Today I had a situation at my client’s place which I need to tackle as soon as possible and I did tackle it nicely.
I think so…….
Any way let me explain the situation and how I tackle it.
Lets assume there are two database one is prod (live one) and another one dev (development).
There came a request from one non oracle developer that he want to have a readonly access to the “production_note” table in prod database as he wanted to access live data of “production_note” table.
In normal situation if it was development environment then I would have done following:
Login into SQL*Plus as SYSTEM in “prod” database
SQL> connect system/system
Connected.
SQL> create user production identified by production default tablespace users;
User created.
SQL> grant connect, resource to production;
Grant succeeded.
SQL> connect actual_user/actual_user
Connected.
SQL> grant select on production_notes to production;
Grant succeeded.
SQL> connect production/production
Connected.
SQL> create synonym production_notes for actual_user.production_notes;
Synonym created.
Then give him access to this new user.
But now here situation is different.I have security by IP addresses in “prod” database. Only Oracle Application Server and “dev” database server can access the “prod” database and I don’t want to give access to IP address of this developer’s machine. If I do so it might open some loop hole in security infra of my client.
So to tackle this situation I did as follows:
First I did same as above in “Prod” database.
Then I Login into SQL*Plus as SYSTEM in “dev” database
SQL>CREATE PUBLIC DATABASE LINK prod_remote
2 CONNECT TO production IDENTIFIED BY production
3 USING ‘biz11′;
Database link created.
SQL> create user production identified by production default tablespace users;
User created.
SQL> grant connect, resource to production;
Grant succeeded.
SQL> CREATE SYNONYM production_notes
2 FOR production.production_notes;
Synonym created.
Then I just gave him access to this new user in “dev” database without making things complicated for this non oracle user.
Thats it, Mission Accomplished
I hope this post will help somebody and offcourse me as a reference material for future!
4 responses so far ↓
1 Dominic Brooks // Aug 9, 2009 at 3:16 am
Hmm. Trouble is the developer has full access to the production schema. You might have given them a local synonym but they have the full rights of the user that the database link connects as.
If that doesn’t open up a security loop hole in the security infra of your client, I don’t know what does
2 Dominic Brooks // Aug 9, 2009 at 3:17 am
Or, have I misunderstood? The user which the database link connects as only has select on the production_notes table in production? I guess that’s acceptable.
3 rajs // Aug 11, 2009 at 12:47 pm
Yes!
See Dominic what I did is that I first created one dummy Schema in Production Server and gave right of “select” from actual Schema to dummy Schema on selected table (created Synonym too).
Then only I exposed dummy Schema to dummy Schema of Development Server through DB Link. In addition I only allowed this Development Server be able to connect to Production Server through change in SQLNet (in production server) not the developer machine.
4 Oracle // Jul 30, 2010 at 2:05 am
Very informative..database link.
JustOracle.com
Leave a Comment