RE: Privileges by session

  • From: "Jackie Brock" <J.Brock@xxxxxxxxxxxxx>
  • To: "Blanchard, William" <wblanchard@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 7 Jan 2010 14:10:02 -0700

I just read your other post.  Since you're talking about an application
that also does DDL, I would look at using schema level triggers - raise
an application error if the program being used isn't the application.
 
Honestly, though, if the purpose is troubleshooting the application,
there shouldn't be any reason why you couldn't log them out immediately
if they're not logging in via the application - and I'm a developer
(most of the time)!
 
-Jackie
 
Jackie D. Brock
Database Specialist - Systems Evaluation
CableLabs(r)
858 Coal Creek Circle
Louisville, CO 80027
Email: j.brock@xxxxxxxxxxxxx <mailto:j.brock@xxxxxxxxxxxxx> 
303-661-3347
 


________________________________

        From: Blanchard, William [mailto:wblanchard@xxxxxxxxxxxxxxxxxxxx]
        Sent: Thursday, January 07, 2010 1:45 PM
        To: Jackie Brock
        Cc: oracle-l@xxxxxxxxxxxxx
        Subject: RE: Privileges by session
        
        
        Do you have an example of changing the role for a session?
         
         
        WGB
         

________________________________

        From: Jackie Brock [mailto:J.Brock@xxxxxxxxxxxxx] 
        Sent: Thursday, January 07, 2010 2:43 PM
        To: Blanchard, William
        Cc: oracle-l@xxxxxxxxxxxxx
        Subject: RE: Privileges by session
        
        
        You could assign a read-only role based on the session info. :-)
         
        -Jackie
         
         


________________________________

                From: Blanchard, William [mailto:wblanchard@xxxxxxxxxxxxxxxxxxxx]
                Sent: Thursday, January 07, 2010 1:42 PM
                To: Jackie Brock
                Cc: oracle-l@xxxxxxxxxxxxx
                Subject: RE: Privileges by session
                
                
                I thought about just restricting to IP address and
                restricting logons via a trigger but I need to allow the
                developers read access for troubleshooting production
                issues.
                 
                 
                WGB

________________________________

                From: Jackie Brock [mailto:J.Brock@xxxxxxxxxxxxx] 
                Sent: Thursday, January 07, 2010 2:29 PM
                To: Blanchard, William
                Subject: RE: Privileges by session
                
                
                I've set up login triggers to prevent logins based on
                the OS username before - it worked very well, but it
                does assume that they aren't using a central account.
                I'm not sure you want to allow someone to log in to an
                application from a central account, anyway?  You could
                also restrict based on IP - any of the information
                that's stored in the session variables.  Heck - you
                could even restrict it based on the program being used -
                I've done that as well.  :-)
                 
                HTH!
                 
                -Jackie
                 
                 


________________________________

                        From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Blanchard, William
                        Sent: Thursday, January 07, 2010 1:22 PM
                        To: oracle-l@xxxxxxxxxxxxx
                        Subject: Privileges by session
                        
                        

                        Greetings, 

                        I have convinced management to allow me to grant
                        read-only access to the developers.  The problem
                        is that they know the application passwords and
                        have been using those passwords to circumvent my
                        controls.  Is there a way via a trigger, role,
                        etc. to change individual sessions' privileges
                        so they have read only (select) permissions?
                        The easiest way would be to change the
                        permissions on the applications but that's not
                        an option.

                        Thank you, 

                        WGB 
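
The login-trigger and schema-level DDL-trigger approach suggested in this thread, written out as an added example that is not code from any of the posters. The account name APP_OWNER, the program name prefix APPSERVER and the 10.1.2.% address range are assumed placeholders, and the trigger owner is assumed to hold a direct SELECT grant on SYS.V_$SESSION.

```sql
-- Added example. APP_OWNER, APPSERVER and 10.1.2.% are placeholders.
-- Assumption: the trigger owner has SELECT granted directly on SYS.V_$SESSION.

-- 1) Login trigger: refuse APP_OWNER sessions that are not the application.
CREATE OR REPLACE TRIGGER app_owner_logon_guard
AFTER LOGON ON DATABASE
DECLARE
  v_program VARCHAR2(128);
  v_ip      VARCHAR2(64);
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_OWNER' THEN
    SELECT program INTO v_program
      FROM v$session
     WHERE sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));
    -- IP_ADDRESS is NULL for local (bequeath) connections.
    v_ip := SYS_CONTEXT('USERENV', 'IP_ADDRESS');

    IF UPPER(NVL(v_program, '?')) NOT LIKE 'APPSERVER%'
       OR NVL(v_ip, '?') NOT LIKE '10.1.2.%'
    THEN
      -- An unhandled error in an AFTER LOGON trigger rejects the login.
      RAISE_APPLICATION_ERROR(-20001,
        'APP_OWNER may connect only through the application');
    END IF;
  END IF;
END;
/

-- 2) Schema-level trigger: refuse DDL in APP_OWNER from any other program.
CREATE OR REPLACE TRIGGER app_owner_ddl_guard
BEFORE DDL ON app_owner.SCHEMA
DECLARE
  v_program VARCHAR2(128);
BEGIN
  SELECT program INTO v_program
    FROM v$session
   WHERE sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));

  IF UPPER(NVL(v_program, '?')) NOT LIKE 'APPSERVER%' THEN
    RAISE_APPLICATION_ERROR(-20002,
      'DDL in APP_OWNER is allowed only from the application');
  END IF;
END;
/
```

The program name and OS user are reported by the client, so these checks are a guardrail and an audit point rather than authentication. Accounts holding ADMINISTER DATABASE TRIGGER are not locked out by an error raised in a logon trigger.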

                        
