Logon Triggers As A Security Mechanism

I’d like to get people's opinions on an idea that's been proposed by my organization's architecture team.
I work in a rapid development environment with an extensive database code base.  A good amount of DDL, Code Complication, and adhoc DML occurs on a weekly basis. 
Currently, we do not share database passwords with anyone.  Our process is far from optimal and the passwords can, at times, land in the hands of developers; but, for the most part, we do our best to keep the passwords secure. We have 20+ databases with 100+ applications and 400+ developers.
The proposed approach from the architecture team involves the sharing of database passwords with development teams, and the use of logon triggers as our security mechanism.  The logon trigger would allow the logon when it’s coming from an approved program/module & host, and would throw an error and block the logon for unapproved.
What’s your opinion of this proposal?  Has anyone ever seen the approach before?  If so, was it successful?

As others have pointed out, the proposal clearly decreases security.  The question is, though, is that the goal?  Is the trade-off of less security worth whatever it is you gain?
You haven't told us anything about the problem you're trying to solve.  You've merely told us the solution that some other team proposed.  Without knowing what the problem is, it's hard to make any guesses about appropriate trade-offs, whether there are alternatives that haven't been discussed, etc.
I've certainly seen situations where there were human bottlenecks in getting code changes applied to development environments that caused developers to do things like re-implement database functionality in the middle tier or overload a column just to avoid the hassle putting a request in to the DBA group to promote the PL/SQL change.  This sort of thing can quickly turn an application into an unmaintainable pile of spaghetti code.  If that's the problem you face today and you can't add additional human resources to relieve the promotion bottleneck, that may be a reasonable trade-off.
By the same token, I've seen plenty of situations where developers had way too much power to accidentally screw up the shared environment by testing a script that inadvertently deleted a bunch of data or that otherwise broke everyone else's code.  That sort of environment can easily make the DBA group more of a bottleneck as now everyone is waiting on the DBA to restore a ton of data rather than to just run a script. 
I've seen login triggers used to add security where the goal was to keep honest people from making an honest mistake.  For example, I've used login triggers in situations where I wanted to prevent myself (or someone else) from inadvertently accessing the wrong environment accidentally.  It's relatively easy to circumvent a login trigger so the question becomes whether you are trying to deal with active attackers or human error.  If you've got a database of sensitive financial information and you've spent oodles of time and effort to encrypt the data in prod and mask the data in the lower environments, using a login trigger will barely phase a developer from being able to log in and steal all the data you've stored.  On the other hand, if you've got a database that doesn't have a lot of sensitive information and your lower environments already contain a complete copy of prod that gets refreshed without masking periodically, you may not be overly concerned that a rogue developer would want to access production to steal some data.  That doesn't protect you from the rogue developer that wants to cripple the system out of revenge, of course, but that's likely to be less of a concern to different companies. 
As with all things, it's a matter of figuring out what problem you're trying to solve and figuring out what trade-offs you're willing to make.
Justin

Similar Messages

  • RSA1 Error during the retrieval of the logon data stored in secure storage

    Hi Gurus,
    when i go and check Source system the connection is OK, and RFC's from BI to R/3  and R/3 to BI is OK (including Authentication).
    but when i go and check Info provider there one customized object ZDTSYS01 is there when i check and and activate it it is giving error as below.
    All DDIC objects have been activated / deleted
    Post Processing/Checking the Activation for DataStore Object ZDTSYS01
    Creating Export DataSource and dependent Objects
    The creation of the export DataSource failed
    Reading the Metadata of ZDTSYS01 ...
    Creating DataSource 8ZDTSYS01 ...
    Error during the retrieval of the logon data stored in secure storage
    Error during the retrieval of the logon data stored in secure storage
    Error when creating the export DataSource and dependent Objects
    Program ID DC4B105KR4QT1KDW9HD7AXYEO retrieved for DataStore object ZDTSYS01
    Error when activating DataStore Object ZDTSYS01
    Deletion of Unused Dictionary Objects ( 3)
    please help me solve this issue
    Thanks in advance
    venkat

    Hi,
    1). Looks like SM59 Remote user has some issues. Can you check whether the user's are locked ?
    2). You can also correct this is TA STMS. Here you navigate to "System Overview (Shift+F6)".
    On the following screen, you select "Generate RFC DESTINATIONS" which can be found under "Extras".
    3). Please click on source system and restore the BW source system
    Please check the below 2 SAP Notes.
    538052 and 644015.This might solve your problem.
    Thanks,
    Arjun

  • Error during the retrieval of the logon data stored in secure storage

    Hi guys,
    Can anyone help us with this webservice Datasource Transport error.We have already done some Webservice datasources before and successfully transported but never had this error before.
    Error during the retrieval of the logon data stored in secure storage.
    Thanks
    Jay.

