ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Tue Jul 18, 2006 2:15 pm Post subject: I have two problems about Oracle authentication, can you help me?
Thanks:
1. How do the clients transmit the identifier to Oracle before logon?
2. After logon to Oracle, how can I lock some privileges or roles of this
user instead of revoking the roles?

Dave *nix forums Guru
Joined: 19 Feb 2005
Posts: 1725
Posted: Wed Jul 19, 2006 8:43 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Not without more information.
| Quote: | 1.how do the clients transmit the identifier to Oracle before logon
|
Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
| Quote: | 2.After logon Oracle,how can I lock some privileges or roles of this
user instead of revoking the roles?
|
What do you mean by locking privileges and roles?

ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Thu Jul 20, 2006 3:46 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Dave wrote:
| Quote: | Not without more information.
1.how do the clients transmit the identifier to Oracle before logon
Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
2.After logon Oracle,how can I lock some privileges or roles of this
user instead of revoking the roles?
What do you mean by locking privileges and roles?
|
Thank you very much, Dave.
1.Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
I want to transmit a client identifier such as ic card's number to
the Oracle server before the logon trigger is invoked.
2.What do you mean by locking privileges and roles?
That means restricting db_user's privileges and roles only in the
session, but not revoking them from the db_user. In this way, another
user who uses a different ic card but the same Oracle account db_user
can get more privileges and roles in his session. The privileges and
roles have been granted to the db_user before.
So, I can let different ic card users with the same Oracle account
db_user have different privileges and roles. May I use the "set role
role1,role2" or "dbms_session.set_role" to lock the other roles except
role1,role2?

Sybrand Bakker *nix forums Guru
Joined: 03 Apr 2005
Posts: 1766
Posted: Thu Jul 20, 2006 5:22 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
On 19 Jul 2006 20:46:47 -0700, ldd600@163.com wrote:
| Quote: |
Dave wrote:
Not without more information.
1.how do the clients transmit the identifier to Oracle before logon
Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
2.After logon Oracle,how can I lock some privileges or roles of this
user instead of revoking the roles?
What do you mean by locking privileges and roles?
thank you very much Dave
1.Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
I want to transmit client identifier such as ic card's number to
the oracle server before the logon trigger is invoked.
2.What do you mean by locking privileges and roles?
That means restricting db_user's privileges and roles only in the
session ,but not revoking them from the db_user. In this way, another
user who uses a different ic card but the same oracle account db_user
can get more privileges and roles in his session. The privileges and
roles have granted to the db_user before.
So, I can let different ic card users with the same oracle account
db_user have different privileges and roles. May I use the "set role
role1,role2 " or "dbms_session.set_role" to lock the other roles except
role1,role2.
|
1 You need the Oracle Advanced Networking Option. Other than that: No
way
2 Not possible.
--
Sybrand Bakker, Senior Oracle DBA

ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Thu Jul 20, 2006 6:24 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Sybrand Bakker wrote:
| Quote: | On 19 Jul 2006 20:46:47 -0700, ldd600@163.com wrote:
Dave wrote:
Not without more information.
1.how do the clients transmit the identifier to Oracle before logon
Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
2.After logon Oracle,how can I lock some privileges or roles of this
user instead of revoking the roles?
What do you mean by locking privileges and roles?
thank you very much Dave
1.Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
I want to transmit client identifier such as ic card's number to
the oracle server before the logon trigger is invoked.
2.What do you mean by locking privileges and roles?
That means restricting db_user's privileges and roles only in the
session ,but not revoking them from the db_user. In this way, another
user who uses a different ic card but the same oracle account db_user
can get more privileges and roles in his session. The privileges and
roles have granted to the db_user before.
So, I can let different ic card users with the same oracle account
db_user have different privileges and roles. May I use the "set role
role1,role2 " or "dbms_session.set_role" to lock the other roles except
role1,role2.
1 You need the Oracle Advanced Networking Option. Other than that: No
way
2 Not possible.
--
Sybrand Bakker, Senior Oracle DBA
|
Thanks, Sybrand Bakker.
Why is it not possible? I tried it, then got answers as follows:
SQL> conn temp/temp;
Connected to Oracle9i Enterprise Edition Release 9.2.0.1.0
Connected as temp
SQL> create role a;
Role created
SQL> create role b;
Role created
SQL> grant a to b;
Grant succeeded
SQL> grant a to scott;
Grant succeeded
SQL> conn scott/tiger;
Connected to Oracle9i Enterprise Edition Release 9.2.0.1.0
Connected as scott
SQL> set role a,resource;
Role set
SQL> select * from session_roles;
ROLE
------------------------------
A
RESOURCE
SQL> conn temp/temp;
Connected to Oracle9i Enterprise Edition Release 9.2.0.1.0
Connected as temp
SQL> grant a to b;
Grant succeeded
SQL> revoke a from b;
Revoke succeeded
SQL> grant a to b;
Grant succeeded
SQL> revoke a from scott;
Revoke succeeded
SQL> grant b to scott;
Grant succeeded
SQL> conn scott/tiger;
Connected to Oracle9i Enterprise Edition Release 9.2.0.1.0
Connected as scott
SQL> select * from session_roles;
ROLE
------------------------------
CONNECT
RESOURCE
B
A
SQL> set role a;
Role set
SQL> select * from session_roles;
ROLE
------------------------------
A
-----------------------------------------------------------------------------------------------------------------
Can you explain what "not possible and Oracle Advanced Networking
Option" means for me? I am confused.

Brian Peasland *nix forums Guru
Joined: 04 Apr 2006
Posts: 301
Posted: Thu Jul 20, 2006 1:18 pm Post subject: Re: I have two problems about Oracle authentication, can you help me?
| Quote: | 1.Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
I want to transmit client identifier such as ic card's number to
the oracle server before the logon trigger is invoked.
|
Look into Secure Application Roles. Click on the following link:
http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm
Please read the Security Guide....pay particular attention to Chapter 13.
HTH,
Brian
--
===================================================================
Brian Peasland
dba@nospam.peasland.net
http://www.peasland.net
Remove the "nospam." from the email address to email me.
"I can give it to you cheap, quick, and good.
Now pick two out of the three" - Unknown

Sybrand Bakker *nix forums Guru
Joined: 03 Apr 2005
Posts: 1766
Posted: Thu Jul 20, 2006 7:45 pm Post subject: Re: I have two problems about Oracle authentication, can you help me?
On 19 Jul 2006 23:24:14 -0700, ldd600@163.com wrote:
| Quote: | -----------------------------------------------------------------------------------------------------------------
Can you explain what "not possible and Oracle Advanced Networking
Option" means for me? I am confused.
|
I don't think I'm going to waste more time on this.
Either you should express yourself completely or succinctly, or you
should not post at all. You shouldn't however, change the rules of the
game and complain you are confused.
I am as much as confused as you because your question didn't make
sense. There is no such concept as 'lock a role'.
Everyone can juggle with different sessions of the same user; in the
end it is the same user, with the same properties.
--
Sybrand Bakker, Senior Oracle DBA

ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Fri Jul 21, 2006 1:26 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Brian Peasland wrote:
| Quote: | 1.Over SQLNet. If you explain what you are trying to understand then a
more detailed explanation may be possible.
I want to transmit client identifier such as ic card's number to
the oracle server before the logon trigger is invoked.
Look into Secure Application Roles. Click on the following link:
http://download-east.oracle.com/docs/cd/B19306_01/network.102/b14266/toc.htm
Please read the Security Guide....pay particular attention to Chapter 13.
HTH,
Brian
--
===================================================================
Brian Peasland
dba@nospam.peasland.net
http://www.peasland.net
Remove the "nospam." from the email address to email me.
"I can give it to you cheap, quick, and good.
Now pick two out of the three" - Unknown
|
Thanks for your kind help.
I had read the guide before. We can't use application server and
proxy_user, and I have no right to change the application programs
which were written with VC. I also can't modify all the roles in
database to secure roles and default roles, because secure roles need
to be verified.

ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Fri Jul 21, 2006 1:44 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Sybrand Bakker wrote:
| Quote: | On 19 Jul 2006 23:24:14 -0700, ldd600@163.com wrote:
-----------------------------------------------------------------------------------------------------------------
Can you explain what "not possible and Oracle Advanced Networking
Option" means for me? I am confused.
I don't think I'm going to waste more time on this.
Either you should express yourself completely or succinctly, or you
should not post at all. You shouldn't however, change the rules of the
game and complain you are confused.
I am as much as confused as you because your question didn't make
sense. There is no such concept as 'lock a role'.
Everyone can juggle with different sessions of the same user; in the
end it is the same user, with the same properties.
--
Sybrand Bakker, Senior Oracle DBA
|
Bakker, I'm so sorry, because English is not my native language, and my
English is very poor. I have tried my best to express myself more
clearly. I don't use the word "confused" to complain about something,
I just used it to express that I didn't understand something.
I just want to specify some roles to be enabled for the current
session. Any roles not listed are disabled for the current session.

ldd600@163.com *nix forums beginner
Joined: 18 Jul 2006
Posts: 8
Posted: Fri Jul 21, 2006 1:59 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
Sybrand Bakker wrote:
| Quote: | On 19 Jul 2006 23:24:14 -0700, ldd600@163.com wrote:
-----------------------------------------------------------------------------------------------------------------
Can you explain what "not possible and Oracle Advanced Networking
Option" means for me? I am confused.
I don't think I'm going to waste more time on this.
Either you should express yourself completely or succinctly, or you
should not post at all. You shouldn't however, change the rules of the
game and complain you are confused.
I am as much as confused as you because your question didn't make
sense. There is no such concept as 'lock a role'.
Everyone can juggle with different sessions of the same user; in the
end it is the same user, with the same properties.
--
Sybrand Bakker, Senior Oracle DBA
|
Thanks, Bakker.
I hope to make the same user have different roles in different
sessions.

Dave *nix forums Guru
Joined: 19 Feb 2005
Posts: 1725
Posted: Fri Jul 21, 2006 10:20 am Post subject: Re: I have two problems about Oracle authentication, can you help me?
ldd600@163.com wrote:
| Quote: | Sybrand Bakker wrote:
On 19 Jul 2006 23:24:14 -0700, ldd600@163.com wrote:
-----------------------------------------------------------------------------------------------------------------
Can you explain what "not possible and Oracle Advanced Networking
Option" means for me? I am confused.
I don't think I'm going to waste more time on this.
Either you should express yourself completely or succinctly, or you
should not post at all. You shouldn't however, change the rules of the
game and complain you are confused.
I am as much as confused as you because your question didn't make
sense. There is no such concept as 'lock a role'.
Everyone can juggle with different sessions of the same user; in the
end it is the same user, with the same properties.
--
Sybrand Bakker, Senior Oracle DBA
Bakker, I'm so sorry, because English is not my native language, and my
English is very poor. I have tried my best to express myself more
clearly. I don't use the word "confused" to complain about something,
I just used it to express that I didn't understand something.
I just want to specify some roles to be enabled for the current
session. Any roles not listed are disabled for the current session.
|
I don't think language is the issue here. "client identifier such as
ic card's number" isn't going to make any sense regardless of the
language in which it is expressed unless "ic card's number" is a local
idiom. I've no idea what an ic is, I know what an IC is; that's short
for Integrated Circuit, but as far as I know "ic" isn't an English word.
(quick sanity check performed with
http://www.answers.com/main/ntquery?gwp=13&s=ic )
Password protected roles might do what you want. But this will most
likely require the application to be modified. One thing I don't
understand though: if you can't modify the application, how are you
planning to transmit the "ic card" info to the database?
I'm not sure what the Advanced Networking Option is called in 10g; the
8.0 ANO docs are on Oracle Technet; the following link might work:
http://download.oracle.com/docs/cd/A64702_01/doc/network.805/a58229/ch1.htm#740291
The DCE stuff (picked as an example of stuff documented in the 8.0 ANO
doc) is also covered in the 10g doc:
http://download.oracle.com/docs/cd/B14117_01/network.101/b10772/toc.htm
This is possibly the doc Sybrand thinks you should read.
If you're reading this Sybrand, my feeling is that he wants to connect
to Oracle with username, password and something, then have the logon
trigger act on that something to set the roles for the session.
Pointing him to ANO suggests you think this is possible, but ANO appears
to be quite a large area so could you give one or two more clues, or
possibly even a direct chapter reference? I've scanned the contents but
nothing seems to jump out at me, and I haven't really got the time to
read the whole manual in detail.
Rereading the following: "That means restricting db_user's privileges
and roles only in the session ,but not revoking them from the db_user.
In this way, another user who uses a different ic card but the same
oracle account db_user can get more privileges and roles in his session."
To use password protected roles you'd need some way of translating an
"ic card" into a role name and password. The application would connect
to the Oracle schema then select the roles for which it has that info.
This way you'd probably get the behaviour you want, if my understanding
is correct.
"The privileges and roles have granted to the db_user before."
But in this solution the privileges and roles would NOT have been
granted to the db_user; they would be chosen by the application after
connect based on the translation from the "ic card" information.
This is all based on guesswork, so if I'm way off mark, you definitely
need to provide a full and detailed explanation of exactly what you
want, preferably after reading several Oracle manuals which should AT
LEAST include the Oracle Database Concepts manual so that you have an
idea of what terminology to use. Correct terminology is absolutely
vital to clear communication, particularly when sales droids like
muddying the waters by inventing their own words that are vague and
often misleading (Microsoft's overuse of the .Net buzzword a couple of
years ago is a prime example, leading people to all sorts of silly
questions like "is my toaster .Net compatible, because listening to
Microsoft it sounds like my house will implode if it isn't")
Dave.
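
An added example, not part of any post in this thread: in Oracle SQL, the difference between narrowing plainly granted roles with SET ROLE, which the same session can undo, and secure application roles (the feature Brian Peasland's post points to), which can only be enabled from inside their named package. The names app_owner, card_roles, card_role_map, role_clerk, role_manager and the card number are hypothetical, and the example assumes the client is able to set a client identifier after connecting.

```sql
-- Added example; all object names below are hypothetical.
-- Weak: with plainly granted roles, SET ROLE only narrows the session until
-- the same session widens it again, so it is not an access control:
--   GRANT role_clerk, role_manager TO db_user;
--   SET ROLE role_clerk;  -- SESSION_ROLES shows ROLE_CLERK only
--   SET ROLE ALL;         -- ROLE_MANAGER is enabled again

-- Hardened: a secure application role can be enabled only from inside the
-- package named in IDENTIFIED USING, so server-side code makes the decision.
CREATE ROLE role_clerk   IDENTIFIED USING app_owner.card_roles;
CREATE ROLE role_manager IDENTIFIED USING app_owner.card_roles;
GRANT role_clerk, role_manager TO db_user;
ALTER USER db_user DEFAULT ROLE ALL EXCEPT role_clerk, role_manager;

-- Which card may enable which role (role names stored in upper case).
CREATE TABLE app_owner.card_role_map (
  card_no   VARCHAR2(64) NOT NULL,
  role_name VARCHAR2(30) NOT NULL,
  CONSTRAINT card_role_map_pk PRIMARY KEY (card_no, role_name)
);
GRANT SELECT ON app_owner.card_role_map TO db_user;  -- invoker's rights lookup

-- The package must run with invoker's rights for SET_ROLE to be allowed.
CREATE OR REPLACE PACKAGE app_owner.card_roles AUTHID CURRENT_USER AS
  PROCEDURE enable_for_card;
END card_roles;
/
CREATE OR REPLACE PACKAGE BODY app_owner.card_roles AS
  PROCEDURE enable_for_card IS
    -- Client-supplied and unauthenticated: treat it as a claim, not proof.
    v_card  VARCHAR2(64) := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');
    v_roles VARCHAR2(4000);
  BEGIN
    FOR r IN (SELECT role_name FROM app_owner.card_role_map
               WHERE card_no = v_card ORDER BY role_name) LOOP
      v_roles := v_roles || CASE WHEN v_roles IS NOT NULL THEN ',' END
                         || r.role_name;
    END LOOP;
    -- Roles not listed are disabled; an unknown card gets none.
    DBMS_SESSION.SET_ROLE(NVL(v_roles, 'NONE'));
  END enable_for_card;
END card_roles;
/
GRANT EXECUTE ON app_owner.card_roles TO db_user;

-- Client session as db_user (constructed card number):
--   EXEC DBMS_SESSION.SET_IDENTIFIER('CARD-0001');
--   EXEC app_owner.card_roles.enable_for_card;
--   SELECT * FROM session_roles;
```

Because anyone who can log in as db_user can set any client identifier, the card number here selects roles but does not authenticate the card holder; that check has to happen somewhere the client cannot forge it.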
The time now is Sun Nov 23, 2008 3:03 pm | All times are GMT