RE: ODCB security

  • From: "Brady, Mark" <Mark.Brady@xxxxxxxxxxxxxxxxx>
  • To: <Randy.Steiner@xxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 13 Jun 2007 14:25:09 -0400

You're only worried about ODBC? What about OCI or OO4O? Is it OK if they
connect like that? I think you'll find why putting Security and Business
logic in the database is so often the recommendation of ... well, people
on this list. A valid account should only be allowed to perform valid
actions independent of the tool used to format the request to the
database.


I guess you could separate your accounts. Give the users a different
username and password for the application which in turn logs them into
the database with the username the database is expecting. That way they
have no way to login to the database at all and yet they will still have
their own user on the database side (I assume this is client-server
that needs individual accounts and not n-tier that would just connect to
the db in a pool with a service account).

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Steiner, Randy
Sent: Tuesday, June 12, 2007 12:33 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: ODCB security


Our app connects to the 10gr2 db via oledb.  My manager wants to ensure
that users, with valid accounts, cannot connect to the db via odbc with
stuff like Access or Excel.  I know I can put a logon trigger to look
for the name of the app and refuse connection. But is there a better
way?  I am afraid the logon trigger is too easy to beat.


Thanks

Randy
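The following is an example added here by the editor, not code posted by either Randy or Mark. It puts the logon trigger Randy describes beside the alternative that Mark's first paragraph points to: leaving the user with a valid account but holding every object privilege on a secure application role that a plain ODBC/OLE DB logon cannot switch on. All object names (the APPSEC schema, HR.EMPLOYEES, ALICE, APP_USER_ROLE, APP_AUTH, KEY_MATCHES) and the shared application key are assumptions made for illustration.

```sql
-- Added example, not code posted in this thread. Oracle SQL / PL/SQL (10g
-- syntax); the APPSEC schema, HR.EMPLOYEES, ALICE, APP_USER_ROLE and every
-- package/function name below are assumed for illustration.

-- (a) The logon trigger from the question. MODULE (like PROGRAM) is reported
--     by the client driver and can be set to anything by the caller, so this
--     stops casual Access/Excel use only; keep it for logging, not as a control.
CREATE OR REPLACE TRIGGER app_only_logon
AFTER LOGON ON DATABASE
BEGIN
  -- Users holding ADMINISTER DATABASE TRIGGER (DBAs) still get in if this raises.
  IF NVL(UPPER(SYS_CONTEXT('USERENV', 'MODULE')), 'NONE') NOT LIKE 'OURAPP%' THEN
    RAISE_APPLICATION_ERROR(-20001, 'Connect through the application');
  END IF;
END;
/

-- (b) Mark's point applied: the user keeps a database account, but every
--     object privilege lives on a secure application role that only the
--     application can enable. An Excel/ODBC session as ALICE still logs in
--     (CREATE SESSION only) and finds nothing it is allowed to query.
CREATE USER alice IDENTIFIED BY placeholder_change_me;   -- placeholder password
GRANT CREATE SESSION TO alice;

-- Secret shared between the application tier and APPSEC only. End users have
-- no privilege on this table; it is read through a definer's-rights function.
-- (APPSEC needs EXECUTE ON DBMS_CRYPTO for the hash.) Seed it once with:
--   INSERT INTO appsec.app_keys
--     VALUES (DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW('<app key>'), DBMS_CRYPTO.HASH_SH1));
CREATE TABLE appsec.app_keys (key_hash RAW(20));

CREATE OR REPLACE FUNCTION appsec.key_matches(p_app_key IN VARCHAR2)
  RETURN PLS_INTEGER AUTHID DEFINER IS
  v_n PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO v_n
    FROM appsec.app_keys
   WHERE key_hash = DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW(p_app_key),
                                     DBMS_CRYPTO.HASH_SH1);
  RETURN v_n;
END key_matches;
/

-- Invoker's-rights package named in the role's IDENTIFIED USING clause; only a
-- call stack passing through it may enable the role via DBMS_SESSION.SET_ROLE.
CREATE OR REPLACE PACKAGE appsec.app_auth AUTHID CURRENT_USER AS
  PROCEDURE enable_app_role(p_app_key IN VARCHAR2);
END app_auth;
/
CREATE OR REPLACE PACKAGE BODY appsec.app_auth AS
  PROCEDURE enable_app_role(p_app_key IN VARCHAR2) IS
  BEGIN
    IF appsec.key_matches(p_app_key) = 1 THEN
      DBMS_SESSION.SET_ROLE('app_user_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20002, 'Application role not enabled');
    END IF;
  END enable_app_role;
END app_auth;
/

CREATE ROLE app_user_role IDENTIFIED USING appsec.app_auth;
GRANT SELECT, INSERT, UPDATE ON hr.employees TO app_user_role;
GRANT app_user_role TO alice;
ALTER USER alice DEFAULT ROLE NONE;       -- granted, but off until enabled
GRANT EXECUTE ON appsec.app_auth    TO alice;
GRANT EXECUTE ON appsec.key_matches TO alice;   -- invoker's rights: ALICE needs this

-- The application, after opening its OLE DB session as ALICE, runs once:
--   BEGIN appsec.app_auth.enable_app_role(:app_key); END;
-- Direct ODBC logins never make that call (and never hold the key), so they
-- stay at CREATE SESSION only. SYS_CONTEXT('USERENV','MODULE') can still be
-- checked inside enable_app_role, but only as a secondary, spoofable signal.
```

The difference between the two halves is where the decision is made: (a) trusts a client-supplied string, which is why Randy expects it to be beaten, while (b) enforces the rule with the privilege model itself, independent of whether the request arrives over OLE DB, ODBC, OCI or OO4O. A session that skips the enabling call, or calls it without the application key, holds no object privileges regardless of the tool used; auditing failed calls to enable_app_role then gives a reliable record of people trying to use their account outside the application.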

