Skip to Main Content
  • Questions
  • Running Multiple Databases on the Server

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Shailesh.

Asked: January 27, 2001 - 11:31 am UTC

Last updated: January 14, 2013 - 1:10 pm UTC

Version: Oracle 8.0.5

Viewed 1000+ times

You Asked

Dear Tom,

Thanks again for your prompt reply.

I have just discussed this with our managers, and we do agree that next time onwards we shall have an Oracle DBA assisting us right from the start of a project.

Thank You also for telling me to use only 1 instance.

I shall try this in the next few days.

But, i guess that you did not answer to the second part of the email, which i am repeating here -

"Also, the user for the Accounts program at the Oracle server -
is only one user which has DBA rights. And this user being used
by everybody accesing the Accounts data. is it better to have
separate users even for the Accounts program? Also, some of
these users would also be using the Enquiry application, how
should we configure the same user to access both the data?"

For example if the user name on the Oracle server owning the Accounts database objects is - SHAILESH. Then all users are accessing SHAILESH user from the VB6.0 application.

We have an ODBC Connection connecting to user SHAILESH on the Oracle Server. And this ODBC connection settings is configured on all workstations. The VB 6.0 applcication connects through this ODBC connection to access the data of the Accounts program.

Is this configuration ok, or do you feel that i should configure the ODBC connections based on the user accesing the program (i.e. Tom could have a user space on the server, and if Tom logins to the VB6.0 application then it would connect to Tom's table space, and similarly for other users.) Do you think that this would help improve performance in some way?

Thank You for your help.As for your 2 cents - i would give you something more than that - A lot of blessings, for helping us.
Thank You. if you anytime plan to visit Thailand, please let me know.

Best Regards,

Shailesh



and Tom said...

Sorry, I didn't see that part, i concentrated on the first part.

The above situation is very very bad. Terrible. A DBA has extremely powerful privileges. In your installation, I could fire up any GUI database tool I wanted, connect over that odbc connection, and do anything i wanted to any object i wanted to.

It is, in my opinion, a security hole big enough to fly the space shuttle through -- 10 of them across even.

What I suggest is

o you immediately change the password for this account, disabling all access to it except by valid users.

o setup another account, say "APPLICATION". Grant CREATE SESSION and CREATE SYNONYM to this account only for now. Nothing else.

o in the SHAILESH account, grant the barest minimal set of priveleges the people need on the tables. For example, if people should only QUERY table T and use a procedure X to insert/update it --

GRANT SELECT ON T to APPLICATION
GRANT EXECUTE ON X to APPLICATION

do not "over" grant -- don't give them insert or anything on a table if they do not ABSOLUTELY need it.

o in the APPLICATION schema, now create synonyms for all of the objects

CREATE SYNONYM T for SHAILESH.T
CREATE SYNONYM X for SHAILESH.X



Now, change your ODBC connection setup to connect as application/application.

that is step #1. Now you have at least made it so that your end users cannot accidently drop your tables or really do some serious damage. It is not optimal but it is something you can do right now, right away.

Now, as you move on into to future, you should figure out how to use multiple schemas (i am sure that every end user does not need access to every object -- you probably have some set of roles). These schemas would be setup like application above -- with the barest minimal set of privs to do their job. People would start using these schemas instead of all in one. You might have a "clerk" schema, an "admin" schema , a "manager" schema and so on -- each with different capabilities.


To take this further, you would start removing the ability to insert/update/delete tables from the application. You would move ALL of that logic into stored procedures. Now end users must use your logic to change the data, they cannot log in using sqlplus or any other ODBC tool and doing direct inserts/updates/deletes. You would create these procedures, grant execute on them to the appropriate schemas and then REVOKE insert/update/delete on these objects from these schemas.

To take this yet further, you would do the same to queries. Instead of having the query in the application -- the application calls a procedure that returns a ref cursor (see
</code> http://asktom.oracle.com/~tkyte/ResultSets/index.html <code>
for examples). Now, you can remove SELECT priv on tables as well. They must go through your application to query the data. You could create reporting views and what not in the SHAILESH schema and grant select on them to the correct schemas but in general, the queries the application does are stored in stored procedures.

Now, when you find a bug -- you fix the procedure. All applications are IMMEDIATELY updated. Tune a query -- fix the procedure and all applications are IMMEDIATELY updated. No more do you have to install and reinstall and reinstall for patches and such. Your system will be more secure, more robust and easier to maintain and tune.


Rating

  (4 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Great Explanation ..

Vikas Sharma, November 27, 2002 - 7:01 am UTC

hi Tom ,

A usual Great Explanation .. from tom.

Regards,

Vikas Sharma

Export Database

Srinivas M, August 23, 2006 - 10:55 am UTC

Hi Tom,

That was useful. But i have a small concern. I give the scenario as follows. I have a development schema that has all the objects (tables,stored procedures, functions) created in them. I create another user for application access and i grant all permissions on each table to the application user(this is needed since the application relies on dynamic sql), create synonyms for all the objects. Please let me know how do i deploy the same at the client place.

Thanks

Tom Kyte
August 27, 2006 - 3:45 pm UTC



you would use your installation scripts of course? You have those right?

link

Ahmad Al-Sallal, January 10, 2013 - 12:11 am UTC

Hi Tom,
Would you send the new link for http://asktom.oracle.com/~tkyte/ResultSets/index.html

Thanks in advance

link

Ahmad Al-Sallal, January 10, 2013 - 3:31 am UTC

Tom Kyte
January 14, 2013 - 1:10 pm UTC

yes

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library