Please, we are facing a big security problem with the Informix user, which usually logs in to write and execute query language without a password. The problem is that now more than one of us accesses the database. How can we require any user with a generic username to be authenticated before getting in? The interface used is dbaccess. At the end of the password implementation we should have:
- 1= Login with generic username
- 2= enter password requirement
- 3= then enter dbaccess environment
First of all, it is not good practice to have the informix user generally access your applications, because this user is the "super user", both for access to all the databases and for Informix server administration. As you probably know, the more "powerful" the user, the bigger the consequences of an eventual mistake (drop a database, break a server, etc.).
Therefore you must allow other users to run the applications and access the database.
To do this, you need to grant or revoke permissions for named users (logins in general).
There are different levels of permissions:
1) permissions on databases:
- connect: allows the named user to connect to the database. If the user does not have this permission, there is no way to connect. He won't be able to do anything in the database
- resource: allows the named user to connect to the database, create a database and create tables, and to alter or drop the tables he owns
- dba: the strongest permission. Allows the named user to connect + create and drop any database, create, alter and drop any table.
In your case, you should execute this:
dbaccess databasename <<+
revoke connect from public;
grant connect to user1;
grant connect to user2;
+
Or, if you have no control over which users will use the application:
dbaccess databasename <<+
grant connect to public;
+
The informix user will always keep its "all dba" permissions, but at least other users will be able to select, insert, update and delete in tables, without being able to make big mistakes.
According to your question, this is all you need in your case.
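An added example, not part of the original answer: one way to script the revoke/grant step above for an allow-list of logins, refusing any name that is not a plain login before it reaches the SQL. The function names are hypothetical, lowercase OS login names are assumed, and `user1`/`user2` are the names used in the answer.

```shell
#!/bin/sh
# Added example, not from the thread. user1/user2 are the thread's names;
# the function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges byte-exact

# Accept only plain lowercase login names so nothing else reaches the SQL.
# "public" is refused: granting to it would reopen the database to everyone.
valid_login() {
    case "$1" in
        ''|public|*[!a-z0-9_]*|[0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the SQL for an allow-list of logins; print nothing if any is invalid.
build_grant_sql() {
    for u in "$@"; do
        valid_login "$u" || { echo "rejected login: $u" >&2; return 1; }
    done
    echo "REVOKE CONNECT FROM PUBLIC;"
    for u in "$@"; do
        echo "GRANT CONNECT TO $u;"
    done
    # Review step: sysusers lists who holds a database-level privilege
    # (usertype C = connect, R = resource, D = dba).
    echo "SELECT username, usertype FROM sysusers ORDER BY usertype, username;"
}

# Run the script against a database; the trailing "-" makes dbaccess read stdin.
apply_grants() {
    db=$1; shift
    sql=$(build_grant_sql "$@") || return 1
    printf '%s\n' "$sql" | dbaccess "$db" -
}

# Dry run: show what would be sent for the two users named in the thread.
build_grant_sql user1 user2
```

Calling `apply_grants databasename user1 user2` sends the same statements to the server; the final SELECT gives a list to compare against the intended allow-list.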
Thanks for your quick answer. Please, I want to know how to proceed for the following:
- In the first case, the generic user who actually has full access to the database has to be authenticated before logging in. The system should prompt for a password, knowing that the username is generic.
- In the second case, give each user the possibility to change his own password, so that he would be authenticated when logging in. At the same time the audit guys would be able to track all connections made.
Thanks for your help