Ask The Oracle Expert: Questions & Answers

Best practices for secure user creation

EXPERT RESPONSE FROM: Dan Norris

QUESTION POSED ON: 08 April 2004
I have a question regarding best practice for user creation/security within the database. When creating a new application, should we design a table containing multiple usernames and corresponding encrypted passwords in the database, i.e., implement application-level security for the application?

OR

Should multiple database-level users (like scott etc.) be created, i.e., for each application user a corresponding database user is created and database-level security be maintained?


There's no substitute for securing the data. Security programmed in the application can still be circumvented by connecting directly to the database (or attempting to). Plus, with one application user that has a superset of all privileges needed by any application user, one breach can allow access to all the database data very easily.

I would establish database accounts for each user, but actually connecting to the database with individual user accounts would eliminate the usefulness of database connection pooling. Plus, you'd incur the overhead of establishing a new database connection each time a user logs in to the application.

I'd investigate the Proxy Authentication mechanism that was created precisely to address this situation. It is not difficult to configure on the database end, but the application will have to connect differently to utilize this feature. The Oracle9i documentation for Proxy Authentication begins here: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/users.htm#17433.
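
The database-side setup for the proxy authentication approach described in the answer, as an added example that is not part of the original response or of Oracle's documentation. All account, role and table names (`app_pool`, `jane`, `orders_clerk`, `app_owner.orders`) are hypothetical and the passwords are placeholders.

```sql
-- Added example: hypothetical names, placeholder passwords.

-- 1. Pool account the middle tier connects as. It can log in and nothing
--    else, so a stolen pool credential does not expose application data.
CREATE USER app_pool IDENTIFIED BY "placeholder_pool_pw";
GRANT CREATE SESSION TO app_pool;

-- 2. One database account per real user, with privileges held in a role
--    rather than granted directly.
CREATE ROLE orders_clerk;
GRANT SELECT, INSERT ON app_owner.orders TO orders_clerk;

CREATE USER jane IDENTIFIED BY "placeholder_user_pw";
GRANT CREATE SESSION TO jane;
GRANT orders_clerk TO jane;

-- 3. Let app_pool open sessions on behalf of jane, restricted to one role.
--    Roles jane holds that are not listed here cannot be enabled in a
--    proxied session.
ALTER USER jane GRANT CONNECT THROUGH app_pool WITH ROLE orders_clerk;

-- 4. Review which accounts may proxy for which users.
SELECT proxy, client FROM proxy_users ORDER BY proxy, client;

-- 5. Run inside a session the middle tier opened for jane through its
--    driver's proxy support: the effective user is JANE and the pooled
--    account appears separately, so access checks still apply to jane.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS connected_via
FROM dual;

-- 6. Audit what the pool account does while acting for jane.
AUDIT SELECT TABLE, INSERT TABLE BY app_pool ON BEHALF OF jane;

-- 7. Withdraw the proxy right when the user leaves the application.
ALTER USER jane REVOKE CONNECT THROUGH app_pool;
```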

