Home » RDBMS Server » Security » How to stop self password rotation ? (oracle 11gr2 linux 6.2 ( Amazon rds ) )
How to stop self password rotation ? [message #628167] Thu, 20 November 2014 14:30 Go to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Team,

The profile setting PASSWORD_VERIFY_FUNCTION is set to NULL value, we are not using any verify function and at the same time, we would like to stop the self password rotation using alter user command.

>show user
u001
alter user u001 identified by "Password123#";

Is there any alternate way to achive this without using password verify function in the profile for the above user ?

We are using Amazon RDS Oracle instance. We don't have access to SYS and cannot edit those password verify function which is available in rds instnace.

Regards,
siva
Re: How to stop self password rotation ? [message #628171 is a reply to message #628167] Thu, 20 November 2014 15:05 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Use PASSWORD_REUSE_MAX parameter of profile.

SQL Reference
PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused.

Re: How to stop self password rotation ? [message #628173 is a reply to message #628171] Thu, 20 November 2014 15:14 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,

PASSWORD_REUSE_MAX - defines the number of password changes required. We have currently set PASSWORD_REUSE_MAX = UNLIMITED & PASSWORD_REUSE_TIME = UNLIMITED. We would like to reuse the same password and hence this settting. Keeping a non-zero value to eigher of this parameter and rest is set to UNLIMITED -> will force the password cannot be reused.

As per your below message, what value I can configure at this point of time. if end user trying to rotate their own password, they should get error.

Please advise.

Thank you very much
Re: How to stop self password rotation ? [message #628179 is a reply to message #628173] Thu, 20 November 2014 16:59 Go to previous messageGo to next message
EdStevens
Messages: 1376
Registered: September 2013
Senior Member
kesavansundaram wrote on Thu, 20 November 2014 15:14

We would like to reuse the same password


if end user trying to rotate their own password, they should get error.


Sounds self-contradictory to me.
Please explain what you think you want to achieve, and WHY you want to achive that. What PROBLEM are you trying to solve? WHY do you not want the user to "rotate" their password? Exactly what do you mean by "rotate" the password? Prevent any change? Prevent changing to something then back to its existing value?
Re: How to stop self password rotation ? [message #628192 is a reply to message #628173] Fri, 21 November 2014 01:37 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

If you want the password to never been reused then:
SQL> create profile prf limit PASSWORD_REUSE_TIME 0.00001 PASSWORD_REUSE_MAX UNLIMITED;

Profile created.

SQL> create user test identified by test profile prf;

User created.

SQL> grant create session to test;

Grant succeeded.

SQL> conn test/test
Connected.
TEST> alter user test identified by test;
alter user test identified by test
*
ERROR at line 1:
ORA-28007: the password cannot be reused


TEST> alter user test identified by test1;

User altered.

TEST> alter user test identified by test2;

User altered.

TEST> alter user test identified by test3;

User altered.

TEST> alter user test identified by test4;

User altered.

TEST> alter user test identified by test5;

User altered.

TEST> alter user test identified by test6;

User altered.

TEST> alter user test identified by test7;

User altered.

TEST> alter user test identified by test8;

User altered.

TEST> alter user test identified by test9;

User altered.

TEST> alter user test identified by test;
alter user test identified by test
*
ERROR at line 1:
ORA-28007: the password cannot be reused

Re: How to stop self password rotation ? [message #628230 is a reply to message #628179] Fri, 21 November 2014 09:13 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,

reusing the same password is not my actual question. Yes,we can restricting user to reuse same password.

my question is -

I need to restrict user to change their own password. In below, "u001" changing his own password. We need to restrict that. U001 should not be able to change his password. In our user management model, we have given option to change the password in our vpcx console. In the backend, below "alter user" command is getting executed by
rds master user ( in AWS, SYS is restricted and instead this master user is given to customer ). For every db user, our vpcx team maintains metadata which includes the password. At this time, if u001 connects datbase and changes his password, then new password will not be in sync with metadata. This is what we have implemnted as per our client requriement and hence would like to restrict below action

>show user
u001
alter user u001 identified by "Password123#";

Please advise is there any way to restrict ? (password verify funtion is not associated with the profile for this user "u001" because our vpcx team genrate the password randomly ) .

