Xref: alice comp.databases.oracle.server:76048
Path: alice!news-feed.fnsi.net!hammer.uoregon.edu!logbridge.uoregon.edu!newsfeed.stanford.edu!paloalto-snf1.gtei.net!news.gtei.net!inet16.us.oracle.com!not-for-mail
From: Rick Wessman <rwessman@us.oracle.com>
Newsgroups: comp.databases.oracle.server
Subject: Re: Security Question-Reposted
Date: 30 Nov 1999 11:43:20 -0500
Organization: Oracle Corporation, Redwood Shores, CA
Lines: 64
Message-ID: <uso1oq6af.fsf@us.oracle.com>
References: <38322E77.C277E141@synergy-infotech.com> <3837C9A8.82C19284@synergy-infotech.com> <38397417.5418001@read.news.globalnet.co.uk> <943347515.24183.0.nnrp-07.9e984b29@news.demon.co.uk>
X-Trace: inet16.us.oracle.com 943980298 7730 138.2.146.58 (30 Nov 1999 16:44:58 GMT)
X-Complaints-To: usenet@inet16.us.oracle.com
NNTP-Posting-Date: 30 Nov 1999 16:44:58 GMT
X-Newsreader: Gnus v5.6.45/XEmacs 21.2 - "Shinjuku"

In addition, you can create the user with a password that is unknown to the
user. That way, the user can only connect through the application.

As to the documentation about the feature, I agree that it is definitely
incomplete. It slipped by me in 8.1.5. We have documented it much more
thoroughly in 8.1.6.

For the moment, Tom Kyte's web site has a white paper that describes how to
use the feature.

                                          Rick

"Jonathan Lewis" <jonathan@jlcomp.demon.co.uk> writes:

> There is an option in OCI in 8.1, although
> the documentation is far from complete.
> 
> You can:
>     alter user {user id} grant connect through {proxy id} with role {list of roles}
> 
> This means that your OCI application can connect
> to the database using a hard-coded user id / password
> (the proxy id) which has no privileges other than a basic
> CREATE SESSION,  but be allowed though to act as
> another ID without supplying that ID's password.
> 
> In this way, you can change the real password as
> often as you like.  The system can only be subverted
> by someone who - finds the proxy id and password
> from the executable, and then writes their own OCI
> program.
> 
> 
> --
> 
> Jonathan Lewis
> Yet another Oracle-related web site:  http://www.jlcomp.demon.co.uk
> 
> Keith Boulton wrote in message
> <38397417.5418001@read.news.globalnet.co.uk>...
> >On Sun, 21 Nov 1999 16:00:00 +0530, Anurag Minocha
> ><anurag@synergy-infotech.com> wrote:
> >
> >>> The application always connects to the same user/schema eg: r2 . I want
> >>> that users should not be able to connect to r2 schema in any way other
> >>> than our application even though they know the password. i.e I want to
> >>> prevent access from sql*plus, crystal reports, etc etc.
> >
> >You cannot. What is sometimes done to reduce the risk of problems is
> >to grant access to a non-default database role with a password so that
> >the role is enabled by your application e.g.:
> 
> 
> 

-- 
                                        Rick Wessman
                                        Security and Directory Technologies
                                        Server Technologies
                                        Oracle Corporation
                                        rwessman@us.oracle.com

       The statements and opinions expressed here are my own and do not
             necessarily represent those of  Oracle Corporation.
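
The setup discussed in this thread, written out as an added example that is not part of the original posts or of Oracle's documentation. The names app_proxy, jsmith, r2_app_role and r2.orders are hypothetical, and the passwords are placeholders to be replaced.

```sql
-- Added example; all user, role and table names are hypothetical.

-- Proxy account whose credentials are embedded in the OCI application.
-- It holds CREATE SESSION and nothing else, so recovering its password
-- from the executable gives no direct access to application data.
CREATE USER app_proxy IDENTIFIED BY "REPLACE_WITH_PROXY_PASSWORD";
GRANT CREATE SESSION TO app_proxy;

-- End-user account created with a password the user is never told
-- (generate it randomly and discard it), so a direct login from
-- SQL*Plus or a reporting tool fails.
CREATE USER jsmith IDENTIFIED BY "REPLACE_WITH_RANDOM_DISCARDED_VALUE";
GRANT CREATE SESSION TO jsmith;

-- Application privileges are held by a role, not granted directly.
CREATE ROLE r2_app_role;
GRANT SELECT, INSERT, UPDATE ON r2.orders TO r2_app_role;
GRANT r2_app_role TO jsmith;

-- Allow the proxy to act as jsmith, limited to the listed role.
ALTER USER jsmith GRANT CONNECT THROUGH app_proxy WITH ROLE r2_app_role;

-- If the proxy credentials are believed to be exposed, change the
-- proxy password and, if needed, withdraw the proxy right per user.
ALTER USER app_proxy IDENTIFIED BY "REPLACE_WITH_NEW_PROXY_PASSWORD";
ALTER USER jsmith REVOKE CONNECT THROUGH app_proxy;
```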
