4 Replies. Latest reply: Dec 10, 2012 9:35 AM by handlehandle

    Identification of access method

    handlehandle
      We have a third-party package built on top of Oracle RDBMS.

      The security in the package more or less assumes that people are coming
      in via the application server with its forms and accoutrements.

      We would like to know of good methods for determining what
      alternative access method a user might be using (SQL Plus, ODBC, JDBC)
      and how to limit users to only the application front end.

      User profile was looked at long ago, maybe it has improved? It got
      us part way but really didn't fill the holes.
        • 1. Re: Identification of access method
          sb92075
          es3960 wrote:
          We have a third-party package built on top of Oracle RDBMS.

          The security in the package more or less assumes that people are coming
          in via the application server with its forms and accoutrements.

          We would like to know of good methods for determining what
          alternative access method a user might be using (SQL Plus, ODBC, JDBC)
          and how to limit users to only the application front end.

          User profile was looked at long ago, maybe it has improved? It got
          us part way but really didn't fill the holes.

          Oracle does not know or care about the "flavor" (OCI, JDBC, ODBC, etc.) of the remote client
          and has no way to determine it, but V$SESSION.PROGRAM might be a partial solution.
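
Added example, not part of the original thread or of sb92075's reply: one way to record what V$SESSION.PROGRAM reports at logon, so that connections from unexpected clients can be reviewed. The SECADMIN schema, the APP_LOGON_AUDIT table and the trigger name are hypothetical, and the USERENV 'SID' attribute is assumed to be available on the release in use. PROGRAM, MACHINE, OSUSER and MODULE are reported by the client, so this is monitoring evidence and not an access control.

```sql
-- Hypothetical audit table; schema and object names are assumptions.
CREATE TABLE secadmin.app_logon_audit (
  logon_time DATE DEFAULT SYSDATE,
  db_user    VARCHAR2(128),
  os_user    VARCHAR2(128),
  machine    VARCHAR2(128),
  program    VARCHAR2(128),
  module     VARCHAR2(128)
);

-- Record what each new session says about its client.
-- The trigger owner needs a direct SELECT grant on SYS.V_$SESSION
-- (a grant through a role is not visible inside a definer-rights trigger).
CREATE OR REPLACE TRIGGER secadmin.trg_logon_audit
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO secadmin.app_logon_audit
         (db_user, os_user, machine, program, module)
  SELECT s.username, s.osuser, s.machine, s.program, s.module
    FROM v$session s
   WHERE s.sid    = SYS_CONTEXT('USERENV', 'SID')
     AND s.audsid = SYS_CONTEXT('USERENV', 'SESSIONID');
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- an auditing failure must not block logons
END;
/

-- Review: which client programs has each account connected with?
-- Rows whose PROGRAM is not the application server's are the ones to follow up.
SELECT db_user,
       program,
       machine,
       COUNT(*)        AS logons,
       MAX(logon_time) AS last_seen
  FROM secadmin.app_logon_audit
 GROUP BY db_user, program, machine
 ORDER BY db_user, logons DESC;
```

A client that reports a different program name (for example, a renamed executable) appears under that name, which is why this is only the partial solution the reply describes.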
          • 2. Re: Identification of access method
            Hoek
            User profile was looked at long ago, maybe it has improved?

            Consult/search the docs @ http://www.oracle.com/pls/db112/homepage and find out yourself.

            Furthermore you might want to check the Database Security Forum @ https://forums.oracle.com/forums/category.jspa?categoryID=510

            Be clear about 'the holes' and also make a habit out of posting your database version.
            • 3. Re: Identification of access method
              handlehandle
              So, you are saying there may be a solution depending on my database version?

              I am using 10 and moving into 11.
              • 4. Re: Identification of access method
                6363
                es3960 wrote:
                We have a third-party package built on top of Oracle RDBMS.

                The security in the package more or less assumes that people are coming
                in via the application server with its forms and accoutrements.

                This means there is no security implemented in the application.

                We would like to know of good methods for determining what
                alternative access method a user might be using (SQL Plus, ODBC, JDBC)
                and how to limit users to only the application front end.

                There aren't any good methods for this.

                User profile was looked at long ago, maybe it has improved? It got
                us part way but really didn't fill the holes.

                Unfortunately all the holes are in the application so you won't be able to fill them in the database.

                The vendor should fix the application or you should look for an application that is secure if security is a requirement.