|
||
Title: Who is the Real user (CLIENT_IDENTIFIER) Post by Pete Finnigan on Nov 23rd, 2005, 12:14am One of the problems with any database based security is knowing who the real, human user is. When people use applications with connection pooling the Oralce USER is generally the same for all of the human users. CLIENT_IDENTIFIER has been added recently (10g rel 1?) to provide a way for the application to let the database know who the human user is. This can be used for auditing and View/VPD based security (but not roles). My question is: In practice, do the major applications use CLIENT_IDENTIFIER or any similar mechanism to let the server know who the human user is? Thanks, Anthony |
||
Title: Re: Who is the Real user (CLIENT_IDENTIFIER) Post by Pete Finnigan on Nov 24th, 2005, 7:26pm Hi Anthony, You should have a look at contexts and also DBMS_APPLICATION_INFO as these can be used to uniquely identify users in an environment where database accounts are shared via some third party solution or connection pooling or proxy accounts using Oracle API's or software. My paper on Row Level Security for security focus talks about contexts. See my [url http://www.petefinnigan.com/orasec.htm]Oracle security white papers page[/url] for details. In answer to your question, undoubtedly some of the major software does use these methods to identify users uniquely. cheers Pete |
||
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |