RE: Prevent certain users logging on during specific hours
- From: "Mark W. Farnham" <mwf@xxxxxxxx>
- To: <John.Hallas@xxxxxxxxxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
- Date: Wed, 23 Apr 2014 08:40:17 -0400
If you want to minimize the load on your database system, route access
through a screen or form (such that access to the actual applications
programs and tools like sqlplus is only reachable through the form.)
When it is outside access hours, a version of the form that displays a
useful message is displayed instead of the access menu. No interaction with
the machine except the display and an exit is required. This can be
arbitrarily simple or complex depending on your requirements. Once such a
system is in place it also becomes routine to put up a status message for
unexpected maintenance windows and save few billion phone calls. When the
system is available, you then move on to user validation. So if someone
tries to gain access via a different access screen, they will get rejected
anyway.
mwf
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of John Hallas
Sent: Wednesday, April 23, 2014 2:43 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Prevent certain users logging on during specific hours
We have a requirement to prevent database logons by specific users (who can
be identified because they have a particular role) during certain times and
I am thinking of options and looking for any other thoughts on the best
approach. These are some of my thoughts
Resource manager - put the users into a resource group and schedule that
group to limit access appropriately - I have not tested this to see if it is
possible but if you can give it zero CPU quota it might be possible - does
seem a lot of effort though and my experience of RM is that it does need a
lot of tweaking/maintenance
Logon trigger - simple to implement - just needs a bit of work around
matching current time with allowed hours - but it will run against every
login and that is a big overhead on a busy system
OEM job (or dbms scheduler) to revoke create session from role - thinking
about it I think the scheduler job which is local on the database is safer.
It would need to do some form of 'alter user revoke role' command but that
should all work. The user does not get a good message back though which is a
bit of a problem with 2 of the solutions but the login trigger could have a
message output to the user
Any other suggestions please
Thanks John
www.jhdba.wordpress.com
DBA Team Leader
Wm Morrison Supermarkets PLC
Tel 0845 611 4589 Mob: 07876 790540
E-mail: john.hallas@xxxxxxxxxxxxxxxxxx
______________________________________________________________________
Wm Morrison Supermarkets Plc is registered in England with number 358949.
The registered office of the company is situated at Gain Lane, Bradford,
West Yorkshire BD3 7DL. This email and any attachments are intended for the
addressee(s) only and may be confidential.
If you are not the intended recipient, please inform the sender by replying
to the email that you have received in error and then destroy the email.
If you are not the intended recipient, you must not use, disclose, copy or
rely on the email or its attachments in any way.
This email does not constitute a contract in writing for the purposes of the
Law of Property (Miscellaneous Provisions) Act 1989.
Our Standard Terms and Conditions of Purchase, as may be amended from time
to time, apply to any contract that we enter into. The current version of
our Standard Terms and Conditions of Purchase is available at:
http://www.morrisons.co.uk/gscop
Although we have taken steps to ensure the email and its attachments are
virus-free, we cannot guarantee this or accept any responsibility,
and it is the responsibility of recipients to carry out their own virus
checks.
______________________________________________________________________
Other related posts: