
I read about Oracle ACLs, but at first sight it doesn't look like they limit access to a schema at the terminal or program level. Is that even possible? I did experience such a limitation once: I was connecting via sqlplus from a Unix box, the same box the application scripts were connecting from. Is it, perhaps, related to Oracle Wallet?

Goal:

I want to limit direct access to an application schema. I have already enabled proxy access. However, the web application on localhost does access the application schema from the same host from which I want to limit direct access through any IDE. Is it possible to limit connectivity to a schema from the same machine, depending on what terminal or program wants to connect?

Jakub P

2 Answers


I am not aware of something like that native in the database. However, it should be doable using a logon trigger.

Regards, Daniel
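As an added illustration of the logon-trigger approach (this is example code, not part of Daniel's answer), the trigger below polices direct logons to one application schema. It assumes a schema named APP_SCHEMA, an application server on the database host running as OS user "tomcat" and connecting with the JDBC thin driver (which reports its module as "JDBC Thin Client"), and that developers reach APP_SCHEMA only through proxy users. All of those names are assumptions for the example.

```sql
-- Added example, not from the original answer. Assumed names: APP_SCHEMA,
-- OS user "tomcat", module "JDBC Thin Client". Must be created by a user
-- holding ADMINISTER DATABASE TRIGGER (typically SYS).
CREATE OR REPLACE TRIGGER sys.restrict_app_schema_logon
AFTER LOGON ON DATABASE
DECLARE
    v_user     VARCHAR2(256) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    v_proxy    VARCHAR2(256) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_module   VARCHAR2(256) := SYS_CONTEXT('USERENV', 'MODULE');
    v_os_user  VARCHAR2(256) := SYS_CONTEXT('USERENV', 'OS_USER');
    v_host     VARCHAR2(256) := SYS_CONTEXT('USERENV', 'HOST');
BEGIN
    -- Only the application schema is policed; every other logon is untouched.
    IF v_user <> 'APP_SCHEMA' THEN
        RETURN;
    END IF;

    -- Proxied sessions (CONNECT dev_user[app_schema]/...) are the sanctioned
    -- path for humans. PROXY_USER is set by the server during authentication,
    -- so the client cannot forge it.
    IF v_proxy IS NOT NULL THEN
        RETURN;
    END IF;

    -- Direct logon: accept only the application server's fingerprint.
    -- OS_USER, MODULE and HOST are all reported by the client library, so a
    -- determined developer can present the same values; this stops casual
    -- sqlplus / IDE use, not a deliberate bypass.
    IF v_os_user = 'tomcat'
       AND v_module = 'JDBC Thin Client'
    THEN
        RETURN;
    END IF;

    -- Raising an error in an AFTER LOGON trigger aborts the logon, except
    -- for users holding ADMINISTER DATABASE TRIGGER (e.g. SYS, DBAs), who
    -- still get in and see the error only as a message.
    RAISE_APPLICATION_ERROR(-20001,
        'Direct logon to ' || v_user
        || ' from ' || NVL(v_os_user, '?') || '@' || NVL(v_host, '?')
        || ' via ' || NVL(v_module, '?')
        || ' is not permitted; connect through your proxy user instead');
END;
/
```

The weakness is in the comments: everything except PROXY_USER comes from the client. A JDBC client can set the program name it reports with the `v$session.program` connection property, and an OCI program can set its module attribute before the connect packet is sent, so the fingerprint check is a speed bump rather than a boundary. Test the trigger from a second session before relying on it, so that a typo in the accepted values does not lock the application server out.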


As stated by several people in the comments, there is no guaranteed way to do this that cannot be easily fooled. The only session parameter that cannot be spoofed by a savvy developer is the proxy username. The best thing you can do is limit access by login name (using proxy users, as it sounds like you're already doing) and make sure each user's privileges are appropriate no matter what client they use (i.e. no client allows them to escalate their privileges).

In particular, if you don't want people to connect to the application schema, make sure they don't have (and can't get) the password. You could probably use an Oracle Wallet to hide the password used by the application server, but depending on their level of access to the system (and where you put the wallet) a savvy developer might still exploit that. I would also make sure to audit all logins so that you can tell if anyone is connecting inappropriately and have a record of the behavior.

pmdba
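The two controls this answer recommends, restricting the proxied session's privileges and auditing every logon to the schema, look like the following. This is an added example rather than code from the answer; it assumes Oracle 12c or later with unified auditing enabled, an application schema APP_SCHEMA, a developer account DEV_USER, a read-only role APP_RO_ROLE, and an application server running as OS user "tomcat" with a JDBC client. All of those names are assumptions.

```sql
-- Added example, not from the original answer. Assumed names: APP_SCHEMA,
-- DEV_USER, APP_RO_ROLE, OS user "tomcat". Requires 12c+ unified auditing.

-- 1. Humans reach the schema only through proxy authentication, and the
--    proxied session is limited to APP_RO_ROLE instead of inheriting every
--    privilege APP_SCHEMA holds. Login name and proxy user are the only
--    attributes the server establishes itself, independent of the client.
ALTER USER app_schema GRANT CONNECT THROUGH dev_user WITH ROLE app_ro_role;
--    Developer then connects as:  sqlplus dev_user[app_schema]/<password>@db
--    and SYS_CONTEXT('USERENV','PROXY_USER') reports DEV_USER in that session.

-- 2. Record every logon and logoff for APP_SCHEMA, successful or not,
--    whatever client produced it.
CREATE AUDIT POLICY app_schema_logon_pol
    ACTIONS LOGON, LOGOFF;
AUDIT POLICY app_schema_logon_pol BY app_schema;

-- 3. Review: a direct logon (no proxy user) that did not come from the
--    application server's OS account and program is the inappropriate
--    connection to chase. Failed attempts show RETURN_CODE 1017.
SELECT event_timestamp,
       dbusername,
       dbproxy_username,
       os_username,
       userhost,
       terminal,
       client_program_name,
       return_code           -- 0 = success, 1017 = invalid credentials
  FROM unified_audit_trail
 WHERE dbusername = 'APP_SCHEMA'
   AND action_name = 'LOGON'
   AND dbproxy_username IS NULL
   AND NOT (os_username = 'tomcat' AND client_program_name LIKE 'JDBC%')
 ORDER BY event_timestamp DESC;
```

On databases still using traditional auditing, `AUDIT SESSION BY app_schema;` and a query against DBA_AUDIT_SESSION give the same record. The Oracle Wallet part of the answer is OS-side configuration (an mkstore-created wallet referenced from sqlnet.ora so the application connects with `/@alias` instead of a password) and is not shown here; it removes the password from scripts and config files, but anyone who can read the wallet directory as the application's OS user can still connect with it, which is exactly the caveat raised above.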