OraFAQ Forum: Security » logon trigger cannot prevent DBA account from logging in database

Home » RDBMS Server » Security » logon trigger cannot prevent DBA account from logging in database

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

logon trigger cannot prevent DBA account from logging in database [message #165966]

Mon, 03 April 2006 14:31

Lijie_Tu
Messages: 6
Registered: April 2006

Junior Member

Hi all,
I want to prevent certain OS users from logging in database using certain DB accounts (say: ORAUSR1). The following code works only if ORAUSR1 is NOT a DBA account. Can anybody please help?

CREATE OR REPLACE TRIGGER logonauditing AFTER LOGON ON database
DECLARE
machinename VARCHAR2(64);
osuserid VARCHAR2(30);
v_sid NUMBER(10);
v_serial NUMBER(10);
v_killsession varchar2(500);
CURSOR c1 IS
SELECT sid, serial#, osuser, machine
FROM v$session WHERE audsid = userenv('sessionid');
BEGIN
OPEN c1;
FETCH c1 INTO v_sid, v_serial, osuserid, machinename;
if upper(user) in ('ORAUSER1','ORAUSER2') and osuserid not in ('OSUSER1','OSUSER2') then
v_killsession := 'alter system kill session ' ||''''|| v_sid ||','|| v_serial ||'''';
execute immediate v_killsession;
-- same if I try "raise_application_error( ....)"
END IF;
END;

Report message to a moderator

Re: logon trigger cannot prevent DBA account from logging in database [message #166044 is a reply to message #165966]

Tue, 04 April 2006 04:20

Maaher
Messages: 7065
Registered: December 2001

Senior Member

No, you cannot prevent DBA's from connecting to their database and I don't see the point of preventing that. Just revoke the DBA from the users you don't want to be a DBA.

MHE

Report message to a moderator

Re: logon trigger cannot prevent DBA account from logging in database [message #166106 is a reply to message #166044]

Tue, 04 April 2006 09:40

Lijie_Tu
Messages: 6
Registered: April 2006

Junior Member

I'm not talking about sys or system accounts. The database owner of our ERP system is granted a DBA role,its password is well known and hard-coded in many applications. Changing password is not advisable, so an alternative is to allow only certain OS users to use it.

Report message to a moderator

Re: logon trigger cannot prevent DBA account from logging in database [message #166116 is a reply to message #166106]

Tue, 04 April 2006 10:10

Maaher
Messages: 7065
Registered: December 2001

Senior Member

Let's continue in your other thread.

Topic Closed

MHE

Report message to a moderator

Previous Topic:	forget my sys password
Next Topic:	Trigger to prevent any user to login

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Wed Dec 11 19:52:14 CST 2024