Re: logon trigger cannot prevent DBA account from logging in database
Couldn't agree more, but I've also inherited a similar situation; the short-term solution was a logon trigger, but not a logon-on-database trigger: a logon-on-schema one.
Something like this worked for us:

create or replace trigger sys.blablabla
after logon on "ORAUSER1".schema
declare
    os_user varchar2(30);
begin
    -- OS_USER is the operating-system account name the connecting client reports
    select sys_context('USERENV','OS_USER') into os_user from dual;
    -- only the listed OS accounts may open a session in this schema; anyone else is refused
    if upper(os_user) not in ('OSUSER1', 'OSUSER1') then
        raise_application_error(-20001, 'blablabla');
    end if;
end;
/
mvg/regards
Jo
From: "Jared Still" <jkstill_at_gmail.com>
Sent by: oracle-l-bounce_at_freelists.org
To: Lijie.Tu_at_comaupico.com
Cc: "David Sharples" <davidsharples_at_gmail.com>, oracle-l_at_freelists.org
Date: 05-04-06 02:34
Subject: Re: logon trigger cannot prevent DBA account from logging in database
Please respond to jkstill_at_gmail.com
Create a new role for the user, similar to the DBA role if that is what it requires.
Exclude the ADMINISTER DATABASE TRIGGER privilege from the role, revoke DBA from the user and grant the new role to the user.
Any user holding ADMINISTER DATABASE TRIGGER, either directly or indirectly through a role, cannot be prevented from logging in through the use of a trigger.
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist
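The role swap described above, written out as an added example (not code from the thread). It assumes a role name APP_DBA_ROLE and the user ORAUSER1 from Jo's trigger, and must be run as a user that can grant everything DBA holds, e.g. SYS.

```sql
-- Added example: a DBA-like role that lacks ADMINISTER DATABASE TRIGGER.
-- Role name APP_DBA_ROLE and user ORAUSER1 are assumptions; run as SYS.
CREATE ROLE app_dba_role;

BEGIN
  -- Copy every system privilege of DBA except the one that lets a
  -- session connect even when the logon trigger raises an error.
  FOR p IN (SELECT privilege
              FROM dba_sys_privs
             WHERE grantee = 'DBA'
               AND privilege <> 'ADMINISTER DATABASE TRIGGER') LOOP
    EXECUTE IMMEDIATE 'GRANT ' || p.privilege || ' TO app_dba_role';
  END LOOP;
  -- Copy the roles nested under DBA as well (e.g. SELECT_CATALOG_ROLE).
  FOR r IN (SELECT granted_role FROM dba_role_privs WHERE grantee = 'DBA') LOOP
    EXECUTE IMMEDIATE 'GRANT ' || r.granted_role || ' TO app_dba_role';
  END LOOP;
END;
/

-- Move the user from DBA to the trimmed role.
REVOKE dba FROM orauser1;
GRANT app_dba_role TO orauser1;

-- Check: walk the user's direct grant and every nested role;
-- the query must return no rows, or the trigger can still be bypassed.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'ADMINISTER DATABASE TRIGGER'
   AND grantee IN (SELECT 'ORAUSER1' FROM dual
                   UNION
                   SELECT granted_role
                     FROM dba_role_privs
                    START WITH grantee = 'ORAUSER1'
                  CONNECT BY PRIOR granted_role = grantee);
```

DBA also carries GRANT ANY PRIVILEGE, GRANT ANY ROLE and ALTER ANY TRIGGER, so a holder of the copied role could re-grant the removed privilege or disable the trigger; the trimmed role narrows the path and should be paired with auditing of those grants rather than treated as a hard boundary.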
On 4/4/06, TU Lijie <Lijie.Tu_at_comaupico.com> wrote:
Well, in that case, Oracle should only prevent the logon trigger from killing the sys/system session, while still allowing the killing of other sessions. Anyway, the logon trigger does not seem to get what I want; just wondering if there is a workaround to this.

-----Original Message-----
From: David Sharples [mailto:davidsharples_at_gmail.com]
Sent: Tuesday, April 04, 2006 12:42 PM
To: Lijie.Tu_at_comaupico.com
Cc: oracle-l_at_freelists.org
Subject: Re: logon trigger cannot prevent DBA account from logging in database

You can't stop DBA accounts from logging into the database. The reason being is that if you wrote a login trigger that didn't work then no-one
--
http://www.freelists.org/webpage/oracle-l

Received on Wed Apr 05 2006 - 03:37:09 CDT