Solved

dba_users entry for application accounts

Posted on 2013-06-17
6
384 Views
Last Modified: 2013-07-15
If you have an oracle 10g database, residing behind a business application (i.e. for arguments sake let’s say your corporate finance system), is it common for the dba_users to be populated with an account per application user? I thought it would be common for the accounts in dba_users to only be those used for database administration, and perhaps some data analysts, so I was a bit shocked when I noticed anyone who has a login account for the application front end to have an entry in dba_users. Is this kind of authentication common? Does it have a specific name? I assume this is down to how the applicaiton was programmed, as for other apps that have a backend oracle database, there definately isnt an entry is dba_users per application (front end) accounts.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 250 total points
ID: 39252963
dba_users is just a view.  Any Oracle user will be visible in that view.

There are two other level of views:  ALL_ and USER_.  These are restricted based on database permissions.

It is common for applications to be written in such a way that it's usernames and are actually database users.  This let's the database control password maintenance as well as auditing what the users do.

The other way to write apps is that it maintains it's own user table and the app connects to the database using a common username.
0
 
LVL 3

Author Comment

by:pma111
ID: 39252971
So would it be fair to say, if the database users arent subject to password expiry, complexity, account lockout etc, then neither will the account that they use to login to the application (which is essentially the same thing). or could you have database accounts, with no expirty, complexity etc policy, however the application is still programmed in such a way that the users have to change their password every so long.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39252993
>> then neither will the account that they use to login to the application

Good bet.

>>however the application is still programmed in such a way

It's code...  You "can" do whatever you want.

Just not sure why you would want to write code to handle something Oracle handles for free?

You can set up PROFILE's to control all of this.  Then the app just needs to account for the error messages it receives form the database.
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 
LVL 3

Author Comment

by:pma111
ID: 39253019
I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles. if say for example password verify function says "default", what exactly does that mean. If it says something else, where can you actually see the password verify function to see what its enforcing.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39253130
>>I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles.

Correct.

>>if say for example password verify function says "default", what exactly does that mean.

Check out: Oracle Password Management Policy [ID 114930.1]

>>If it says something else, where can you actually see the password verify function to see what its enforcing.

It's a stored function.  If it is set, you can view the source just like any other function.

It could possibly be WRAPped (never tried this with a password function).  If so, it's encrypted.  There are claims that WRAPped code can be decrypted but I've never tried.
0
 
LVL 23

Assisted Solution

by:David
David earned 250 total points
ID: 39253863
...is it common for the dba_users to be populated with an account per application user?...

I agree with Slight, and would mention that there are alternatives; so it depends upon the architect's preference.  At one end, some applications are written to use generic accounts such as APP_ADMIN for the superusers, and APP_QUERY for the reports and other read-only, and APP_USER for the common access people.  The application / data owner would be responsible for managing which users were given which passwords.  A high-volume site will perhaps look into single sign-on with LDAP.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Estimating my database size 7 51
database access query MSSQL 3 46
T-SQL: Need training video on creating a Clustered Index 2 57
Oracle Join issue. 3 47
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
This video shows setup options and the basic steps and syntax for duplicating (cloning) a database from one instance to another. Examples are given for duplicating to the same machine and to different machines

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question