Are there any websites or books I can consult on user mgmt? We are moving to Oracle, and are nervous about setting up users in Oracle. Wouldn't users, then, be able to use an ODBC-compliant tool, log in, and wreak havoc on the data that may not be allowable through Oracle forms?
It does mean that if user A is granted the delete option on B's table T, then A can use SQL Plus or any other database access method (e.g. ODBC) and delete all records from B.T, subject to any constraints defined in the database. Any security, business rules or other checks built into the Forms-based application are bypassed, of course.
This is not an argument against giving users access to the database other than via your Forms app; rather, it is an argument for defining security and data integrity rules correctly in the database, and against relying on application code to do the job.
My personal definition of an ideal database "application" is one where the user can fire up SQL Plus and perform all their work there, without any possibility of violating security or integrity rules. This could be via select, insert, update, delete statements against tables, or (more easily achieved) via calling packaged procedures (in which case the user may not be granted any insert, update, delete access to the tables). The client application is then merely a user-friendly interface to this application. Apart from the security and integrity considerations, this also has the advantage that the very thin client application can be rewritten when the next client-side fad comes along with the least amount of work.
Of course, I have never actually worked on one of my ideal database applications!
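The packaged-procedure approach described in the answer above, as an added Oracle sketch that is not part of the original posts. The schema names A and B and the table T follow the answer; the columns, the package name `t_api`, the procedure `close_record` and the error number are assumptions made up for illustration.

```sql
-- Connected as B, the schema owner. Integrity rules are declared in the
-- database, so they hold for Forms, SQL*Plus and ODBC sessions alike.
CREATE TABLE t (
  id      NUMBER       PRIMARY KEY,
  status  VARCHAR2(10) DEFAULT 'OPEN' NOT NULL
          CONSTRAINT t_status_chk CHECK (status IN ('OPEN', 'CLOSED')),
  amount  NUMBER(10,2) NOT NULL
          CONSTRAINT t_amount_chk CHECK (amount >= 0)
);

-- Definer's rights: the body runs with B's privileges on T, so callers
-- need EXECUTE on the package and no DML privilege on the table.
CREATE OR REPLACE PACKAGE t_api AUTHID DEFINER AS
  PROCEDURE close_record(p_id IN t.id%TYPE);
END t_api;
/
CREATE OR REPLACE PACKAGE BODY t_api AS
  PROCEDURE close_record(p_id IN t.id%TYPE) IS
  BEGIN
    -- Business rule: only an OPEN row may be closed; nothing is deleted.
    UPDATE t SET status = 'CLOSED'
     WHERE id = p_id AND status = 'OPEN';
    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Record not found or already closed');
    END IF;
  END close_record;
END t_api;
/

-- Weak setup from the question's scenario (left commented out):
--   GRANT DELETE ON t TO a;   -- A could then run DELETE FROM b.t from any client
-- Setup the answer recommends: read access plus the package only.
GRANT SELECT  ON t     TO a;
GRANT EXECUTE ON t_api TO a;

-- Connected as A from SQL*Plus or an ODBC tool:
--   DELETE FROM b.t;                           -- ORA-01031: insufficient privileges
--   BEGIN b.t_api.close_record(1); END;        -- allowed, rule enforced in the body

-- Review check, run as B: direct DML grants that would bypass the package.
SELECT grantee, table_name, privilege
  FROM user_tab_privs_made
 WHERE privilege IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY grantee, table_name;
```

An empty result from the final query means no grantee can change B's tables except through the packaged procedures.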