#1 (permalink) September 19th, 2008, 21:02
Joe Patton (Junior Member)
DB Security Question

Hello All,

I was asked to create an Oracle account with nothing but SELECT access to GLOGOWNER.GL_LOGIN_HISTORY. I created the account with the requested access but found that I would receive zero rows when querying the table with that account. I did some research & it is looking like OTM uses VPD. I'm not familiar with this level of security. I was just wondering if anyone had a quick answer on how to allow the account that I created to read all the rows in glogowner.gl_login_history. In the meantime, I will read up on the VPD/fine grain access control stuff.

Thanks,

Joe Patton
#2 (permalink) September 20th, 2008, 07:28
chrisplough (Site Moderator)
Re: DB Security Question

Joe,

For a quick and dirty, all-access-allowed approach, type the following after logging in as that user via SQL:

Code:
exec vpd.set_user('DBA.ADMIN')
(see http://www.otmfaq.com/forums/f21/ins...rformance-513/ ([INSTRUCTIONS] Testing VPD Query Performance) for more details.)

You should now have access to all data in all tables. Ensure that you're getting results back. From there, you'll have to dig further into VPD in order to refine the access and trim back the access to just the GLOGOWNER.GL_LOGIN_HISTORY data.

See the following URL for a brief overview and sample info on VPD:
VPD

--Chris
__________________
Chris Plough
MavenWire

www.MavenWire.com
#3 (permalink) September 26th, 2008, 20:51
Joe Patton (Junior Member)
Re: DB Security Question

Thanks for the reply, Chris. The following command works if I open up a SQL*Plus session:

exec vpd.set_user('DBA.ADMIN')

The account seems to lose the profile setting when the session is closed. Is there a way to permanently assign the user that I created to the 'DBA.ADMIN' profile? Thank you for the link to the tutorial. I will be trying to educate myself on VPD next week if I have the time.

Joe Patton
#4 (permalink) September 29th, 2008, 12:39
acuartero (Member)
Re: DB Security Question

Joe,

OTM sets the VPD profile for non-application users via the use of database logon triggers. Using a logon trigger will eliminate the need to set the profile manually each time the user logs on to the database. For an example on how to do this you can take a look at the script create_logon_triggers.sql under your OTM home /glog/oracle/script8 directory.

Thanks,
Alan
#5 (permalink) September 29th, 2008, 20:42
Joe Patton (Junior Member)
Re: DB Security Question

Thanks for the answers, Alan and Chris. I took a look at the trigger code example in the file that you specified and was able to get the proper access for the user in question. This account can only select from glogowner.gl_login_history. The user in question has execute privileges on the GLOGOWNER.VPD package so that the SET_USER procedure can be executed within the logon trigger. Are there any security concerns regarding execute priv's against the VPD package?
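
An added example, not part of the thread and not the contents of OTM's create_logon_triggers.sql: a schema-level logon trigger of the kind described in post #4, followed by data-dictionary queries a DBA can run to review what the account from post #5 can reach. The account name LOGIN_AUDIT_RO and the trigger name SET_VPD_PROFILE are hypothetical; it assumes the trigger lives in the account's own schema, which is why the account needs a direct EXECUTE grant on GLOGOWNER.VPD.

```sql
-- Added example; LOGIN_AUDIT_RO and SET_VPD_PROFILE are hypothetical names.
-- Run as a DBA. This is not the content of create_logon_triggers.sql.

-- The two object privileges named in the thread. A trigger compiles with its
-- owner's direct grants (not roles), so EXECUTE must be granted directly.
GRANT SELECT  ON glogowner.gl_login_history TO login_audit_ro;
GRANT EXECUTE ON glogowner.vpd              TO login_audit_ro;

-- Fires only for sessions of LOGIN_AUDIT_RO and sets the profile from post #2.
-- An unhandled exception in a logon trigger blocks the logon for accounts
-- without ADMINISTER DATABASE TRIGGER, so test it before relying on it.
CREATE OR REPLACE TRIGGER login_audit_ro.set_vpd_profile
AFTER LOGON ON login_audit_ro.SCHEMA
BEGIN
  glogowner.vpd.set_user('DBA.ADMIN');
END;
/

-- Review 1: every grantee (user or role) holding a privilege on the VPD package.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'GLOGOWNER'
AND    table_name = 'VPD';

-- Review 2: objects the account can reach. The VPD profile lifts row
-- filtering, but object grants still decide which tables are readable, so
-- this should list only GL_LOGIN_HISTORY (SELECT) and VPD (EXECUTE) plus
-- whatever GLOGOWNER has granted to PUBLIC.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'LOGIN_AUDIT_RO'
OR    (grantee = 'PUBLIC' AND owner = 'GLOGOWNER')
ORDER  BY grantee, owner, table_name;

-- Review 3: system privileges and roles, which can widen access beyond the
-- object grants above (for example SELECT ANY TABLE).
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'LOGIN_AUDIT_RO';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'LOGIN_AUDIT_RO';

-- Review 4: all logon triggers, to see which sessions get a VPD profile set.
SELECT owner, trigger_name, base_object_type, status
FROM   dba_triggers
WHERE  triggering_event LIKE '%LOGON%';
```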
All times are GMT.
Copyright © 2006-2009, Open Book Solutions LLC. All rights reserved.

