
Re: Password Management and Database Security

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: 11 Dec 2006 05:23:44 -0800
Message-ID: <1165843424.193553.173760@79g2000cws.googlegroups.com>

Shailesh wrote:
> Hello,
>
> One of our customers follows a single-user environment. All schema
> objects are owned by this user with DBA privilege. The application
> internally connects to the database using the same user & password, but for
> login different application users are available. In short, when the login
> dialog is launched by the application, internally the application already
> connects to the database and identifies the entered application user and
> password in one table to allow the user to enter. Although we can see
> several hundred sessions to the database, all are using the same database
> user.
>
> Recently they have faced a few issues and would like to enhance the current
> user password management strategy.
>
> Issues:
> ------------
> The same database user is used for the application and also for
> connecting via tools like SQL*PLUS, TOAD etc. So if an end user (other
> than the administrator) knows the database password he can play with schema
> objects.
>
> An administrator of one customer went to another customer who is also
> using the same product and was able to log on to the database. The customer
> complained about the associated risk. All customers' deployments have the
> same database user and password.
>
> What are the advantages/limitations of such an environment?
> What would be the best strategy to use in such cases?
>
> Some ideas:
> -------------------
> Database Schema owner needs to be one user with DBA privilege for
> Customer Administrator, Separate User for an Application with only
> SELECT privilege and user with DBA privilege for connecting using
> Tools.
>
> Please help with your valuable inputs.

Why do any of the users you note above need DBA role? That kind of setup is just asking for trouble.

Grant ONLY the privileges that each set of users needs. Use roles to control and encapsulate the permissions that are granted.

I would recommend you start by reading the Oracle documentation available at http://tahiti.oracle.com ... the concepts manual is a good starting point.

For specific questions about roles and what is needed you might want to look at questions already submitted and answered at Tom Kyte's site http://asktom.oracle.com

Received on Mon Dec 11 2006 - 07:23:44 CST
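
The role-based, least-privilege layout recommended in the reply could look like the following for the deployment described in the question. This is an added example, not part of the original post; the account names (app_owner, app_conn, app_support), role names (app_rw, app_ro), table names (orders, app_users), the tablespace name and the password placeholders are all assumptions.

```sql
-- Added example. All names are hypothetical; run as a DBA account.

-- 1. The existing schema owner keeps its objects but loses the DBA role.
--    Give it an explicit quota, because revoking DBA also removes
--    UNLIMITED TABLESPACE.
REVOKE DBA FROM app_owner;
ALTER USER app_owner QUOTA UNLIMITED ON users;
-- Per-customer password: no two deployments share credentials.
ALTER USER app_owner IDENTIFIED BY "<owner-password-unique-per-customer>";
-- Nobody connects as the owner outside of upgrades.
ALTER USER app_owner ACCOUNT LOCK;

-- 2. Roles encapsulate what each kind of user may do.
CREATE ROLE app_rw;   -- what the application itself needs
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_rw;
GRANT SELECT ON app_owner.app_users TO app_rw;   -- login lookup only

CREATE ROLE app_ro;   -- what support staff using SQL*Plus or TOAD need
GRANT SELECT ON app_owner.orders TO app_ro;

-- 3. Connection account used by the application: owns nothing, cannot
--    create or drop objects, and only holds the application role.
CREATE USER app_conn IDENTIFIED BY "<app-password-unique-per-customer>";
GRANT CREATE SESSION TO app_conn;
GRANT app_rw TO app_conn;

-- 4. Separate account for ad-hoc tool access, read-only.
CREATE USER app_support IDENTIFIED BY "<support-password-unique-per-customer>";
GRANT CREATE SESSION TO app_support;
GRANT app_ro TO app_support;

-- 5. Checks: who still has DBA, and what each role can actually touch.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('APP_RW', 'APP_RO')
 ORDER BY grantee, table_name, privilege;
```

Because app_conn does not own the tables, the application must reference them as app_owner.orders or through synonyms created for app_conn.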
