look down; littler boss at 80 percent altitude can only look down on 80 percent, not up ... you get the picture. This could be 'interesting' ... (yes, you've guessed it ... it's salary-related data)

Regards

Michael

Ruud de Koter <ruud_dekoter_at_hp.com> wrote in message news:<3C834782.29A2D163_at_hp.com>...

 If I follow you this far, I see an easier solution in the definition of a single
 database account for the application. This account can do anything, at least on
 its own tables, but it might even be a DBA-account. Application users would not
 get a database account.  

 Application users would simply connect to the application, where an
 authorisation structure is in place for them (that would be the basis for the DB
 account, in your plan). In my plan this authorisation structure would be used to
 authorise database actions, instead of creating the additional accounts.

 Unless I am missing something, this seems a lot easier to me...  

 Regards,  

 Ruud.

Received on Tue Mar 05 2002 - 11:28:17 CET
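
An added example, not part of either post: Ruud's single application account combined with the 'mountain' visibility rule and the per-user audit trail Michael wants, with SQLite standing in for the database server. The table names, altitude values and the rule that a user sees rows at or below their own altitude are assumptions made for illustration.

```python
import sqlite3

def build_db():
    """One shared connection plays the single application account (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_user (name TEXT PRIMARY KEY, altitude INTEGER NOT NULL);
        CREATE TABLE salary (employee TEXT PRIMARY KEY REFERENCES app_user(name),
                             amount INTEGER NOT NULL);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, actor TEXT,
                                action TEXT, rows_seen INTEGER);
    """)
    # Hypothetical application users; altitude is their height on the 'mountain'.
    db.executemany("INSERT INTO app_user VALUES (?, ?)",
                   [("big_boss", 100), ("little_boss", 80), ("worker", 10)])
    db.executemany("INSERT INTO salary VALUES (?, ?)",
                   [("big_boss", 900), ("little_boss", 500), ("worker", 200)])
    db.commit()
    return db

def audit(db, actor, action, rows_seen):
    """Record the application user, since the database only ever sees one account."""
    db.execute("INSERT INTO audit_log (actor, action, rows_seen) VALUES (?, ?, ?)",
               (actor, action, rows_seen))
    db.commit()

def visible_salaries(db, actor):
    """Return the salary rows this application user may see, auditing every attempt."""
    row = db.execute("SELECT altitude FROM app_user WHERE name = ?",
                     (actor,)).fetchone()
    if row is None:
        audit(db, actor, "denied", 0)
        raise PermissionError(f"unknown application user: {actor!r}")
    # Assumed rule: look down only, so altitude at or below the viewer's own.
    rows = db.execute(
        """SELECT s.employee, s.amount
             FROM salary s JOIN app_user u ON u.name = s.employee
            WHERE u.altitude <= ?
            ORDER BY u.altitude DESC""", (row[0],)).fetchall()
    audit(db, actor, "read_salary", len(rows))
    return rows

if __name__ == "__main__":
    db = build_db()
    for user in ("big_boss", "little_boss", "worker"):
        print(user, visible_salaries(db, user))
    print(db.execute("SELECT actor, action, rows_seen FROM audit_log").fetchall())
```

The filter and the audit entry live in the same function, so a read cannot happen without leaving a record naming the application user; anyone connecting to the database directly with the shared account bypasses both.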