Re: Different way of maintaining users?

  • From: stephen booth <stephenbooth.uk@xxxxxxxxx>
  • To: vsimmons@xxxxxxxxxxxxxxx
  • Date: Sat, 15 Oct 2005 22:59:38 +0100

On 14/10/05, Vanessa A. Simmons <vsimmons@xxxxxxxxxxxxxxx> wrote:
>
> We are considering a change to the way our users access the database and our
> applications. We would like to make sure that users are getting to the data
> through the applications only and not using external tools (i.e. SQL*Plus)
> to access the database directly with the hopes that this will help us to
> further secure our databases.

One of the companies I used to work for wanted to do something similar
in a Forms app (Forms 4.x IIRC). The way they did it was to not grant
the table access to the user but instead to a password-protected role.
The role was granted to the user but not enabled. When the app
connected to the database it would enable the role and provide the
password (which was hard-coded in the application). I guess that you
could store the password in an encrypted form in the database or an
external file so the application reads it in and decrypts it to use to
enable the role.

You'd have to have two users, one to own the schema that only the
administrators know the password for (apply the same levels of
security as you do for the system/sys accounts) and one that the
application uses to access the data.

SQL*Plus isn't your only (or probably even main) problem; there's a
certain level of barrier to entry to use it (you have to know SQL).
Applications like Access and Excel connecting over ODBC tend to be a
bigger problem; there's a lower barrier to entry.

Stephen
--
It's better to ask a silly question than to make a silly assumption.
--
//www.freelists.org/webpage/oracle-l
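
The password-protected role arrangement described in the message above, written out as Oracle SQL. This is an added example, not part of the original post; the names app_owner, app_user, app_data_role, the orders table and the password are hypothetical placeholders.

```sql
-- Added example. All object names and the password are hypothetical placeholders.

-- 1. As a DBA: create a role that can only be enabled by supplying a password.
CREATE ROLE app_data_role IDENTIFIED BY "Placeholder_Pw_1";

-- 2. Grant table access to the role only, never directly to the login account.
--    app_owner is the schema owner whose password only administrators know.
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_data_role;

-- 3. Grant the role to the account the application connects as, then take it
--    out of the default roles so it is granted but not enabled at login.
GRANT CREATE SESSION TO app_user;
GRANT app_data_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_data_role;

-- 4. Check the result as a DBA: DEFAULT_ROLE for this row should not be YES.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'APP_USER';

-- 5. In any session that logs in as app_user without the role password
--    (SQL*Plus, Access or Excel over ODBC), the role is not among the
--    enabled roles, and the table grant lives only on the role, so the
--    query on app_owner.orders is rejected.
SELECT role FROM session_roles;
SELECT COUNT(*) FROM app_owner.orders;

-- 6. The application issues this immediately after connecting. SET ROLE
--    enables the named role (and disables roles not listed) for this
--    session only; the same query is then allowed.
SET ROLE app_data_role IDENTIFIED BY "Placeholder_Pw_1";
SELECT COUNT(*) FROM app_owner.orders;
```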
