Authenticating Oracle User based on Windows User Id [message #498888]
Fri, 11 March 2011 14:19
infinitenumbers
Messages: 33 Registered: November 2010
Member
Hi Guys,
We are trying to implement the following security in our database.
As of now, the access rights are the same for all the Windows users logging into the Oracle application with the same Oracle user Id.
But now, we want to improve our security by granting different levels of rights to the users based on their Network Id even though they use the same Oracle User Id to log into the application.
We are not looking for the users to be identified externally:
CREATE USER "OPS$ORACLE-BASE.COM\TIM_HALL" IDENTIFIED EXTERNALLY;
GRANT CONNECT TO "OPS$ORACLE-BASE.COM\TIM_HALL";
Please suggest what should be followed to implement this kind of security.
Thank you very much for your time.
[Updated on: Fri, 11 March 2011 14:24]
Re: Authenticating Oracle User based on Windows User Id [message #498894 is a reply to message #498888]
Fri, 11 March 2011 15:00
Michel Cadot
Messages: 68729 Registered: March 2007 Location: Saint-Maur, France, https...
Senior Member Account Moderator
1/ NEVER ever use remote OS identification; otherwise anyone can connect to your database.
2/ If you want to have different privileges depending on parameters (IP, time or any other), then use Secure Application Roles; these are roles that can only be activated by calling a package (associated with the roles). So once the user is connected (you just give him the CREATE SESSION privilege), he calls a procedure and this procedure activates the role(s) depending on the user and associated parameters.
3/ Never use Oracle predefined roles (like CONNECT); they are for Oracle ONLY.
Regards
Michel
[Updated on: Fri, 11 March 2011 15:00]
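The Secure Application Role pattern from the reply above, written out as an added example (this is not code from any poster in the thread or from Oracle's documentation). All names are assumed: a shared account APP_USER that holds only CREATE SESSION, a role APP_REPORT_ROLE that can be enabled only from the package SECADM.APP_SEC, and a mapping table SECADM.APP_ROLE_MAP that records which client addresses may receive the role. The check is keyed on the client IP address rather than the client-reported OS user name, because OS_USER is supplied by the client and cannot be trusted on its own, which is the point made in item 1/ of the reply.

```sql
-- Assumed objects (not from the thread): schema SECADM owns the role-check
-- package and mapping table; APP_USER is the shared application account.

-- 1. The shared account gets CREATE SESSION only; no roles, no object grants.
CREATE USER app_user IDENTIFIED BY "PLACEHOLDER_PASSWORD";
GRANT CREATE SESSION TO app_user;

-- 2. A secure application role: it can be enabled only from inside SECADM.APP_SEC.
--    No GRANT of the role to APP_USER is needed; SET ROLE from outside the package fails.
CREATE ROLE app_report_role IDENTIFIED USING secadm.app_sec;
GRANT SELECT ON secadm.sales_report TO app_report_role;   -- the privileges the role carries (assumed table)

-- 3. Server-side mapping of client addresses to roles: the fact we actually trust.
CREATE TABLE secadm.app_role_map (
  ip_address  VARCHAR2(45) NOT NULL,
  role_name   VARCHAR2(30) NOT NULL
);
INSERT INTO secadm.app_role_map VALUES ('10.1.2.3', 'APP_REPORT_ROLE');   -- constructed sample row
COMMIT;

-- 4. Definer's-rights helper: does the lookup with SECADM's privileges, so APP_USER
--    never needs SELECT on the mapping table and cannot read or alter it.
CREATE OR REPLACE PACKAGE secadm.app_sec_util AS
  FUNCTION allowed(p_ip IN VARCHAR2, p_role IN VARCHAR2) RETURN BOOLEAN;
END app_sec_util;
/
CREATE OR REPLACE PACKAGE BODY secadm.app_sec_util AS
  FUNCTION allowed(p_ip IN VARCHAR2, p_role IN VARCHAR2) RETURN BOOLEAN IS
    l_cnt PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO l_cnt
      FROM secadm.app_role_map
     WHERE ip_address = p_ip AND role_name = p_role;
    RETURN l_cnt > 0;
  END allowed;
END app_sec_util;
/

-- 5. The role-enabling package must be invoker's rights (AUTHID CURRENT_USER) so that
--    DBMS_SESSION.SET_ROLE acts on the calling session rather than on SECADM.
CREATE OR REPLACE PACKAGE secadm.app_sec AUTHID CURRENT_USER AS
  PROCEDURE set_roles;
END app_sec;
/
CREATE OR REPLACE PACKAGE BODY secadm.app_sec AS
  PROCEDURE set_roles IS
    l_ip VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Only the shared application account may pick up this role.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') <> 'APP_USER' THEN
      DBMS_SESSION.SET_ROLE('NONE');
      RETURN;
    END IF;

    IF secadm.app_sec_util.allowed(l_ip, 'APP_REPORT_ROLE') THEN
      DBMS_SESSION.SET_ROLE('APP_REPORT_ROLE');
    ELSE
      DBMS_SESSION.SET_ROLE('NONE');   -- explicit: this session gets no elevated rights
    END IF;
  END set_roles;
END app_sec;
/
GRANT EXECUTE ON secadm.app_sec      TO app_user;
GRANT EXECUTE ON secadm.app_sec_util TO app_user;

-- 6. From the application session, connected as APP_USER:
--    EXEC secadm.app_sec.set_roles;
--    SELECT role FROM session_roles;   -- lists APP_REPORT_ROLE only when the check passed
```

To extend the check to time of day, program name or any other SYS_CONTEXT('USERENV', ...) attribute, add the condition inside app_sec_util.allowed and keep the mapping table under the security schema; the application account still sees nothing but the procedure it is allowed to execute.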
Re: Authenticating Oracle User based on Windows User Id [message #498969 is a reply to message #498888]
Sat, 12 March 2011 05:43
Michael Hartley
Messages: 110 Registered: December 2004 Location: West Yorkshire, United Ki...
Senior Member
Hi
I'm going to answer your question with a warning.
The use of OPS$ accounts is strongly inadvisable because you are weakening the security of your system. Additionally, the use of shared database accounts is inadvisable.
The use of OPS$ accounts was an administrative convenience widely in practice up to about 10 years ago and was often used to prevent the need to publish unencrypted passwords for batch processing tasks. The use of shared database accounts is often due to a lack of schema design and poor attention to user security.
These days, OPS$ accounts are the first and most basic mechanism for attaching to a database and are always removed during the initial stages of security hardening.
Please read the Oracle security hardening document referenced here.
However, if you really do intend to continue with your strategy, then to get Windows OS authentication you should read the Tim Hall article in more detail, because the answer to your original question is one paragraph below the example you provided above. If you have lost the article reference, it is here.
The part of the article you are looking for discusses SQLNET.AUTHENTICATION_SERVICES in a Windows environment.
Kind regards
Michael Hartley
[Updated on: Sat, 12 March 2011 09:50] by Moderator