Looks like one of those great DB designs where all constraints are enforced on the application side ... Different random thoughts : * What does V$SESSION show in program and (I'm a dreamer and an optimist) ACTION/MODULE/CLIENT_INFO when using your 3rd party application? If it's 'jdbc 1.0' and NULL everywhere, no hope. Otherwise it may help you identify whether you are indeed connected as you should or not (not in a logon triggerunfortunately, since it fires before any call to DBMS_APPLICATION_INFO). You can create a trigger on each and every table (realistic ?) which fails when not connected through the application. * Which brings the second remark; why do you say that setting FGAC everywhereis not realistic? You can probably generate the code required pretty easily through SQL*Plus. Ditto for the triggers mentioned above. HTH, Stephane Faroult RoughSea Ltd http://www.roughsea.com On Tue, 02 Nov 2004 08:23 , 'Jeffrey Beckstrom' <JBECKSTROM@xxxxxxxxx> sent: Since I can not disable a role through a logon database trigger, I am seeking help in how to prevent a user from updating tables outside of the third-party application. The user is granted a role which permits update. I can not password protect the role since it is used by the third party application. What are some options. Fine grained access control is not realistic since would have to set it up on every table in the system. Jeffrey Beckstrom Database Administrator Greater Cleveland Regional Transit Authority 1240 W. 6th Street Cleveland, Ohio 44113 -- //www.freelists.org/webpage/oracle-l[1] --- Links --- 1 modules/refer.pl?redirect=http%3A%2F%2Fwww.freelists.org%2Fwebpage%2Foracle-l -- //www.freelists.org/webpage/oracle-l