With a simple <>, sure - it's all in how you write the trigger. I try to make it a bit more challenging... and it also helps include several other parameters, where appropriate. -Jackie Jackie D. Brock Database Specialist - Systems Evaluation CableLabs® 858 Coal Creek Circle Louisville, CO 80027 Email: j.brock@xxxxxxxxxxxxx 303-661-3347 -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of D'Hooge Freek Sent: Wednesday, January 13, 2010 3:07 AM To: adar666@xxxxxxxxxxxx; jkstill@xxxxxxxxx Cc: wblanchard@xxxxxxxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx Subject: RE: Privileges by session Checking the name of the application is pointless as it is so easy to fool. You only need to change the name of the application: C:\>rename c:\oracle\product\10.2.0\client_1\BIN\sqlplus.exe sqlplus2.exe C:\>sqlplus2 sys@xxxxxxxxxxxxxxxxxxxxx as sysdba SQL*Plus: Release 10.2.0.1.0 - Production on Wed Jan 13 11:04:51 2010 Copyright (c) 1982, 2005, Oracle. All rights reserved. Enter password: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production With the Partitioning and Data Mining options INSTANCE_NAME HOST_NAME STATUS ---------------- ------------------------------ ------------ GUNNAR dargo.farscape OPEN sys@GUNNAR> select program from v$session where sid = (select distinct sid from v$mystat); PROGRAM ------------------------------------------------ sqlplus2.exe regards, Freek D'Hooge Uptime Oracle Database Administrator email: freek.dhooge@xxxxxxxxx tel +32(0)3 451 23 82 http://www.uptime.be disclaimer: www.uptime.be/disclaimer ________________________________________ From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Yechiel Adar Sent: dinsdag 12 januari 2010 18:40 To: jkstill@xxxxxxxxx Cc: wblanchard@xxxxxxxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx Subject: Re: Privileges by session Sure, but: 1) How many are worth employment? :-) 2) Adding check on the source, that should be production servers that the developers has no access to, will help. Adar Yechiel Rechovot, Israel Jared Still wrote: On Tue, Jan 12, 2010 at 4:54 AM, Yechiel Adar <adar666@xxxxxxxxxxxx> wrote: 2) Put in a login trigger that will fail all logon with the application user but with other programs like SQLPLUS or TOAD. Any developer worth employing can circumvent a trigger that checks executable names. Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist Oracle Blog: http://jkstill.blogspot.com Home Page: http://jaredstill.com -- //www.freelists.org/webpage/oracle-l -- //www.freelists.org/webpage/oracle-l