    Hi,
    maybe the user is not created successfully.
    You can correct this is TA STMS. Here you navigate to "System Overview (Shift+F6)".
    On the following screen, you select "Generate RFC DESTINATIONS" which can be found under "Extras".
    Best,
    Stephan

  • Error during the retrieval of the logon data stored in secure storage RSAR0

    Hi Friends,
    during the replication process of a data source I get the error.
    "Error during the retrieval of the logon data stored in secure storage"  RSAR051
    I found note 538052 but this does not help so much.
    Can some one help me with this?
    Thanks in advance
    Rg. Jimbob

    Hi,
    We are getting  the same error when selecting "Customizing Extractors" option in Source System in TCode: RSA1. Please let me know how did u solved the problem.
    Thanks.

  • Sql Tuning using OEM and Logon triggers

    OEM = 10.2.0.4/Agent 10.2.0.4
    Target = 10.2.0.3 Db
    We have several db users that have session level adjustments made by use of logon triggers. When OEM is used to review one of those session's performance and sql tuning opportunities - are the logon triggers and the session level settings taken into consideration? Another way to ask is if the suggested changes from the sql profiler are making decisions based on the user's session level settings?
    Thank you in advance.
    -abe

    Your logon triggers affect the new sessions. When you monitor with OEM, it is no affect on OEM's activity. Hoping that, your logon trigger did not affect the user which OEM uses to connect to repository DB.

  • Security mechanism

    Hi Jhs team:
    We are planning using "oracle single sign-on" with "programmatic Dynamic Role Based Authorization" as our security control mechanism,
    The example in jhs_tutorial_3.pdf using Struts-Uix architecture and through ValidateLoginUser Action to wrapped Jhsuser objct,
    so, corresponding to our architecture , if we using SSO what is the best practice to put these code about wrapped Jhsuser object ?

    Ting Rung,
    See my reply on your other post about getting the username in an entity object.
    Steven Davelaar.
    JHeadstart Team.

  • Where is the portal30_sso plsql stored package security mechanism ?

    Hi All,
    I'm trying to make new signon page thru a plsql stored package routine test.login , to be recorded in wwsso_ls_configuration_info$ table and therefore to be called by the user browser on each authentication ( i.e. http://machine:port/pls/dbname_portal30_sso/test.login )
    but issuing this address causes 404 page not found, meaning that there is some security repository somewhere in which I have to insert my own "test.login" procedure in.
    In other words, I'm seeking the same mechanism like FND_ENABLED_PLSQL table of the standard plsql cartridge supplied with the eBusiness Suite, in the portal30_sso schema.
    Any help will be much appreciated,
    Gilad.

    Actually you will get the same message if your Package fails in execution. The login page package can infact be in any schema assuming that you are not accessing packages within your package which the owner does not have rights too. In effect the Login page takes the appropriate arguments , displays them, then posts the response to the Login procedure.
    The "How do I customize my Sign-On/Off User Interface in Portal 9.0.2" technote on Portalcenter.oracle.com has a step by step discussion of the process in PL/SQL.

  • APEX logon uses E-Biz security

    Is it possible to setup APEX such that its logon will use the E-biz suite system's security, i.e. use the same user and password as defined in the E-Biz suite.?

