Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

dba_users entry for application accounts

Posted on 2013-06-17
6
Medium Priority
?
398 Views
Last Modified: 2013-07-15
If you have an oracle 10g database, residing behind a business application (i.e. for arguments sake let’s say your corporate finance system), is it common for the dba_users to be populated with an account per application user? I thought it would be common for the accounts in dba_users to only be those used for database administration, and perhaps some data analysts, so I was a bit shocked when I noticed anyone who has a login account for the application front end to have an entry in dba_users. Is this kind of authentication common? Does it have a specific name? I assume this is down to how the applicaiton was programmed, as for other apps that have a backend oracle database, there definately isnt an entry is dba_users per application (front end) accounts.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 1000 total points
ID: 39252963
dba_users is just a view.  Any Oracle user will be visible in that view.

There are two other level of views:  ALL_ and USER_.  These are restricted based on database permissions.

It is common for applications to be written in such a way that it's usernames and are actually database users.  This let's the database control password maintenance as well as auditing what the users do.

The other way to write apps is that it maintains it's own user table and the app connects to the database using a common username.
0
 
LVL 3

Author Comment

by:pma111
ID: 39252971
So would it be fair to say, if the database users arent subject to password expiry, complexity, account lockout etc, then neither will the account that they use to login to the application (which is essentially the same thing). or could you have database accounts, with no expirty, complexity etc policy, however the application is still programmed in such a way that the users have to change their password every so long.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39252993
>> then neither will the account that they use to login to the application

Good bet.

>>however the application is still programmed in such a way

It's code...  You "can" do whatever you want.

Just not sure why you would want to write code to handle something Oracle handles for free?

You can set up PROFILE's to control all of this.  Then the app just needs to account for the error messages it receives form the database.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 3

Author Comment

by:pma111
ID: 39253019
I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles. if say for example password verify function says "default", what exactly does that mean. If it says something else, where can you actually see the password verify function to see what its enforcing.
0
 
LVL 77

Expert Comment

by:slightwv (䄆 Netminder)
ID: 39253130
>>I assume thats those that are stored within the file dba_users:profile , and then marry those up to the values held in dba_profiles.

Correct.

>>if say for example password verify function says "default", what exactly does that mean.

Check out: Oracle Password Management Policy [ID 114930.1]

>>If it says something else, where can you actually see the password verify function to see what its enforcing.

It's a stored function.  If it is set, you can view the source just like any other function.

It could possibly be WRAPped (never tried this with a password function).  If so, it's encrypted.  There are claims that WRAPped code can be decrypted but I've never tried.
0
 
LVL 23

Assisted Solution

by:David
David earned 1000 total points
ID: 39253863
...is it common for the dba_users to be populated with an account per application user?...

I agree with Slight, and would mention that there are alternatives; so it depends upon the architect's preference.  At one end, some applications are written to use generic accounts such as APP_ADMIN for the superusers, and APP_QUERY for the reports and other read-only, and APP_USER for the common access people.  The application / data owner would be responsible for managing which users were given which passwords.  A high-volume site will perhaps look into single sign-on with LDAP.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
Via a live example, show how to restore a database from backup after a simulated disk failure using RMAN.
This video shows how to copy an entire tablespace from one database to another database using Transportable Tablespace functionality.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question