Comments on: Proxy Users

By: ram

ram — Thu, 23 Feb 2012 22:17:43 +0000

Dennis, what is your Oracle version ?

By: Dennis

Dennis — Mon, 20 Feb 2012 13:38:36 +0000

I did as below but I am getting while connecting thrugh proxy, Anyone can help? [sourcecode] SQL> create user proxy_user 2 identified by pw_proxy 3 default tablespace users 4 temporary tablespace temp; User created. SQL> create user target_user 2 identified by pw_target 3 default tablespace users 4 temporary tablespace temp 5 quota unlimited on users; User created. SQL> alter user target_user grant connect through proxy_user; User altered. SQL> grant create session, 2 create table 3 to target_user; Grant succeeded. SQL> connect target_user/pw_target@dev Connected. SQL> create table targets_table ( 2 col varchar2(10) 3 ); Table created. SQL> insert into targets_table values ('foo'); 1 row created. SQL> connect proxy_user[target_user]/pw_proxy@dev ERROR: ORA-01017: invalid username/password; logon denied Warning: You are no longer connected to ORACLE. [/sourcecode] ========================== Thanks

By: tas_gibbs

tas_gibbs — Thu, 30 Jun 2011 16:04:08 +0000

Can you have a proxy user that owns objects? If so, will this proxy user allow users to query their own data in addition to the proxied id?

By: BI Publisher 10.1.3.2 and VPD « Business Intelligence - Oracle

BI Publisher 10.1.3.2 and VPD « Business Intelligence - Oracle — Mon, 23 Jul 2007 14:27:08 +0000

[...] on July 23rd, 2007. I was going through an interesting post by Jonathan Lewis on Proxy Authentication that is available for end users via Sql Plus in 10g R2. This post made me think about the [...]

By: Philip Douglass

Philip Douglass — Fri, 13 Jul 2007 17:39:46 +0000

Is it possible to use SQL*Plus to connect to an “authentication required” proxy user? The form ‘sqlplus appuser[enduser]/apppassword’ works for normal proxy users, but if proxy authentication is required, the form ‘sqlplus appuser[enduser/endpassword]/apppassword’ is a syntax error.

By: Jonathan Lewis

Jonathan Lewis — Tue, 19 Dec 2006 21:03:14 +0000

Michel, Good point about the end_user account not needing a valid password. My strategy for blocking the end-user from any access to the data is to have an application role protected by a call to a packaged procedure that checks the sys_context(‘userenv’,'proxy_user’) to check that a user had connected legally through the application.
I’ve left the application_user with the ability to create a session so that it could prepare (global) contexts for the end_user before creating a session for them.

By: Laurent Schneider » Blog Archive » su in sqlplus

Laurent Schneider » Blog Archive » su in sqlplus — Tue, 19 Dec 2006 09:25:06 +0000

[...] Thanks to Jonathan Lewis post today Proxy Users, I could imagine using the proxy functionality in sqlplus to do a su [...]

By: Mathew Butler

Mathew Butler — Tue, 19 Dec 2006 08:57:32 +0000

I forgot to thank you for sharing this one! Its good to see we can now do this directly from sql.

Ive just started working with 10.2 and still have the new features guide on my to do list. Notes like this enthuse me to read the docs again.

mat.

By: Mathew Butler

Mathew Butler — Tue, 19 Dec 2006 08:50:29 +0000

I’ve typically seen this feature talked about in an n-tier environment when the application connects to the database via an application server and the application server connects to the database as the same user for all connections. Using this feature means that proper auditing of the real connecting user may take place as you suggest. It also makes for more efficient re-use of JDBC pooled connections and may simplify the pooled connection setup.

As Michel says; I believe that your demo may also work with less privileges for the reasons stated.

You allude to another possible use; testing performance for a specific user without requiring their password. Is this just a convenience or is there more to this? Would you care to say a few more words?

Regards.

By: Michel Cadot

Michel Cadot — Tue, 19 Dec 2006 08:13:26 +0000

Great to know that we can now do it in SQL*Plus.
Just two remarks: application_user does not need to have been granted “create session”, just end_user needs to; end_user does not need to have a valid password.
I think this is one of the purposes of proxy users: end_user can connect only through application which is the only one to know the password of application_user.