Thank you
kesavan

Re: How to stop self password rotation ? [message #628234 is a reply to message #628230] Fri, 21 November 2014 09:19 Go to previous messageGo to next message
gazzag
Messages: 1118
Registered: November 2010
Location: Bedwas, UK
Senior Member
Don't let them connect to the database with a client that enables them to change their password then.
Re: How to stop self password rotation ? [message #628239 is a reply to message #628230] Fri, 21 November 2014 09:52 Go to previous messageGo to next message
EdStevens
Messages: 1376
Registered: September 2013
Senior Member
kesavansundaram wrote on Fri, 21 November 2014 09:13
For every db user, our vpcx team maintains metadata which includes the password.


Without knowing any more, THAT is a security violation. For what purpose are users' passwords kept. When I create a new user, I purposely immediately expire their account. This forces them to change their password the next time they log on, thus preventing me or anyone else from knowing their password.

I once cancelled my membership on a very well known website (which shall remain nameless) because when I called for some technical support, they were able to tell me what my current password was. I knew that if they were able to see my password, so could anyone else who was motivated enough.
Re: How to stop self password rotation ? [message #628241 is a reply to message #628230] Fri, 21 November 2014 10:13 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator


Quote:
my question is -

I need to restrict user to change their own password.


So why didn't you tell us in these words?

You can restrict them using a database trigger but Ed invaluably pointed the drawbacks of your model.
User password must be known by user himself, ONLY.
Why do you think any other team has to know it?
In addition, even if they encrypt it, they are able to decrypt it (otherwise what could be the purpose?) and so someone else, a not authorized one, will be able to know it and hack your application.

Not only the use should be able to change his password, but he must be constrained to do it regularly.

Re: How to stop self password rotation ? [message #628245 is a reply to message #628241] Fri, 21 November 2014 13:25 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Thank you Mike

I am checking to implement trigger. i am sure the password is not shared to any other team. Only accoutn owner can see the password and change it at any point of time and shares the new password to the user. User creation, drop, password reset & unlock - these action are done by accoutn owner ( for all users in that account ) and hence we want to restrict the password change by own. it should be done only by account owner ( in the backend, we use master user to do any action done by account owner )

Thank you very much
kesavan
Re: How to stop self password rotation ? [message #628246 is a reply to message #628245] Fri, 21 November 2014 13:30 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
it should be done only by account owner


Why?

Quote:
Only accoutn owner can see the password


If he can see then many can.
Why do you need to store the password? What do you do with it?

[Updated on: Tue, 07 April 2015 15:08]

Report message to a moderator

Re: How to stop self password rotation ? [message #628248 is a reply to message #628245] Fri, 21 November 2014 15:33 Go to previous messageGo to next message
EdStevens
Messages: 1376
Registered: September 2013
Senior Member
kesavansundaram wrote on Fri, 21 November 2014 13:25
Only accoutn owner can see the password


And how is that guaranteed?

You might want to ask the IT guys at Home Depot about security.


And it still comes down to business policy. WHY are users not allowed to change their own passwords? You've described (somewhat) what the policy/procedure IS at your organization, but you haven't explained WHY that procedure is in place. It may be the organization's policy/procedure, but it still appears to be a mis-guided, ill-conceived policy/procedure.

Re: How to stop self password rotation ? [message #628378 is a reply to message #628246] Mon, 24 November 2014 10:30 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,
As per client requirement, it is designed in that way. Accoutn owner maintains password roatation ( from his console ) for all users in his account.

I have further written below trigger. This triggers 100% stops all user ( other than rds master user ) from changing their own password. But since this is BEFORE type trigger and event is ALTER and ora_dict_obj_type = 'USER', this trigger gets executed and gives below error even if any user having ALTER USER permission and trying to change default tablespace using ALTER USER command. This trigger should get execute only for password change using ALTER USER command..

create or replace trigger alter_pwd_trigger
 before alter
 on database
 declare
 begin
 if (ora_dict_obj_type = 'USER') and ( ora_dict_obj_name != 'RDS_MASTER_USER')  then
 raise_application_error(-20010,'you cannot change your own password');
 end if;
 end;
 /
for e.g. as rds master user, I granted ALTER USER permssion to one user "TEST01". Further TEST01 connects database and execute below,

TEST01 trying to change own password, but due to trigger, it fails:

SQL> show user
USER is "TEST01"
SQL> alter user test01 identified by "Test5523#";
alter user test01 identified by "Test5523#"
                              *
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20010: you cannot change your own password
ORA-06512: at line 5
TEST01 trying to set default tablespace for another user u101, but gives same error as per trigger which is to be avoided and it should allow to change the tablespce.


