Re: Database Security
Date: 10 Feb 1995 18:37:21 GMT
Message-ID: <3hgbp1$2uc_at_tpd.dsccc.com>
Yisheng (dongwei_at_creek.eel.ufl.edu) wrote:
: I would like to discuss with anyone who has experience in Oracle database
: security. Any suggestion is also appreciated. Right now we are facing a very
: important issue in database development. We use Oracle as our database
: server. In our application code we would like to have different roles enabled
: at different times. To do this we create different roles and grant them to all
: the users. By using: Alter User Default Role None, we disable all the roles from
: all the users and use the Set Role command in the application code to enable
: different roles at different times. It looks fine at first look. However, if
: it happens that any of the users gets a chance to have a look at the source
: code, he would be able to grant a role to himself by writing his own
: application code. It is really a big hole in the security of Oracle database.
: We don't want the users to get any information from the application code. But
: it looks like Oracle can't do anything about it. I would like to hear
: from you about this Security stuff in Oracle.
: Brant
: My E-Mail: dongwei_at_creek.eel.ufl.edu
I do not completely understand how your code works. From what you said it would seem that as a user I could run your application under my Oracle ID, the app would grant a role which gives me update privs to data, and while I was on the screen during the update I could log in again via another window and my Oracle account would be running with the role with update priv.
If your app covers this, then it seems strong enough.
-- I speak for me, not the company I work for.

Received on Fri Feb 10 1995 - 19:37:21 CET
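
The role setup described in the question, next to a variant in which the role can only be enabled through a server-side procedure, as an added example that is not part of the original thread. All object names (app_update, app_update_sec, scott_app, app_sec, app.orders) and the address check are constructed assumptions, and `IDENTIFIED USING` is an Oracle feature the thread itself does not mention.

```sql
-- 1. Setup as described in the question (constructed names).
--    The role is granted to the user but is not enabled at login.
CREATE ROLE app_update;
GRANT UPDATE ON app.orders TO app_update;
GRANT app_update TO scott_app;
ALTER USER scott_app DEFAULT ROLE NONE;

-- The application enables the role at run time. Because the role is
-- granted directly to the user, the same statement is accepted from
-- any client that user connects with, not only from the application.
SET ROLE app_update;

-- Audit check: roles enabled in the current session.
SELECT role FROM session_roles;

-- 2. Variant: a role that only a named procedure can enable.
--    A plain SET ROLE app_update_sec issued by the user is rejected.
CREATE ROLE app_update_sec IDENTIFIED USING app_sec.enable_update;
GRANT UPDATE ON app.orders TO app_update_sec;
GRANT app_update_sec TO scott_app;

-- Invoker's rights are required so that the role is enabled in the
-- caller's session. The condition below is an assumed policy (the
-- application server's address, a documentation-range placeholder);
-- the decision is made inside the database, so reading the client
-- source code does not reveal a statement the user can replay.
CREATE OR REPLACE PROCEDURE app_sec.enable_update
  AUTHID CURRENT_USER
AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '192.0.2.10' THEN
    DBMS_SESSION.SET_ROLE('app_update_sec');
  END IF;
END;
/

GRANT EXECUTE ON app_sec.enable_update TO scott_app;

-- Review query: roles granted to the user and whether each is a default.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'SCOTT_APP';
```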