Lock out of Oracle based on Windows username


I have this logon trigger to only allow certain users to log in to an Oracle database (even if they have the correct password to enter the database):



CREATE OR REPLACE TRIGGER SYS.LOGON_TRIGGER
AFTER LOGON ON DATABASE
DECLARE
  THIS_USER VARCHAR2(50);
BEGIN
  -- OS user name reported by the client for the current session
  SELECT OSUSER INTO THIS_USER FROM V$SESSION WHERE SID = SYS_CONTEXT('USERENV','SID');
  -- Reject the logon unless the OS user is on the allow list
  IF THIS_USER NOT IN (<List of Users>) THEN
    RAISE LOGIN_DENIED;
  END IF;
END;
/


It works for preventing users from entering most schemas but not all (e.g. the SYS or SYSTEM schemas can still be entered regardless of the user - this logon trigger is seemingly completely bypassed).



Is there a way to lock out these users even for these SYS type schemas?




A bit of context:



Due to decisions made way before I got involved with this, all of the logins for this database have the same password. Additionally, most users use the same login as many of our processes that read/write to this database automatically.



We don't want to simply change the passwords because it would be a very large effort to see what impact changing these passwords actually does to the system. (We would have to modify the code that the processes use to access the database, and there are many of these.) An easier solution for us is to just lock out based on usernames, if possible.







oracle oracle-11g
















asked May 16 at 17:39









ImaginaryHuman072889







  • A trigger is not going to change the security nightmare that "all of the logins for this database have the same password" is.

    – kevinsky
    May 16 at 17:41

  • @kevinsky In that case, it probably is better to just change the passwords and deal with the impacts. I guess the easiest solution isn't always the best.

    – ImaginaryHuman072889
    May 16 at 17:43

  • BTW: the osuser is (if you don’t use Kerberos or similar methods) only advisory (the driver can send any name it likes) so it is really not a good security mechanism and having strictly separate passwords is the way to go.

    – eckes
    May 16 at 20:24

  • @eckes Thanks, yes I understand this is not an air-tight plan. But our users are not very tech-savvy, so 1) they probably wouldn't be aware that they were being locked out based on username (they would probably just think the password changed), and 2) even if they knew that, I doubt they would know about this workaround that you are pointing out here.

    – ImaginaryHuman072889
    May 17 at 11:35

  • At least you should change the password for the high-privileged user like SYS or SYSTEM

    – Wernfried Domscheit
    May 17 at 13:17












2 Answers
I suggest a multi-phase approach that can be implemented in stages and will minimize the impact of changing to a more secure approach. I assume that you have a development environment to test in and the support of a manager who is interested and will support the effort.



  • use the existing Oracle audit logging to start logging when users logon and logoff.

  • after a period of time consistent with usage (90 days for a fiscal quarter?, a year end?) identify the unused accounts and lock them

  • identify any service accounts that are not used by people to log on.

  • identify the remaining accounts and try to link usernames to people to job roles

  • create Oracle profiles for service accounts, read only accounts and more privileged user accounts

    • set password expiration, complexity, reuse, failed attempts before lockout for these profiles. For example you may decide that service accounts should never change their password but that it should be 24 characters and only one failed attempt before lockout whereas a person's password should only be 8 characters with three failed attempts before lockout.

    • one by one reassign accounts to the correct profile and force a password change


  • at the same time look at creating roles that grant only enough privileges for accounts to do their job and assign the roles.

This is just the tip of the iceberg for securing the database. The level of effort you put in should be commensurate with the potential damage if the information in the database were breached.

















answered May 16 at 17:53









kevinsky












  • You bring up many good points here. We do have a test environment and yes my manager will support this. Thanks again.

    – ImaginaryHuman072889
    May 16 at 19:38
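
An added example (not part of kevinsky's answer or the original page) that walks the staged approach from the answer above in Oracle 11g SQL. All account, profile, role and function names are hypothetical, the 90-day window and the limits the answer does not state are illustrative values, and traditional auditing to the database (AUDIT_TRAIL=DB) is assumed:

```sql
-- Added example; run as a DBA, in a test environment first.
-- APP_SVC, JSMITH, OLD_REPORT_USER, APP_OWNER.ORDERS and all profile, role and
-- function names below are hypothetical.

-- 1. Audit every logon and logoff (check the trail first: SHOW PARAMETER audit_trail).
AUDIT SESSION;

-- 2. Who really uses each shared login? OS_USERNAME is supplied by the client,
--    so treat it as a hint for the inventory, not as proof of identity.
SELECT username, os_username, userhost,
       COUNT(*) AS logons, MAX(timestamp) AS last_logon
FROM   dba_audit_session
WHERE  returncode = 0
GROUP  BY username, os_username, userhost
ORDER  BY username, logons DESC;

-- 3. Open accounts with no successful logon in the observation window (90 days
--    here). Oracle-supplied accounts show up too, so review the list before locking.
SELECT u.username, u.profile, u.created
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_audit_session a
                   WHERE  a.username   = u.username
                   AND    a.returncode = 0
                   AND    a.timestamp  > SYSDATE - 90)
ORDER  BY u.username;

ALTER USER old_report_user ACCOUNT LOCK;

-- 4. Length rules from the answer (24 for services, 8 for people).
--    Password verify functions must be owned by SYS.
CREATE OR REPLACE FUNCTION sys.verify_len_24
  (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF NVL(LENGTH(password), 0) < 24 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 24 characters');
  END IF;
  RETURN TRUE;
END;
/
CREATE OR REPLACE FUNCTION sys.verify_len_8
  (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF NVL(LENGTH(password), 0) < 8 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must be at least 8 characters');
  END IF;
  RETURN TRUE;
END;
/

-- 5. One profile per account class.
CREATE PROFILE svc_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    1           -- one failed attempt locks the account
  PASSWORD_LOCK_TIME       UNLIMITED   -- stays locked until a DBA unlocks it
  PASSWORD_LIFE_TIME       UNLIMITED   -- service passwords never expire
  PASSWORD_VERIFY_FUNCTION verify_len_24;

CREATE PROFILE person_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    3
  PASSWORD_LOCK_TIME       1           -- days; illustrative
  PASSWORD_LIFE_TIME       90          -- days; illustrative
  PASSWORD_GRACE_TIME      7           -- days; illustrative
  PASSWORD_REUSE_TIME      365         -- days; illustrative
  PASSWORD_REUSE_MAX       10          -- illustrative
  PASSWORD_VERIFY_FUNCTION verify_len_8;

-- 6. Move accounts over one at a time. People must pick a new password at their
--    next logon; a service account gets a new secret set by the DBA, because a
--    non-interactive client cannot answer an expired-password prompt.
ALTER USER jsmith  PROFILE person_profile PASSWORD EXPIRE;
ALTER USER app_svc PROFILE svc_profile;
ALTER USER app_svc IDENTIFIED BY "REPLACE_WITH_GENERATED_SECRET";  -- placeholder

-- 7. Least-privilege role instead of direct or blanket grants.
CREATE ROLE app_read_only;
GRANT CREATE SESSION            TO app_read_only;
GRANT SELECT ON app_owner.orders TO app_read_only;
GRANT app_read_only             TO jsmith;
```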

















The reason why your trigger does not work for users like SYS or SYSTEM is because they have the ADMINISTER DATABASE TRIGGER privilege.



The ADMINISTER DATABASE TRIGGER privilege allows you to create database-level triggers (server error, login, and logout triggers). It also allows you to log in regardless of errors thrown by a login trigger as a failsafe.



So, the answer is: no, you cannot prevent login for such users - at least not with a login trigger.







share|improve this answer












share|improve this answer



share|improve this answer










answered May 16 at 20:05 by Wernfried Domscheit
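To see which accounts the failsafe described in this answer applies to, the query below (an added example, not part of the original answer) lists every user that holds ADMINISTER DATABASE TRIGGER either directly or through nested roles. It assumes read access to the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views; the CTE name and the column alias granted_via are illustrative.

```sql
-- Added example: accounts for which an error raised in a logon trigger
-- does not block the login, because they hold ADMINISTER DATABASE TRIGGER.
WITH priv_holders (grantee, granted_via) AS (
  -- Anchor: users and roles granted the privilege directly.
  SELECT grantee,
         CAST('DIRECT' AS VARCHAR2(128))
  FROM   dba_sys_privs
  WHERE  privilege = 'ADMINISTER DATABASE TRIGGER'
  UNION ALL
  -- Recursion: anyone granted a role that already holds the privilege.
  SELECT rp.grantee,
         CAST(rp.granted_role AS VARCHAR2(128))
  FROM   dba_role_privs rp
  JOIN   priv_holders ph
         ON rp.granted_role = ph.grantee
)
-- Keep only real accounts (roles drop out of the join with DBA_USERS).
SELECT DISTINCT
       u.username,
       u.account_status,
       ph.granted_via
FROM   priv_holders ph
JOIN   dba_users u
       ON u.username = ph.grantee
ORDER  BY u.username, ph.granted_via;
```

Any account in the result that does not need to manage database-level triggers is a candidate for having the privilege, or the role that carries it, revoked so that the logon trigger applies to it again.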




