SQL> alter user u101 default tablespace schema1_tblspace;
alter user u101 default tablespace schema1_tblspace
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20010: you cannot change your own password
ORA-06512: at line 5
could you please guide me to achive this ?

Thank you
kesavan
Re: How to stop self password rotation ? [message #628379 is a reply to message #628378] Mon, 24 November 2014 11:23 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

You have to test the actual statement.
See ora_sql_txt

Re: How to stop self password rotation ? [message #628645 is a reply to message #628379] Wed, 26 November 2014 13:41 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,
Thank you very much for providing link to refer.

Now I have written below trigger and this trigger does the check as expected. But I need to protect this trigger from other users.
Any DB users ( other than MASTERUSER ) shuld not be able to execute CREATE / ALTER / DROP commands against this trigger. If anyone tried, then I need to raise error to them even if the user has CREATE ANY TRIGGER, ALTER ANY TRIGGER & DROP ANY TRIGGER privileges.

create or replace trigger alter_pwd_trigger
   before alter
   on database
   declare
   begin
     if ( ora_sysevent='ALTER') and (ora_dict_obj_type = 'USER') and ( ora_des_encrypted_password is not null ) then
            if ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) and ( ora_dict_obj_name = 'MASTERUSER')   then
		         raise_application_error(-20010,'you cannot change rds master user password');
            elsif ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) and ( ora_dict_obj_name NOT IN ('MASTERUSER','SYS','SYSTEM','RDSADMIN' )) then
                          raise_application_error(-20010,'you cannot change your own password or others password');
          end if;
     end if;
 end;
 /

--below trigger i have written, it is not working as expected:

create or replace trigger protect_alter_pwd_trigger
before create or atler or drop on database
declare
begin
      IF (ora_login_user != 'MASTERUSER')  THEN
           if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then 
            raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
           END IF;
     end if;
END;
/
could you please guide me ? if the user connected DB is other than MASTERUSER, and if they tried to attempt CREATE/ALTER/DROP commands against the trigger 'ALTER_PWD_TRIGGER' - then error should come .

Thank you
kesavan

[Updated on: Wed, 26 November 2014 13:44]

Report message to a moderator

Re: How to stop self password rotation ? [message #628651 is a reply to message #628645] Wed, 26 November 2014 14:16 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

What does mean " it is not working as expected:"?
For me, there is at least one syntax error.

Re: How to stop self password rotation ? [message #628655 is a reply to message #628651] Wed, 26 November 2014 14:57 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,

There is one user TEST01. DROP ANY TRIGGER is granted to this user. After creating belwo trigger, it should give error as per the trigger. since ora_login_user is TEST01, error should get raise. I created another user TEST02 and I did not grnat DROP ANY TRIGGER permisison to TEST02. h'ever when TEST02 connect and tried to drop the trigger ALTER_PWD_TRIGGER, it gives insufficient privilege error instead of the error specified in the trigger "protect_alter_pwd_trigger".

SQL> show user
USER is "TEST01"
SQL> drop trigger masteruser.alter_pwd_trigger;

Trigger dropped.

create or replace trigger protect_alter_pwd_trigger
before create or atler or drop on database
declare
begin
      IF (ora_login_user != 'MASTERUSER')  THEN
           if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then 
            raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
           END IF;
     end if;
END;
/


Please guid me on the syntax error if any.

Thank you
Re: How to stop self password rotation ? [message #628656 is a reply to message #628655] Wed, 26 November 2014 15:03 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
Please guid me on the syntax error if any.


atler

Re: How to stop self password rotation ? [message #628662 is a reply to message #628656] Wed, 26 November 2014 15:54 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Mike, i corrected that mistake and retried. H'ever error ( as per hte trigger ) is not raised and user who has DROP ANY TRIGGER abel to drop the trigger.

SQL> create or replace trigger protect_alter_pwd_trigger
  2  before create or alter or drop on database
  3  declare
  4  begin
  5        IF (ora_login_user != 'MASTERUSER')  THEN
  6             if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then
  7              raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
  8             END IF;
  9       end if;
 10  END;
 11  /

Trigger created.


SQL> drop trigger masteruser.alter_pwd_trigger;

Trigger dropped.



I tried to print the value of "ora_dict_obj_owner" & "ora_dict_obj_name". but it is not getting printed.
I guess these 2 values not captured. I am not sure for which ora_dict_obj_type, these 2 values can be captured.

or the reason may be as this is a database level trigger, one specific object ( trigger: ALTER_PWD_TRIGGER ) cannot be referenced in this trigger ?


