Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Thu, 28 Oct 2004 06:31:27 +1000
Message-Id: <4180058e$0$32547$afc38c87@news.optusnet.com.au>


Alan wrote:

>> > Have all security permissions established by roles and only assign a
>> > user to a role inside the application.
>>
>> Just out of interest, and ignoring for the moment that it is roles that
>> are granted to a user and not the other way around: how do you propose
>> this should work? You mean the application grants roles on log on? And
>> then presumably it revokes roles on log-off? And if the user crashes out
>> and doesn't log off cleanly??
>>
>> Of course, you have to do the revoking bit, because otherwise your user
>> would continue to possess the security rights associated with the role,
>> and could therefore exercise them by hacking into the back-end directly.
>>
>> And how would the application know what role to grant to which user? Are
>> you proposing to duplicate the database's entire set of user-role grants
>> at the application level?
>>
>> HJR

>
> We handle this by having the app log on using a "secret" ID and password
> known only to the app. We have a user table that contains their
> application IDs and passwords (and application roles) that is in the
> schema of the "secret" ID. Only those who know the "secret" ID and
> password (developers and DBAs) can actually look at it. The app prompts
> the user for their application-based ID and password. The app can then
> authenticate them and determine what they can do based on their app "role".
> No, it's not very scalable, but this is a fairly well-defined and bounded
> app.

Scalability is just one concern. What happens if the secret ID and password ever get discovered?

> And, yes, this allows the _developers_ to "administer" data security,
> but in this particular situation, that's the way we want it.

Whatever suits you, I guess. But it doesn't sound to me like that would suit the original poster.

Regards
HJR

Received on Wed Oct 27 2004 - 15:31:27 CDT
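An added example, not part of this thread or of either poster's setup, showing how Oracle's own password-protected roles answer the "grant on log on, revoke on log off" question without a shared application account or an application-owned password table. The role name app_clerk, the table app.orders, the database user alan and the role password are all assumed for illustration.

```sql
-- Added example (not from the thread). Oracle password-protected role:
-- privileges live on a role, the role is granted to the real database user
-- but is not a default role, and the application enables it per session.
-- Names (app_clerk, app.orders, alan, clerk_pw1) are assumptions.

-- DBA one-time setup.
CREATE ROLE app_clerk IDENTIFIED BY clerk_pw1;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_clerk;
GRANT app_clerk TO alan;

-- Not enabled at logon: a direct SQL*Plus connection as alan gets nothing
-- from app_clerk unless it can also supply the role password.
ALTER USER alan DEFAULT ROLE ALL EXCEPT app_clerk;

-- Application side, in a session connected AS alan (not as a shared
-- schema owner). The role is enabled for this session only, so nothing
-- has to be revoked on log-off: a crash ends the session and the role
-- with it.
SET ROLE app_clerk IDENTIFIED BY clerk_pw1;

-- Confirm what the current session actually has enabled.
SELECT role FROM session_roles;
```

With this layout the user-to-role mapping stays in the data dictionary (GRANT app_clerk TO alan), so the application does not duplicate it, and the only secret the application holds is the role password. That secret still matters: if it leaks, it is usable only by an account that already holds the role grant, rather than unlocking an entire schema plus a table of everybody's application credentials. Where even the role password in the application is unacceptable, Oracle's secure application roles (CREATE ROLE ... IDENTIFIED USING a PL/SQL package) let the package decide whether to enable the role based on session context instead of a stored password.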
