Yet another undocumented feature allows you to define application schemas
that can only be accessed through a proxy user. This is very useful for
ensuring that no user connects directly to the application schema, even when
they know its password.
Here is how it works:
demo@XEPDB1> create user app_user identified by "app_user";
User created.

demo@XEPDB1> grant create session to app_user;
Grant succeeded.

demo@XEPDB1> conn app_user/app_user@pdb1
Connected.

app_user@XEPDB1> show user
USER is "APP_USER"

demo@XEPDB1> create user my_user identified by "my_user";
User created.

demo@XEPDB1> grant create session to my_user;
Grant succeeded.

demo@XEPDB1> alter user app_user grant connect through my_user;
User altered.

demo@XEPDB1> conn my_user/my_user@pdb1
Connected.

my_user@XEPDB1> show user
USER is "MY_USER"

my_user@XEPDB1> conn my_user[app_user]/my_user@pdb1
Connected.

app_user@XEPDB1> show user
USER is "APP_USER"

app_user@XEPDB1> conn demo/demo@pdb1
Connected.

demo@XEPDB1> alter user app_user PROXY ONLY CONNECT;
User altered.

demo@XEPDB1> conn app_user/app_user@pdb1
ERROR:
ORA-28058: login is allowed only through a proxy
Warning: You are no longer connected to ORACLE.

demo@XEPDB1> conn my_user[app_user]/my_user@pdb1
Connected.

app_user@XEPDB1> show user
USER is "APP_USER"

app_user@XEPDB1> conn demo/demo@pdb1
Connected.

demo@XEPDB1> select username,proxy_only_connect
  2  from dba_users
  3  where username ='APP_USER';

USERNAME             P
-------------------- -
APP_USER             Y

demo@XEPDB1>
The syntax to revoke this change is:
demo@XEPDB1> alter user app_user cancel proxy only connect;
User altered.

demo@XEPDB1> select username,proxy_only_connect
  2  from dba_users
  3  where username ='APP_USER';

USERNAME             P
-------------------- -
APP_USER             N

demo@XEPDB1> conn app_user/app_user@pdb1
Connected.

app_user@XEPDB1> show user
USER is "APP_USER"

app_user@XEPDB1>
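To audit this setting across a database, the following queries are an added example and not part of the original post. They assume SELECT access to DBA_USERS and to the PROXY_USERS dictionary view, and report which schemas have proxy grants, whether direct password logins are still possible, and which proxy a session came through.

```sql
-- Added example: list every schema that either has a proxy grant or is
-- flagged PROXY ONLY CONNECT, and classify how it can be reached.
select u.username                                              as app_schema,
       listagg(p.proxy, ', ') within group (order by p.proxy)  as proxies,
       u.proxy_only_connect,
       case
         when u.proxy_only_connect = 'Y' and count(p.proxy) = 0
           then 'proxy only, but no proxy granted: no login path'
         when u.proxy_only_connect = 'Y'
           then 'ok: reachable only through the listed proxies'
         else 'direct password login still allowed'
       end                                                     as finding
from   dba_users u
       left join proxy_users p
              on p.client = u.username
where  u.proxy_only_connect = 'Y'
   or  p.proxy is not null
group  by u.username, u.proxy_only_connect
order  by u.username;

-- Run inside an application session (for example after
-- conn my_user[app_user]/...): SESSION_USER is the schema in use,
-- PROXY_USER is the account that authenticated (NULL for a direct login).
select sys_context('USERENV', 'SESSION_USER') as session_user,
       sys_context('USERENV', 'PROXY_USER')   as proxy_user
from   dual;
```

With the accounts from the walkthrough above, APP_USER should appear with MY_USER as its proxy, and the finding changes as PROXY ONLY CONNECT is set or cancelled.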