Password Management and Database Security

From: Shailesh <shailesh.saraff_at_gmail.com>
Date: 11 Dec 2006 04:55:06 -0800
Message-ID: <1165841706.212992.67370@79g2000cws.googlegroups.com>

Hello,

One of our customers follows single user environment. All schema objects are owned by this user with DBA privilege. Application internally connects to database using the same user & password, but for login different application users are available. In short when login dialog is launched by an application, internally application already connects to the database and identifies entered application user and password in one table to allow user to enter. Although we can see several hundred sessions to the database all are using same database user.

Recently they have faced few issues and would like to enhance current user password management strategy.

Issues:

---

Since same database user is used for an application and also for connecting via tools like SQL*PLUS, TOAD etc. So if end user (other than administrator) knows database password he can play with schema objects.

Administrator of One customer goes to another customer who are also using same product and was able to log on to database. Customer complained with the risk associated. All customers' deployments have same database user and password

What are advantages/limitations of such environment? What could be the best strategy can be used in such cases?

Some ideas:

---

Database Schema owner needs to be one user with DBA privilege for Customer Administrator, Separate User for an Application with only SELECT privilege and user with DBA privilege for connecting using Tools.

Please help with your valuable inputs.

Thanks & Rgards,

Shailesh Received on Mon Dec 11 2006 - 06:55:06 CST