Re: Client application connects as schema owner - opinions please

On Mon, 22 Apr 2002 21:20:47 +0100, "Paul Brewer" <paul_at_paul.brewers.org.uk> wrote:

>Oracle 8.1.7EE on hp11
>(not that I think it's relevant in this case, but it's a good habit to quote
>version).
>
>I'd appreciate your thoughts: We are a DBA team in in a large project,
>multi-team environment.
>
>We have been supplied with a bespoke application developed by a software
>house, which we are expecting to put into production in about 6 months from
>now.
>
>One of the client-side executables is a 'Sys Admin' module, which we am
>told, 'must' connect as the schema owner (username and password are, we're
>told, hard coded in the app - this is, we feel, sub-optimal, to say the
>least).
>
>Until now, our general practice (we run many Oracle databases) has been to
>create an 'app-owner' user, and a number of 'app-user' type roles. We do
>*not* disclose the app-owner passwords to anyone outside the DBA group,
>either for development or production dbs.
>

<snip>

PMFJI, but it looks like your security scheme touches on something I've been struggleing with. My question is -- how do your developers and/or their applications connect to the database if only the DBAs know the app-owner password?

From day one we have had a management directive to not allow the developers access to the production databases, but the method we came up with is more eye-wash than real security.

--
Ed Stevens
(Opinions expressed do not necessarily represent those of my employer.)