Thread: User mgmt

  1. #1
    Join Date
    Dec 2003

    Unanswered: User mgmt

    Are there any websites or books I can consult on user mgmt? We are moving to Oracle, and are nervous about setting up users in Oracle. Wouldn't users, then, be able to use an ODBC-compliant tool, log in, and wreak havoc on the data that may not be allowable through Oracle forms?

    Looking for some insight on the topic.


  2. #2
    Join Date
    Aug 2003
    Where the Surf Meets the Turf @Del Mar, CA
    Provided Answers: 1
    It depends.

    The default Oracle behavior is that user A cannot change objects
    owned by user B unless and until explicitly granted the rights to do so
    by user B.

    If the users do not log in as the schema owner, which "owns" the
    application objects, then they will not be able to change anything of

    I suggest you go to
    and read the Concepts manual.

  3. #3
    Join Date
    Sep 2002
    Provided Answers: 1
    It does mean that if user A is granted the delete option on B's table T, then A can use SQL*Plus or any other database access method (e.g. ODBC) and delete all records from B.T, subject to any constraints defined in the database. Any security, business rules or other checks built into the Forms-based application are bypassed, of course.

    This is not an argument against giving users access to the database other than via your Forms app, rather it is an argument for defining security and data integrity rules correctly in the database, and against relying on application code to do the job.

    My personal definition of an ideal database "application" is one where the user can fire up SQL*Plus and perform all their work there, without any possibility of violating security or integrity rules. This could be via select, insert, update, delete statements against tables, or (more easily achieved) via calling packaged procedures (in which case the user may not be granted any insert, update, delete access to the tables). The client application is then merely a user-friendly interface to this application. Apart from the security and integrity considerations, this also has the advantage that the very thin client application can be re-written when the next client-side fad comes along with the least amount of work.

    Of course, I have never actually worked on one of my ideal database applications!

  4. #4
    Join Date
    Dec 2003
    Right, we are not as concerned with users modifying objects as we are with them modifying the data within our table structures.

    I like the idea of encasing all updates, inserts, deletes in stored procedures.
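
The packaged-procedure approach discussed in replies #3 and #4, as an added Oracle example that is not part of any post in the thread: users receive EXECUTE on a definer's-rights package and SELECT on the table, but no INSERT, UPDATE or DELETE, so the same rules apply from SQL*Plus, ODBC or Forms. The names APP_OWNER, CLERK_ROLE, ORDERS and ORDER_API are hypothetical.

```sql
-- Constructed example: APP_OWNER, CLERK_ROLE, ORDERS and ORDER_API are hypothetical names.
-- Run as the schema owner (APP_OWNER).

CREATE TABLE orders (
  order_id  NUMBER        PRIMARY KEY,
  status    VARCHAR2(10)  DEFAULT 'OPEN' NOT NULL
            CONSTRAINT orders_status_chk
            CHECK (status IN ('OPEN', 'SHIPPED', 'CANCELLED')),
  amount    NUMBER(10,2)  NOT NULL
            CONSTRAINT orders_amount_chk CHECK (amount > 0)
);

-- AUTHID DEFINER (the default) makes the package run with the owner's
-- privileges, so callers need no direct DML rights on ORDERS.
CREATE OR REPLACE PACKAGE order_api AUTHID DEFINER AS
  PROCEDURE create_order(p_order_id IN NUMBER, p_amount IN NUMBER);
  PROCEDURE cancel_order(p_order_id IN NUMBER);
END order_api;
/

CREATE OR REPLACE PACKAGE BODY order_api AS
  PROCEDURE create_order(p_order_id IN NUMBER, p_amount IN NUMBER) IS
  BEGIN
    -- Table constraints still apply: status defaults to OPEN, amount must be > 0.
    INSERT INTO orders (order_id, amount) VALUES (p_order_id, p_amount);
  END create_order;

  PROCEDURE cancel_order(p_order_id IN NUMBER) IS
  BEGIN
    -- Business rule enforced in the database: only open orders can be cancelled.
    UPDATE orders
       SET status = 'CANCELLED'
     WHERE order_id = p_order_id
       AND status = 'OPEN';
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Order not found or not open');
    END IF;
  END cancel_order;
END order_api;
/

-- Creating a role needs the CREATE ROLE privilege (typically a DBA task).
CREATE ROLE clerk_role;
GRANT EXECUTE ON order_api TO clerk_role;  -- the only way to change data
GRANT SELECT  ON orders    TO clerk_role;  -- read-only access to the table

-- As a user holding CLERK_ROLE, from any client:
--   EXEC app_owner.order_api.cancel_order(42);  -- allowed, rule enforced
--   DELETE FROM app_owner.orders;               -- ORA-01031: insufficient privileges
```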

