Couldn't agree more, but I've also inherited a similar situation; short-term solution was a logon trigger but not logon on database but logon on schema. Something like this worked for us : create or replace trigger sys.blablabla after logon on "ORAUSER1".schema declare os_user varchar2(30); begin select sys_context('USERENV','OS_USER') into os_user from dual; if upper(os_user) not in ('OSUSER1', 'OSUSER1') then raise_application_error(-20001, 'blablabla'); end if; end; mvg/regards Jo "Jared Still" <jkstill@xxxxxxxx m> To Sent by: Lijie.Tu@xxxxxxxxxxxxx oracle-l-bounce@f cc reelists.org "David Sharples" <davidsharples@xxxxxxxxx>, oracle-l@xxxxxxxxxxxxx 05-04-06 02:34 Subject Re: logon trigger cannot prevent DBA account from logging in data ba Please respond to se jkstill@xxxxxxxxx Create a new role for the user, similar to the DBA role if that is what it requires. Exclude the ADMINSTER DATABASE TRIGGER privilege from the role, revoke DBA from the user and grant the new role to the user. Any user with the ADMINSTER DATABASE TRIGGER either directly or indirectly through a role cannot be prevented from logging in through the use of a trigger. Jared Still Certifiable Oracle DBA and Part Time Perl Evangelist On 4/4/06, TU Lijie <Lijie.Tu@xxxxxxxxxxxxx> wrote: Well, in that case, Oracle should only prevent the logon trigger from killing sys/system session, while still allow the killing of other sessions. Anyway, logon trigger does not seem to get what I want, just wondering if there is a workaround to this. -----Original Message----- From: David Sharples [mailto:davidsharples@xxxxxxxxx] Sent: Tuesday, April 04, 2006 12:42 PM To: Lijie.Tu@xxxxxxxxxxxxx Cc: oracle-l@xxxxxxxxxxxxx Subject: Re: logon trigger cannot prevent DBA account from logging in databa se you cant stop dba accounts from logging into the database. The reason being is that if you wrote a login trigger that didnt work then no-one -- //www.freelists.org/webpage/oracle-l