Using a standard plan I have access to the Postgres credentials in Heroku.
https://devcenter.heroku.com/articles/heroku-postgresql-credentials
Am I able to limited user access to running functions only?
I do not wish a user to have ANY other database access.
Related
I need to create a user in an oracle database that only allows connections through JDBC and not through some IDE for example, is this possible?
There's no good, foolproof way to do what you're asking (limit connections based on connection protocol, or other client-side parameters). Any of the session parameters that you could base a database logon trigger or smart application role on can be spoofed or altered to bypass your security filter. The generally accepted approach is to secure a user account's permissions so that it doesn't matter how they connect - their access to and view of the data is always the same.
If you want to limit access just to your application server, do this using firewall rules on the database server that only allow inbound connections from the app server IP on the database port, or (if you have Enterprise Edition) use Oracle Connection Manager to filter access by IP address and Oracle Service Name.
Basically it hard to set this up really securely.
You can use such an approach:
Create DB user with no privileges on Application schema (except for connect)
Grant user password protected ROLE: APP_ROLE. Having access to APP_SCHEMA tables.
In your app, after DB logon execute:
SET ROLE APP_ROLE IDENTIFIED BY "some role's password";
Then execute:
ALTER SESSION SET CURRENT_SCHEMA='APPL_SCHEMA';
So even if anybody know username and password for database, he can connect, but is not allowed to see any data. APP_ROLE's password is hard-coded in your app, or is passed to your app from outer source (config file or databases global context).
So basically you need two passwords to access database data:
user's password
role's password
I am trying to set up tabjolt on one of our tableau servers but i don't have admin access. Using the tabjolt install wizard to connect to a tableau server requires admin access. Is there any way around this?
If not, I may be able to get it temporally, can i set it up via admin so i can run performance tests as another user after that?
tabjolt will require admin access for complete access to Tableau metadata. In the setup docs it states that your admin password will be stored for access to the server. If your admin uses their credentials in the setup process then possibly you could run future tests but I haven't confirmed that.
Other users can be setup to run load tests on their specific workbooks.
Keep in mind that you will also need to be logged into the Windows Server with admin access so tabjolt can access Windows Performance metrics.
tabjolt installation guide
so I have Windows Server 2012 which is running on my virtual machine. I want to have possibility to make anonymous query against LDAP. For example if I'm using software like Softerra LDAP Browser I need to run this program as domain user to be able browse AD groups/users etc. But my point is that I want to be able to do it also as non-domain user(anonymous), or at least using domain user credentials from machine that is not part of the domain.
I was looking for this option in user/group policies, I've grant my user with all privileges that I found - but always with the same result - I was unable to browse LDAP.
So my question is - what have to bet set/changed to be able make anonymous queries against Windows Server LDAP?
I don't know about anonymous queries, but you said that you would also be happy using a domain user from a non-domain machine.
That should work fine. Create a domain user with sufficient privileges to see what you want.
Install a certificate on your LDAP server (or use Kerberos, but that's more annoying on the non-domain machine).
Then do LDAP authentication using the username and password of that domain user.
It works well.
We have a windows application which allow users to connect to SQL using windows authentication.
The problem is the users of that application also have SSMS installed on their desktops so they can also connect to prod db using windows authentication.
Is there any way wherein we can restrict users from accessing prod db using windows authentication on SSMS but they should be able to access windows application from their local system using windows authentication?
If I understand your scenario correctly:
You have an internal local database on Server 'A'
You also have a production database on Server 'A'
Using your custom windows application, users can only see the local non-production databases
However, using SSMS users can see both production and local databases on Server 'A', and you would like only authorized users to be able to see production databases.
If this is the case, what you want to do in SSMS is revoke database view rights to all production databases unless the user is a sysadmin or owner of the database. Run the following on your server:
USE MASTER
GO
DENY VIEW ANY DATABASE TO PUBLIC
GO
After you run the above statement, you will not be able to see any databases in SSMS unless you are a sysadmin or your login is the owner of a database.
Source:https://www.mssqltips.com/sqlservertip/2995/how-to-hide-sql-server-user-databases-in-sql-server-management-studio/
Maybe you could restrict access to your database objects by using application roles ... Msdn: "You can use application roles to enable access to specific data to only those users who connect through a particular application."
We are trying to shape up an old, 2 tier, Delphi based application. It originally uses database authentication, we'd like to transform the db user accounts to global users, so an OID server could perform the authentication instead of the database.
The Delphi program can no longer log into the database if the account is a global user. I'm trying to understand the login protocol, so far without results.
Similar thing happens with SQLDeveloper, I can't connect as a global user. SQLPlus however works with both kinds of users. We checked the information flow with Wireshark. When the dbserver asks back for a password, the SQLPlus sends it, while the SQLDeveloper doesn't send a password when attempting to connect as a global user.
The client sends the application name too in the login request. Is it possible that we have to store the client app name in the LDAP itself?
To connect to Oracle using OID, application must properly configure OCI (Oracle Call Interface). The data access components (which one ?), you are using, must set OCI_ATTR_DISTINGUISHED_NAME session attribute. If that is not done, then you will be not able to connect to Oracle server using ODI and OCI.
You should check your components documentation for this feature. And if it is not implemented, then discuss this issue with the components vendor. Actually, there is not much work to implement, but some work to setup testing environment is required ...