SQL> set serveroutput on
SQL> declare
  2  begin
  3     IF (ora_login_user != 'MASTERUSER')  THEN
  4          if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then
  5             dbms_output.put_line(ora_dict_obj_owner);
  6             dbms_output.put_line(ora_dict_obj_name);
  7           raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
  8          END IF;
  9    end if;
 10  END;
 11  /

PL/SQL procedure successfully completed.
I am checking all the possible values for these 3 events:

ora_dict_obj_name 
ora_dict_obj_owner
ora_dict_obj_type. 
If you have the web url, please share with me. I am also checking now.

\\\\\\\\\\\\\\\\\\\\\
JUST ADDING MY TRACE
\\\\\\\\\\\\\\\\\\\\\

creating one log table and ddl trigger as user TEST01. After creating i am performing CREATE TABLE AND ALTER TABLE and checking informations are captured in log table.



---log table
create table log
  ( operation varchar2(25),
   owner     varchar2(25),
   name      varchar2(25),
  extra     varchar2(4000) );
-- ddl trigger to capture CREATE/ALTER/DROP

create or replace trigger ddl_trigger
    before create or alter or drop on SCHEMA
    declare
        l_sysevent varchar2(25);
    begin
       select ora_sysevent into l_sysevent from dual;
   
       if ( l_sysevent in ('DROP','CREATE') )
       then
           insert into log
          select ora_sysevent, ora_dict_obj_owner,
                       ora_dict_obj_name, null
           from dual;
        commit;
     end if;
 end;
 /


Further i wnated to create one table and check whther it is captured in the log table created above.

create table t ( x int );
alter table t add y int;

select * from log;


---trace

SQL> show user
USER is "TEST01"


SQL> create table log
  2    ( operation varchar2(25),
  3     owner     varchar2(25),
  4     name      varchar2(25),
  5    extra     varchar2(4000) );

Table created.

SQL> create or replace trigger ddl_trigger
  2      before create or alter or drop on SCHEMA
  3      declare
  4          l_sysevent varchar2(25);
  5      begin
  6         select ora_sysevent into l_sysevent from dual;
  7
  8         if ( l_sysevent in ('DROP','CREATE') )
  9         then
 10             insert into log
 11            select ora_sysevent, ora_dict_obj_owner,
 12                         ora_dict_obj_name, null
 13             from dual;
 14          commit;
 15       end if;
 16   end;
 17   /

Trigger created.

SQL> create table t ( x int );

Table created.

SQL> alter table t add y int;

Table altered.
But it is not captured.

SQL> select * from log;

no rows selected

[Updated on: Wed, 26 November 2014 19:01]

Report message to a moderator

Re: How to stop self password rotation ? [message #628679 is a reply to message #628662] Thu, 27 November 2014 00:29 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Quote:
H'ever error ( as per hte trigger ) is not raised and user who has DROP ANY TRIGGER abel to drop the trigger.


I bet you use SYS for this test.

Other test:
SQL> create table log
  2    ( operation varchar2(25),
  3     owner     varchar2(25),
  4     name      varchar2(25),
  5    extra     varchar2(4000) );

Table created.

SQL> create or replace trigger ddl_trigger
  2      before create or alter or drop on SCHEMA
  3      declare
  4          l_sysevent varchar2(25);
  5      begin
  6         select ora_sysevent into l_sysevent from dual;
  7     
  8         if ( l_sysevent in ('DROP','CREATE') )
  9         then
 10             insert into log
 11            select ora_sysevent, ora_dict_obj_owner,
 12                         ora_dict_obj_name, null
 13             from dual;
 14          commit;
 15       end if;
 16   end;
 17   /

Trigger created.

