
Re: Adding some random characters to Oracle password

From: Turkbear <john.g_at_dot.spamfree.com>
Date: Wed, 27 Oct 2004 12:33:03 -0500
Message-ID: <9umvn0lci664v6v82k01nifhh816aigi85@4ax.com>


premmehrotra_at_hotmail.com (Prem K Mehrotra) wrote:

>I am working on Sarbanes-Oxley compliance for Oracle databases
>version 8.1.6.2 on HP UNIX 11. We have a third party application
>which requires a login for each user in the database. Application
>security is controlled through the application, so users can do only
>certain things from the application user interface.
>
>Application is a Web based Oracle Forms 6i application which runs on
>a Windows Server, it then connects to database on HP UNIX.
>
>However, the problem is that if users can connect to database directly
>using sqlplus, there is no security built in the database to control
>what a user can do, they can delete all the data if they want. Since,
>it is a third party application, I cannot change their code.
>
>
>1. Since the database connection is made from Windows Server to UNIX
>server and no end user has login on Windows Server or UNIX server, I
>was thinking of
>creating a logon trigger for every end user account and verifying that
>connection is made only from Forms server. This way, they cannot make
>direct connection from their PC. Does anyone see a problem with it?
>
>
>2. My auditors told me Oracle has some tool where some random
>characters are added to password, so user will not know these
>characters (so they cannot make direct connection?). I have not heard
>of anything like that until now. Does anyone have more information on
>it? Auditors said instead of creating logon triggers, I can
>probably use this tool.
>
>Thanks a lot.
>
>Prem

Have all security permissions established by roles and only assign a user to a role inside the application. That way, if connected directly, the user would have no permissions to do any damage or access any sensitive tables.

Also, you might want to look at using the disabling options in the Product User Profile Table:

http://download-west.oracle.com/docs/cd/B10501_01/server.920/a90842/ch10.htm#1005648

hth,

Received on Wed Oct 27 2004 - 12:33:03 CDT
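A sketch of the two suggestions in the reply above, added here as an example and not part of the original post: a password-protected, non-default role that only the application enables, plus Product User Profile rows for SQL*Plus. The names `app_owner.orders`, `app_data_role` and `end_user1` and the role password are hypothetical placeholders, and it assumes the application can issue `SET ROLE` after it connects.

```sql
-- Added example; all object, role and user names are hypothetical.

-- 1. Put the data privileges on a password-protected role, not on the user.
CREATE ROLE app_data_role IDENTIFIED BY "ROLE_PASSWORD_PLACEHOLDER";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_data_role;

-- 2. Grant the role, but keep it out of the user's default roles so a
--    plain login (for example from SQL*Plus) starts with it disabled.
GRANT app_data_role TO end_user1;
ALTER USER end_user1 DEFAULT ROLE NONE;

-- 3. The application enables the role after connecting, using a password
--    the end user never sees (assumption: the application can run this).
SET ROLE app_data_role IDENTIFIED BY "ROLE_PASSWORD_PLACEHOLDER";

-- 4. Product User Profile rows, inserted as SYSTEM. They are enforced by
--    SQL*Plus itself, not by the database, so they do not restrict other
--    client tools.
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'END_USER1', 'DELETE', 'DISABLED');

-- Stop the user from enabling the role by hand inside SQL*Plus.
INSERT INTO system.product_user_profile (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'END_USER1', 'ROLES', 'APP_DATA_ROLE');
COMMIT;

-- Checks: the role should be granted but not default, and a direct
-- session should list no enabled roles until SET ROLE succeeds.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'END_USER1';

SELECT role FROM session_roles;  -- run as END_USER1 from a direct login
```

Direct object grants and any privileges granted to PUBLIC bypass this arrangement, so review `DBA_TAB_PRIVS` and `DBA_SYS_PRIVS` for the same grantee as well.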
