Q

Best practices for secure user creation

I have a question regarding best practice for user creation/security within the database. When creating a new application, should we design a table containing multiple usernames and corresponding encrypted password in the database i.e. implement application-level security for the application.

OR

Should multiple database level users (like scott etc.) be created i.e. for each application user a corresponding database user is created and database level security be maintained.
There's no substitute for securing the data. Security programmed in the application can still be circumvented by connecting directly to the database (or attempting to). Plus, with one application user that has a superset of all privileges needed by any application user, one breach can allow access to all the database data very easily.

I would establish database accounts for each user, but actually connecting to the database with individual user accounts would eliminate the usefulness of database connection pooling. Plus, you'd incur the overhead of establishing a new database connection each time a user logs in to the application.

I'd investigate the Proxy Authentication mechanism that was created precisely to address this situation. It is not difficult to configure on the database end, but the application will have to connect differently to utilize this feature. The Oracle9i documentation for Proxy Authentication begins here: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/users.htm#17433.

This was first published in April 2004

Dig deeper on Oracle database security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchDataManagement

SearchBusinessAnalytics

SearchSAP

SearchSQLServer

TheServerSide

SearchDataCenter

SearchContentManagement

SearchFinancialApplications

Close