RE: ODBC and database security
- From: "Hostetter, Jay M" <JHostetter@xxxxxxxxxxxxxxxxxxxx>
- To: <oracle-l@xxxxxxxxxxxxx>
- Date: Fri, 3 Dec 2004 13:39:55 -0500
One other thing - you don't want the users to actually modify data
outside of the application. In our homegrown databases and
applications, our database roles are separated into roles with only
SELECT rights and roles with UPDATE/INSERT/DELETE rights on tables.
Users have the select roles as their default roles. The other roles may
be granted to the users, but not as default roles. When the users log
in through the application, the app issues a SET ROLE ALL command, which
will allow the users to modify data as needed, based on their roles. If
they access the database through another tool (SQL*Plus, MS Access,
Excel, etc.) they can only SELECT data (unless they found this post and
figure out how to issue the correct command to enable the other roles).
Jay
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of
Kip.Bryant@xxxxxxxxxx
Sent: Friday, December 03, 2004 12:54 PM
To: Meenakshi.Aggarwal@xxxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: ODBC and database security
IMHO the real security issue is with the oracle client install. Sorry
if the following is too obvious... You need to be certain that the DBA
utilities are never installed and that the sqlnet config can't be
changed so as to avoid system probing. And everyone has changed all
default passwords, right? ;-) Then the remaining issue would be account
administration...what your password controls are...(length, content,
expiration, sharing of accounts...).
Kip
|Hi All,
|Can anybody share what are database security issues when using ODBC
|(set up on client PCs).
|Thanks
|--
|http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
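Added example, not part of the original thread and not the posters' own code: the default-role arrangement Jay describes, written out as Oracle SQL, followed by a secure application role variant in which the write role can only be enabled from inside a procedure. All object names (app_owner, orders, jsmith, app_read, app_write, app_write_sec, enable_app_write) and the address check are hypothetical.

```sql
-- 1. Split privileges into a read-only role and a write role.
CREATE ROLE app_read;
CREATE ROLE app_write;
GRANT SELECT ON app_owner.orders TO app_read;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO app_write;

-- 2. Grant both roles, but make only the read role a default role,
--    so a fresh login (SQL*Plus, MS Access, Excel) starts read-only.
GRANT app_read, app_write TO jsmith;
ALTER USER jsmith DEFAULT ROLE app_read;

-- 3. The application issues this after connecting. Nothing ties the
--    statement to the application: any client can send it.
SET ROLE ALL;

-- Check from any session which roles are enabled right now.
SELECT role FROM session_roles;

-- Stricter variant: a secure application role. It can be enabled only
-- from inside the named invoker's-rights procedure, which decides
-- whether the session qualifies.
CREATE OR REPLACE PROCEDURE app_owner.enable_app_write
  AUTHID CURRENT_USER
AS
BEGIN
  -- Constructed condition: accept only sessions coming from the
  -- application server's address (192.0.2.10 is a placeholder).
  IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '192.0.2.10' THEN
    DBMS_SESSION.SET_ROLE('app_write_sec');
  END IF;
END;
/

CREATE ROLE app_write_sec IDENTIFIED USING app_owner.enable_app_write;
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO app_write_sec;
GRANT app_write_sec TO jsmith;
GRANT EXECUTE ON app_owner.enable_app_write TO jsmith;

-- The application calls the procedure instead of SET ROLE ALL.
BEGIN
  app_owner.enable_app_write;
END;
/
```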