    Hi Gary,
    maybe get in contact with Scott Spendolini from Sumner Technologies (http://sumnertechnologies.com/), I think these guys have some experience integrating APEX with eBusiness Suite.
    Patrick
    My APEX Blog: http://inside-apex.blogspot.com
    The ApexLib Framework: http://apexlib.sourceforge.net
    The APEX Builder Plugin: http://sourceforge.net/projects/apexplugin/

  • Too much Time until logon window after applying Security Configuration Wizard on DC

    Hi,
    The scenario is the following:
    Domain Controller on Windows 2012 R2
    DHCP installed on Domain Controller
    Clients: Win7, Win8
    Servers: Win2008/R2, Win2012 R2
    After applying a SCW template on a DC, the logon window takes too much time to appear (after reboot, lock or sign out).
    The seetings in the template are the following:
    Select Server Roles: All of the default options selected by SCW
    Select Client Features: All of the default options selected by SCW
    Select Administration and Other Options: All of the default options selected by SCW
    Select Additional Services: All of the default options selected by SCW
    Handling Unspecified Services: Do not change the startup mode of the service
    Network Security Roles: All of the default options selected by SCW
    Require SMB Security Features: 2 checkboxes marked
    Require LDAP Signing: the checkbox marked
    Outbound Authentication Methods: Domain Accounts
    Outbound Authentication using Domain Accounts: 2 checkboxes marked
    Inbound Authentication Methods: none of the checkboxes marked
    System Audit Policy: Audit successful activities
    The question is:
    What options(s) include/exclude from SCW template that avoid too much time logon windows takes to appear?
    Thanks in advance!

    Hi,
    Based on my research, SCW helps administrators to ensure that only those services, application capabilities, and ports required for the roles to function are available; anything not specifically needed by the roles the server holds will be disabled. These
    tasks above all consume time to implement, which causes the delay for the Windows logon screen to display.
    Therefore, as the way I see it, it is a normal behavior, and I didn’t find any option which could avoid/reduce time spent on applying settings within the SCW template.
    More information for you:
    The Security Configuration Wizard
    https://technet.microsoft.com/en-us/magazine/2007.04.securitywatch.aspx
    Security Configuration Wizard
    https://technet.microsoft.com/en-us/library/cc754997.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • [BIACM0085] Error executing load plan after reverting from LDAP to original security mechanism in BIA 11.1.1.7.1

    We have tried to change authenticaion of BI Apps 11.1.1.7.1 to LDAP, but reverted this due to some other issues. Now we are back with standard authentication, and all functionality seems to work fine, except execution of a load plan.
    When we select (any) plan that was executed earlier, we get an error:
    [BIACM0085] Error executing load plan. Action: Correct the properties selected or entered and retry.
    [BIACM0080] Cause: Application error: MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood Action: Contact your help desk or system administrator.
    According to one of our WLS gurus there is a mismatch between consumer and provider of a web service with a security policy, but we cannot find any difference between a working and this failing environment.
    We already started a trace in WLS, but this does not help us further.
    Any hints on troubleshooting steps or even better resolution are more than welcome, as this is blocking a new full load and further tests.
    Tx,
    Luc

    We have tried to change authenticaion of BI Apps 11.1.1.7.1 to LDAP, but reverted this due to some other issues. Now we are back with standard authentication, and all functionality seems to work fine, except execution of a load plan.
    When we select (any) plan that was executed earlier, we get an error:
    [BIACM0085] Error executing load plan. Action: Correct the properties selected or entered and retry.
    [BIACM0080] Cause: Application error: MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood Action: Contact your help desk or system administrator.
    According to one of our WLS gurus there is a mismatch between consumer and provider of a web service with a security policy, but we cannot find any difference between a working and this failing environment.
    We already started a trace in WLS, but this does not help us further.
    Any hints on troubleshooting steps or even better resolution are more than welcome, as this is blocking a new full load and further tests.
    Tx,
    Luc

  • Opendirectoryd.log recording many,many "triggered" since   update.security.10.8.4.12E1009.2013.003

    How can I change logging level -or- turn off triggering of opendirectoryd to reduce log file activity?
    2013-07-11 17:33:58.903093 EDT - opendirectoryd (build 197.17.1) launched...
    2013-07-11 17:33:59.181908 EDT - Logging level limit changed to 'debug'
    2013-07-11 17:33:59.230907 EDT - Initialize trigger support
    2013-07-11 17:34:00.308131 EDT - Trigger - new node trigger watching for 'opendirectoryd:nodes;register;/Search'
    2013-07-11 17:34:00.308464 EDT - created endpoint for mach service 'com.apple.private.opendirectoryd.rpc' with work limit 10
    2013-07-11 17:34:00.308486 EDT - set default handler for RPC 'reset_cache'
    2013-07-11 17:34:00.308493 EDT - Registered RPC over XPC 'reset_cache' for service 'com.apple.private.opendirectoryd.rpc'
    2013-07-11 17:34:00.308508 EDT - set default handler for RPC 'reset_statistics'
    2013-07-11 17:34:00.308518 EDT - Registered RPC over XPC 'reset_statistics' for service 'com.apple.private.opendirectoryd.rpc'
    2013-07-11 17:34:00.308527 EDT - set default handler for RPC 'show'

    You've got an  incompatible Logitech driver and java was incompletely uninstalled.
    You may have a problem with the Wacom driver.
    I don't know if fixing those things will help.
    There also a few window server errors, but I don't know if they are causal.
    If you can note the time of the hangs, that might help narrow it down in the logs.

