
Re: What's the password for a role

From: Paul Drake <paled_at_home.com>
Date: Sat, 16 Jun 2001 06:49:12 GMT
Message-ID: <3B2B0158.A2E38131@home.com>

Terry Dykstra wrote:
>
> It's definitely reason 1 for me. If Oracle is so secure, how come I can
> view passwords used in database links?
>
> --
> Terry Dykstra
> Canadian Forest Oil Ltd.

Because - by default - a user should not be allowed access to the DBA views.
If you grant "SELECT ANY TABLE" - you have constructed an insecure access policy.

If you're still going to grant users "SELECT ANY TABLE" - how about creating a view for the DBA_DB_LINKS that does not have the password - and place a private synonym in each user's schema when the account is created. Of course, if they really know what they are doing - they can still access the view owned by sys directly - but that is not as likely.

Agreed that the DBA has to lock down the database as soon as it is created.
But - when the DBA (or others) create user accounts - they assume the responsibility for maintaining security - as they have granted the sys_privs and roles that allow users to connect to the database.

Build profiles - and permit users only to use certain executables to access the database.
Use logon triggers to determine what username, terminal, osuser, program is connecting.
Use fine-grained auditing to report on sensitive data being accessed (such as passwords on db_links).

Then get users locked out of the system - or fired.

See, security can be fun. You just can't be lazy about it.

If a firewall has no access control list, is it still a firewall?

Paul

> "Daniel A. Morgan" <Daniel.Morgan_at_attws.com> wrote in message
> news:3B2A55F5.AAAB34A9_at_attws.com...
> > Terry Dykstra wrote:
> >
> > > I need to determine the password for a role. What sys table has that info?
> > >
> > > --
> > > Terry Dykstra
> > > Canadian Forest Oil Ltd.
> >
> > None.
> >
> > Oracle, unlike some products, is secure.
> >
> > There are two possibilities here.
> > 1. You have reason to have it in which case you have authority to reset it. Do so.
> > 2. You do not have reason to have it ... you are out of luck
> >
> > Daniel A. Morgan
> >
Received on Sat Jun 16 2001 - 01:49:12 CDT
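
The logon-trigger approach mentioned in the message above, as an added example that is not part of the original post. The schema `sec_admin`, the table `logon_audit` and the trigger name are hypothetical; it assumes `sec_admin` holds a direct `SELECT` grant on `SYS.V_$SESSION` and the `ADMINISTER DATABASE TRIGGER` privilege.

```sql
-- Hypothetical audit table (schema and names are assumptions, not from the post).
CREATE TABLE sec_admin.logon_audit (
  logon_time  DATE          NOT NULL,
  db_user     VARCHAR2(30)  NOT NULL,
  os_user     VARCHAR2(255),
  terminal    VARCHAR2(255),
  host        VARCHAR2(255),
  program     VARCHAR2(128)
);

CREATE OR REPLACE TRIGGER sec_admin.trg_logon_audit
AFTER LOGON ON DATABASE
DECLARE
  v_program  VARCHAR2(128);
BEGIN
  -- The client program name is read from V$SESSION for the current session.
  BEGIN
    SELECT s.program
      INTO v_program
      FROM v$session s
     WHERE s.audsid = TO_NUMBER(SYS_CONTEXT('USERENV', 'SESSIONID'))
       AND ROWNUM = 1;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      v_program := NULL;
  END;

  -- Record who connected, from where, and with what executable.
  INSERT INTO sec_admin.logon_audit
    (logon_time, db_user, os_user, terminal, host, program)
  VALUES
    (SYSDATE,
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'TERMINAL'),
     SYS_CONTEXT('USERENV', 'HOST'),
     v_program);
EXCEPTION
  WHEN OTHERS THEN
    -- Fail open: an unhandled error in a logon trigger would reject the
    -- logon for every account without ADMINISTER DATABASE TRIGGER.
    NULL;
END;
/
```

The OS user, terminal and program values are reported by the client, so treat the rows as reporting and detection data rather than as an access control on their own.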