SQL> create table t ( x int );
create table t ( x int )
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-04092: cannot COMMIT in a trigger
ORA-06512: at line 12

So you don't tell all the truth.
Post the result of:
select * from v$version;


Re: How to stop self password rotation ? [message #629467 is a reply to message #628679] Tue, 09 December 2014 09:49 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,

Sorry for the delay. I have written below trigger which works finally. I need to raise custom error message if any user tries to recreate/alter/drop this trigger.

create or replace trigger alter_pwd_trigger
   before alter
   on database
   declare
   begin
     if ( ora_sysevent='ALTER') and (ora_dict_obj_type = 'USER') and ( ora_des_encrypted_password is not null ) then
            if ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM' )) and ( ora_dict_obj_name = 'MASTERUSER')   then
		         raise_application_error(-20010,'you cannot change rds master user password');
            elsif ( ora_login_user NOT IN ('MASTERUSER','SYS','SYSTEM' )) and ( ora_dict_obj_name NOT IN ('MASTERUSER','SYS','SYSTEM' )) then
                          raise_application_error(-20010,'you cannot change your own password or others password');
          end if;
     end if;
 end;
 /




But i am not able to capture this trigger name ( "alter_pwd_trigger" ) as variable ora_dict_obj_name and object type as trigger ( i.e. ora_dict_obj_type = 'TRIGGER' ).



create or replace trigger protect_alter_pwd_trigger
before create or alter or drop on database
declare
begin
      IF (ora_login_user != 'MASTERUSER')  THEN
           if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then 
            raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
           END IF;
     end if;
END;
/
Please guide me.

My oracle version: 11.2.0.4.3 linux 6.3. this is aws rds Oracle instance.

Thank you
kesavan
Re: How to stop self password rotation ? [message #629470 is a reply to message #629467] Tue, 09 December 2014 10:14 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

"i am no able" is not an Oracle error message.
Show us what you have and you have not and expect.

Re: How to stop self password rotation ? [message #629476 is a reply to message #629470] Tue, 09 December 2014 11:02 Go to previous messageGo to next message
kesavansundaram
Messages: 183
Registered: October 2007
Location: MUMBAI
Senior Member
Hi Mike,

i was coming to say the 2nd trigger ( "protect_alter_pwd_trigger" ) is not raising the error message as written inside.

create or replace trigger protect_alter_pwd_trigger
before create or alter or drop on database
declare
begin
      IF (ora_login_user != 'MASTERUSER')  THEN
           if (ora_dict_obj_owner = 'MASTERUSER') and (ora_dict_obj_name = 'ALTER_PWD_TRIGGER')  then 
            raise_application_error(-20010, 'You are not authorized to perform DDL on this trigger..');
           END IF;
     end if;
END;
/
for e.g. if db is connected other than "MASTERUSER" and tried to perform CREATE/ALTER/DROP action agianst the trigger "ALTER_PWD_TRIGGER" owned by "MASTERUSER", then
the error message - 'You are not authorized to perform DDL on this trigger..' should get raise. but it is not getting raised.

I am passing ora_dict_obj_owner = 'MASTERUSER' & ora_dict_obj_name = 'ALTER_PWD_TRIGGER' - which is not being considered. Am I using wrong parameter or ?

Please guide me

Thank you
kesavan
Re: How to stop self password rotation ? [message #629477 is a reply to message #629476] Tue, 09 December 2014 11:21 Go to previous messageGo to next message
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Do not tell, SHOW.

Re: How to stop self password rotation ? [message #635733 is a reply to message #629477] Tue, 07 April 2015 14:53 Go to previous messageGo to next message
Bill B
Messages: 1971
Registered: December 2004
Senior Member
Just curious, why not use the password verification function. Simply check who USER is and fail the validation if it is not the MASTER account or SYS or SYSTEM?
Re: How to stop self password rotation ? [message #635936 is a reply to message #635733] Mon, 13 April 2015 07:07 Go to previous messageGo to next message
Roachcoach
Messages: 1576
Registered: May 2010
Location: UK
Senior Member
What happens when someone modifies/drops the trigger protecting the trigger, then changes the trigger?

Are you going to have triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers protecting triggers? Razz

Methinks the whole architectures needs a bit of a rethink...

[Updated on: Mon, 13 April 2015 07:08]

Report message to a moderator

Re: How to stop self password rotation ? [message #635938 is a reply to message #635733] Mon, 13 April 2015 07:09 Go to previous message
Bill B
Messages: 1971
Registered: December 2004
Senior Member
Bill B wrote on Tue, 07 April 2015 15:53
Just curious, why not use the password verification function. Simply check who USER is and fail the validation if it is not the MASTER account or SYS or SYSTEM?

ONCE AGAIN, DON'T USE TRIGGERS. Use a password verification procedure. Only a dba account can alter it.
Previous Topic: Change control for PL/SQL
Next Topic: Kerberos connection to ORACLE DB 11.2.0.4 get refused
Goto Forum:
  


Current Time: Thu Mar 28 09:05:55 CDT 2024