Title: RE: Ids and passwords for application users
Trying to understand how Oracle 9i proxy authentication works.

Is anyone using it?
-----Original Message-----
From: Jacques Kilchoer [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 29, 2002 4:28 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Ids and passwords for application users

I always preferred the option of having a userid for each person, because it makes it easier to match session to user. When you see userid "dwilliams" locking a table you know who to call, but if you see userid "app_user" you have to do some extra work to track the person down. From a developer point of view, it's easier to determine the name of the logged in user (use built-in "user" function) than it would be to find out the machine name / application name (select * from v$session).

If you have only one username with a password hard-coded in the application, how do you plan on hiding the password from the user, or changing the password if it becomes compromised?

> -----Original Message-----
> From: DENNIS WILLIAMS [mailto:[EMAIL PROTECTED]]
>
> Peter - Go with option #1 unless you relish a career as an Oracle security
> officer. With option #1 the developers can create some administrator
> screens. Unless security is really, really critical.
>
> -----Original Message-----
>
> I am in the process of designing a small database which may have
> as many as 250 to 300 users.  We are reaching a stage where we need
> to decide how we will control access to this database.  As I see it
> we have two options:
>
> 1.  Provide a single hidden login for the entire application and control
> access to the application itself either by "roll your own" security or
> using the operating system (UNIX) controls.
>
> 2.  Create ids for the users in Oracle and grant them access
> to the necessary tables using roles.
>
> Any opinions or alternate suggestions?
>
> Peter Schauss
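
Added example, not part of the original thread: a sketch of option 2 (one Oracle account per person, access granted through a role) together with the kind of lock-holder query that makes the "match session to user" point concrete. The schema, table, role, tablespace and password values are hypothetical placeholders.

```sql
-- Option 2: per-person accounts, privileges granted through a role.
-- app_owner.orders, app_rw and the tablespace name are hypothetical.
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_rw;

CREATE USER dwilliams IDENTIFIED BY "Placeholder_ChangeMe1"
  DEFAULT TABLESPACE users
  PASSWORD EXPIRE;              -- user must set a new password at first login
GRANT CREATE SESSION TO dwilliams;
GRANT app_rw TO dwilliams;      -- access is revoked by dropping the grant or the user

-- Inside the application, the logged-in person is the built-in USER value.
SELECT USER FROM dual;

-- DBA view: which session holds a lock on which object.
-- With per-person accounts, s.username names the person directly.
-- With a single shared login, s.username is the same for every row and
-- only osuser / machine / program remain to track the person down.
SELECT s.username,
       s.osuser,
       s.machine,
       s.program,
       o.owner,
       o.object_name,
       l.locked_mode
FROM   v$locked_object l
JOIN   v$session   s ON s.sid       = l.session_id
JOIN   dba_objects o ON o.object_id = l.object_id
ORDER  BY s.username, o.object_name;
```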
