Solved

dba_users entry for application accounts

Posted on 2013-06-17
6
350 Views
Last Modified: 2013-07-15
If you have an oracle 10g database, residing behind a business application (i.e. for arguments sake let’s say your corporate finance system), is it common for the dba_users to be populated with an account per application user? I thought it would be common for the accounts in dba_users to only be those used for database administration, and perhaps some data analysts, so I was a bit shocked when I noticed anyone who has a login account for the application front end to have an entry in dba_users. Is this kind of authentication common? Does it have a specific name? I assume this is down to how the applicaiton was programmed, as for other apps that have a backend oracle database, there definately isnt an entry is dba_users per application (front end) accounts.
0
Comment
Question by:pma111
  • 3
  • 2
6 Comments
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 250 total points
Comment Utility
dba_users is just a view.  Any Oracle user will be visible in that view.

There are two other level of views:  ALL_ and USER_.  These are restricted based on database permissions.

It is common for applications to be written in such a way that it's usernames and are actually database users.  This let's the database control password maintenance as well as auditing what the users do.

The other way to write apps is that it maintains it's own user table and the app connects to the database using a common username.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
So would it be fair to say, if the database users arent subject to password expiry, complexity, account lockout etc, then neither will the account that they use to login to the application (which is essentially the same thing). or could you have database accounts, with no expirty, complexity etc policy, however the application is still programmed in such a way that the users have to change their password every so long.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
Comment Utility
>> then neither will the account that they use to login to the application

Good bet.

>>however the application is still programmed in such a way

It's code...  You "can" do whatever you want.

Just not sure why you would want to write code to handle something Oracle handles for free?

You can set up PROFILE's to control all of this.  Then the app just needs to account for the error messages it receives form the database.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Author Comment

by:pma111
Comment Utility
I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles. if say for example password verify function says "default", what exactly does that mean. If it says something else, where can you actually see the password verify function to see what its enforcing.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
Comment Utility
>>I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles.

Correct.

>>if say for example password verify function says "default", what exactly does that mean.

Check out: Oracle Password Management Policy [ID 114930.1]

>>If it says something else, where can you actually see the password verify function to see what its enforcing.

It's a stored function.  If it is set, you can view the source just like any other function.

It could possibly be WRAPped (never tried this with a password function).  If so, it's encrypted.  There are claims that WRAPped code can be decrypted but I've never tried.
0
 
LVL 23

Assisted Solution

by:David
David earned 250 total points
Comment Utility
...is it common for the dba_users to be populated with an account per application user?...

I agree with Slight, and would mention that there are alternatives; so it depends upon the architect's preference.  At one end, some applications are written to use generic accounts such as APP_ADMIN for the superusers, and APP_QUERY for the reports and other read-only, and APP_USER for the common access people.  The application / data owner would be responsible for managing which users were given which passwords.  A high-volume site will perhaps look into single sign-on with LDAP.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Read about achieving the basic levels of HRIS security in the workplace.
This video explains at a high level about the four available data types in Oracle and how dates can be manipulated by the user to get data into and out of the database.
This video shows how to Export data from an Oracle database using the Datapump Export Utility.  The corresponding Datapump Import utility is also discussed and demonstrated.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now