I just read your other post. Since you're talking about an application that also does DDL, I would look at using schema level triggers - raise an application error if the program being used isn't the application. Honestly, though, if the purpose is troubleshooting the application, there shouldn't be any reason why you couldn't log them out immediately if they're not logging in via the application - and I'm a developer (most of the time)!

-Jackie

Jackie D. Brock
Database Specialist - Systems Evaluation
CableLabs(r)
858 Coal Creek Circle
Louisville, CO 80027
Email: j.brock@xxxxxxxxxxxxx
303-661-3347

________________________________
From: Blanchard, William [mailto:wblanchard@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 07, 2010 1:45 PM
To: Jackie Brock
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Privileges by session

Do you have an example of changing the role for a session?

WGB

________________________________
From: Jackie Brock [mailto:J.Brock@xxxxxxxxxxxxx]
Sent: Thursday, January 07, 2010 2:43 PM
To: Blanchard, William
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Privileges by session

You could assign a read-only role based on the session info. :-)

-Jackie

________________________________
From: Blanchard, William [mailto:wblanchard@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, January 07, 2010 1:42 PM
To: Jackie Brock
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: Privileges by session

I thought about just restricting to IP address and restricting logons via a trigger but I need to allow the developers read access for troubleshooting production issues.
WGB

________________________________
From: Jackie Brock [mailto:J.Brock@xxxxxxxxxxxxx]
Sent: Thursday, January 07, 2010 2:29 PM
To: Blanchard, William
Subject: RE: Privileges by session

I've set up login triggers to prevent logins based on the OS username before - it worked very well, but it does assume that they aren't using a central account. I'm not sure you want to allow someone to log in to an application from a central account, anyway? You could also restrict based on IP - any of the information that's stored in the session variables. Heck - you could even restrict it based on the program being used - I've done that as well. :-)

HTH!

-Jackie

________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Blanchard, William
Sent: Thursday, January 07, 2010 1:22 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Privileges by session

Greetings,

I have convinced management to allow me to grant read-only access to the developers. The problem is that they know the application passwords and have been using those passwords to circumvent my controls. Is there a way via a trigger, role, etc. to change individual sessions' privileges so they have read only (select) permissions? The easiest way would be to change the permissions on the applications but that's not an option.

Thank you,
WGB
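
The logon-trigger and schema-level DDL trigger checks discussed in this thread, as an added Oracle PL/SQL example that is not code from any of the posters. The SEC_ADMIN and APP_OWNER schemas, the program name 'appserver.exe' and the address 10.0.0.15 are assumed placeholders.

```sql
-- Added example, not from the thread. SEC_ADMIN, APP_OWNER, 'appserver.exe'
-- and 10.0.0.15 are constructed placeholders. Assumed grants for SEC_ADMIN:
--   GRANT SELECT ON sys.v_$session TO sec_admin;   -- direct grant, not via a role
--   GRANT ADMINISTER DATABASE TRIGGER, CREATE ANY TRIGGER TO sec_admin;

-- Returns TRUE only when the current session looks like the application.
CREATE OR REPLACE FUNCTION sec_admin.is_app_session RETURN BOOLEAN IS
  v_program sys.v_$session.program%TYPE;
BEGIN
  SELECT program INTO v_program
    FROM sys.v_$session
   WHERE sid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SID'));
  -- PROGRAM is reported by the client (renaming the executable changes it),
  -- so it is paired with the network address of the application server.
  IF LOWER(v_program) = 'appserver.exe'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.0.15' THEN
    RETURN TRUE;
  END IF;
  RETURN FALSE;  -- NULL program or NULL address (local connection) fails closed
END;
/

-- Logon trigger: the application account may connect only from the
-- application; developers keep their own accounts with a read-only role.
CREATE OR REPLACE TRIGGER sec_admin.app_logon_guard
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_OWNER'
     AND NOT sec_admin.is_app_session THEN
    RAISE_APPLICATION_ERROR(-20001,
      'APP_OWNER logons are allowed only from the application');
  END IF;
END;
/

-- Schema-level trigger: DDL in the application schema is refused unless the
-- session passes the same check.
CREATE OR REPLACE TRIGGER sec_admin.app_ddl_guard
BEFORE DDL ON app_owner.SCHEMA
BEGIN
  IF NOT sec_admin.is_app_session THEN
    RAISE_APPLICATION_ERROR(-20002,
      ora_sysevent || ' on ' || ora_dict_obj_name ||
      ' is allowed only from the application');
  END IF;
END;
/
```

An error raised in a logon trigger does not stop accounts that hold ADMINISTER DATABASE TRIGGER (including DBA accounts), so the guard only works if the application account has no such privilege.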