Re: Set role command - security problem
[This followup was posted to comp.databases.oracle.server and a copy was sent to the cited author.]
Steven Deneir wrote....
> Hello,
>
> I have a little problem with my security.
> I created a user with 2 roles, one default, the other is automatically
> activated when a certain application is launched. Until there no problem,
> the problem begins when the user launches SQL or ODBC. When he uses the
> command set role, he is able to activate the 2nd role himself. This is
> highly undesired.
>
> So now, my question, is there an option that prevents that a user can
> activate a role with the set role command via odbc or in sql?
>
> Thanks in advance everybody
> Please send a cc to StevenDeneir_at_writeme.com
Set a password on the role. You will have to embed this password in the application and set up some procedures so that when/if you change the password you can also change the password setting in the application and redistribute. Just realize you will not want users knowing how to get to this password in the code, since they will then be able to access the role from sql again.
--
Neil Greene
Senior System Engineer / Oracle DBA
MCI Systemhouse, Inc.
Email: <mailto:ngreene_at_laoc.SHL.com>
Pager Email: 4112636_at_PageMCI.com
Pager: 800-411-2636

Received on Mon Nov 24 1997 - 00:00:00 CST
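The password-protected role setup suggested in the reply above, written out as an added example that is not part of the original post. The role, user and table names (`app_role`, `base_role`, `app_user`, `app_owner.orders`) and both passwords are hypothetical placeholders.

```sql
-- Added example: all object names and passwords below are placeholders.

-- 1. Create the application-only role with a password and give it the
--    privileges the application needs.
CREATE ROLE app_role IDENTIFIED BY "role_password_placeholder";
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_role;

-- 2. Grant both roles to the user, but keep app_role out of the default
--    set so it is not enabled at logon.
GRANT base_role, app_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_role;

-- 3. What the application runs after connecting. SET ROLE disables every
--    role not named in the statement, so the default role is listed too.
SET ROLE base_role, app_role IDENTIFIED BY "role_password_placeholder";

-- 4. What a user sees from SQL*Plus or ODBC without the password:
--      SET ROLE app_role;
--      ORA-01979: missing or invalid password for role 'APP_ROLE'

-- 5. Rotation: change the role password here, then redistribute the
--    application with the new value.
ALTER ROLE app_role IDENTIFIED BY "new_role_password_placeholder";

-- 6. Checks a DBA can run to confirm the configuration.
SELECT role, password_required
  FROM dba_roles
 WHERE role = 'APP_ROLE';          -- expect PASSWORD_REQUIRED = 'YES'

SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';       -- expect APP_ROLE with DEFAULT_ROLE = 'NO'

-- Run inside an application session to list the roles currently enabled.
SELECT role FROM session_roles;
```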