Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Aug 7th, 2006, 2:55pm)

Title: Users to create?
Post by Pete Finnigan on Aug 7th, 2006, 2:55pm
Hello everyone,

We are in the process of creating an Oracle back end environment with a VB.NET front end.  There has been some discussion related to the creation of roles and users.  Some people in our organization are thinking that the best way to go would be that every user, even those who should only use the database through the application, should be created as a user within the database.  These users would each have a role or combination of roles applied, based on what they can do.

The other approach being discussed is to have a generic "application role" that is the only entry point for those users using the app only.  This role would be granted access to the views and stored procs that are necessary for the app to perform its work, but that is it.  App user's security would then be managed by a table system of users/roles/privileges.  The benefit, as we see it, is that the application could more readily respond to the user's abilities, and not even allow the user to see screens they don't have access to.

I am hoping to generate a discussion regarding the differences here.  Any opinions?  Any links to information supporting one approach or the other?

Any help would be greatly appreciated.

Thank you,
Mike.

Title: Re: Users to create?
Post by Pete Finnigan on Aug 8th, 2006, 2:29am
"App user's security would then be managed by a table system of users/roles/privileges"
Sounds like an unnecessary duplication of the Oracle tables. If you have an Oracle user for each 'warm body' then you start off with the full power of Oracle's security and auditing facilities. Without any of your own coding, you can switch on auditing to ultimately say "We can track this change down to Fred Smith's login at 3:30pm from this IP address."

There's no reason the application security cannot leverage off the Oracle tables, and see if the current user has a certain role before allowing them access to particular screens or functions.
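
The per-person approach discussed in this thread, sketched as an added example that is not part of either post: one Oracle account per person, privileges carried by roles, object auditing switched on, and the application reading the session's enabled roles to decide which screens to show. It assumes a DBA session, the AUDIT_TRAIL parameter set to DB, and a USERS tablespace; every schema, table, role and user name and both passwords are constructed placeholders.

```sql
-- Assumptions: run by a DBA; AUDIT_TRAIL=DB so records land in DBA_AUDIT_TRAIL;
-- a USERS tablespace exists. APP_OWNER, ORDERS, ORDER_CLERK, ORDER_MANAGER and
-- FSMITH are constructed names; the passwords are placeholders.

-- Schema that owns the application objects, locked so nobody logs in as the owner.
CREATE USER app_owner IDENTIFIED BY "Placeholder_Change_Me_1" ACCOUNT LOCK
  QUOTA 10M ON users;

CREATE TABLE app_owner.orders (
  order_id NUMBER       PRIMARY KEY,
  status   VARCHAR2(20) NOT NULL
);

-- Roles carry the privileges; people never receive object grants directly.
CREATE ROLE order_clerk;
CREATE ROLE order_manager;
GRANT SELECT, INSERT                 ON app_owner.orders TO order_clerk;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO order_manager;

-- One database account per person, able to connect and nothing more
-- beyond what the granted roles allow.
CREATE USER fsmith IDENTIFIED BY "Placeholder_Change_Me_2" PASSWORD EXPIRE;
GRANT CREATE SESSION TO fsmith;
GRANT order_clerk    TO fsmith;

-- Record every change to the table, one audit row per statement executed.
AUDIT INSERT, UPDATE, DELETE ON app_owner.orders BY ACCESS;

-- Run by the application on the end user's own connection: the rows returned
-- are the roles enabled for this session, which drive the screens offered.
SELECT role
FROM   session_roles
WHERE  role IN ('ORDER_CLERK', 'ORDER_MANAGER');

-- Run by a reviewer: which named account changed the table, when, from where.
SELECT username, userhost, terminal, timestamp, action_name
FROM   dba_audit_trail
WHERE  owner = 'APP_OWNER'
AND    obj_name = 'ORDERS'
ORDER  BY timestamp;
```

The SESSION_ROLES query belongs in SQL issued directly on the user's connection; inside a definer's-rights stored procedure roles are disabled, so the same query there would return no rows.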


