Re: Oracle Security

From: Martin Rapier <M.Rapier_at_shef.ac.uk>
Date: 1995/07/17
Message-ID: <3udti8$j0j_at_hippo.shef.ac.uk>#1/1


smorrow_at_dotrisc.cfr.usf.edu (Steve Morrow) wrote:
>Greetings All,
>
>We want to ensure that our users access a database thru a particular application,
>and not thru SQL*PLUS, or some other Oracle or 3rd party reporting tool or
>database residing on another host. Users will be restricted from the UNIX
>command line, and thus won't be able to execute commands.
>
>I understand that the PRODUCT_USER_PROFILE table will allow you to 'disable'
>what users can do within SQL*PLUS, but can other tools be specified? And
>moreover, is there a way of restricting access from other programs/DBs/tools?
>Does SQL*NET have such a capability to filter out users NOT coming in thru
>this application?
>
>Any answers and/or comments are appreciated!

The PRODUCT_USER_PROFILE is useful, but is not effective for anything except SQL*Plus and the other tools that use this table. If your users have got a valid account and password, and can get at SQL*Net via ODBC or similar, your system is wide open.

The best way to implement security in this case is to use database roles with password protection. The access security the users require is granted to the role, then your application front end enables the role with 'SET ROLE XXX IDENTIFIED BY YYY', which is coded into it and hidden from the users. If the users try and get in by an unauthorised route, they will only have minimal access (if any) without setting the role.

The other way to do it is to code up your application so that the users never even know they have got an Oracle account; they connect to it via some sort of internal security mechanism, and the application makes the connection to Oracle with accounts that the users do not see. You would need to code up your own username/password system in this case.

Cheers.
Martin.

Received on Mon Jul 17 1995 - 00:00:00 CEST
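
The password-protected role scheme described in the reply above, as an added example that is not part of the original post. The names APP_ROLE, APP_OWNER.ORDERS and JSMITH and the role password are hypothetical placeholders; the statements are standard Oracle SQL.

```sql
-- Added example; every name and the password below are hypothetical.

-- 1. DBA: create the password-protected role and give it the
--    privileges the application needs.
CREATE ROLE app_role IDENTIFIED BY role_pw_placeholder;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO app_role;

-- 2. DBA: grant the role to the user, but keep it out of the user's
--    default roles. A default role is enabled automatically at login
--    without its password, which would defeat the scheme.
GRANT CREATE SESSION TO jsmith;
GRANT app_role TO jsmith;
ALTER USER jsmith DEFAULT ROLE NONE;

-- 3. DBA: check that nothing bypasses the role. The first query should
--    show DEFAULT_ROLE = 'NO' for APP_ROLE; the second should return no
--    rows (no direct or PUBLIC grants on the application tables).
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'JSMITH';

SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND grantee IN ('JSMITH', 'PUBLIC');

-- 4. JSMITH connecting by an unauthorised route (SQL*Plus, ODBC):
--    the role is not enabled, so the tables are not visible.
SELECT role FROM session_roles;          -- APP_ROLE is not listed
SELECT COUNT(*) FROM app_owner.orders;   -- fails with ORA-00942

-- 5. The application front end, immediately after connecting as JSMITH:
SET ROLE app_role IDENTIFIED BY role_pw_placeholder;
SELECT role FROM session_roles;          -- APP_ROLE is now listed
SELECT COUNT(*) FROM app_owner.orders;   -- succeeds
```

The scheme depends on the role password staying secret inside the front end, so it should be changed (`ALTER ROLE app_role IDENTIFIED BY ...`) whenever the application binary or its configuration may have been exposed.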