  • SM59 logon & security tab

    Hi ,
    Do anybody have any idea what we have to maintain in the tab 'Logon & Security ' in the tcode sm59 in the field 'Authorization For Destination '.
    Regards,
    Anuj

    I understand that your question is closed, but the answers are not particularly usefull... so I wanted to add a comment.
    This controls both the ability to administrate the RFC destination (object S_RFC_ADM activities) and the ability to call the destination as a "client side" security mechanism (object S_ICF activities).
    If the value is maintained in SM59, then these optional objects can be used to isolate sensitive connactions both from being changed within SM59 and from being called (from programs, services, SE37, etc).
    It is a very usefull mechanism, as the RFC connection even if restricted will still be able to do that which it is authorized to do. So you can restrict who can use that context, regardless of the authority of the user in the connection - but not regardless of the caller (the admin or the end user).
    Cheers,
    Julius

  • Reg : change pointer mechanism for triggering the IDOC for delivery note

    Hi ,
    I am working on a change pointer mechanism for triggering the IDOC for delivery note and will be using this message class DESADV.
    So SAP has suggested for assigning the message class DESADV with the function module in MASTERIDOC_CREATE_SMD_DESADV in BD60 transaction code.
    So I was looking to create this MASTERIDOC_CREATE_SMD_DESADV function module in SAP and SAP suggesting that  we should create this MASTERIDOC_CREATE_SMD_DESADV function module as same as the function module MASTERIDOC_CREATE_SMD_MATMAS.
    So do anyone knows that is there any tool has been provided by SAP for creating this function module MASTERIDOC_CREATE_SMD_DESADV in SAP system for triggering the change pointer mechanism for outbound Delivery.
    Thanks !
    Regards,
    Kiran

    Hi,
    When you are change pointer the system itself will take care of sending the changed master data to your partner system and the user will not have any intervention.  If you really wanted to have that then you need to use the change pointers to read the master data which is modified in a custom program and then display that on the screen.  Once the user selects that master data records then trigger an IDOC for creating the idoc for that master data and also flag that master data record as processed in the SAP BDCPS standard table, so that the same record will not be picked. If you wanted to know how the change pointers piece of code is written go through the program RBDMIDOC and you can understand how the change pointers logic is written.
    Thanks,
    Mahesh.

  • Web service security

    Hi
    My development environment is netbeans 6.9 and glassfish v2 server.
    I have developed my web service from wsdl file and is working fine over http. I want to make this over secure connection over https ssl.
    I am following this tutorial
    http://download.oracle.com/docs/cd/E17802_01/webservices/webservices/reference/tutorials/wsit/doc/WSIT_Security9.html#wp151774
    According to above article, i did following
    - right click on my web service
    - selected edit web service attributes
    - checked secure service check box
    - select Transport Security (SSL) as the security mechanism
    The tutorial shows that wsit configuration file is generate on this step under web-inf folder. But in my case this is not happening.
    Could any one let me know what would be the issue here.
    Thanks
    Deepak

    hi
    Can anyone help with this...

  • Unable to receive an email by task scheduler on audit failure in windows server 2008 r2 security log

    Deal All,
    I am sorry in advance if i would be on wrong forum, i have created a task on Server 2008 r2 Domain controller that when an audit failure event triggered in windows security log then an email should reach on my email ID, but unfortunately, nothing happen
    on audit failure.i receive no email from task scheduler.
    kindly suggest me to resolve the issue. I have created Email task on  event ID 4771.
    Thanks.
    Zeeshan Ibrahim Network Administrator

    Hi Zeeshan,
    I have found a hotfix against the same error messages, though it applies to Windows Vista and Windows Server 2008, I am not sure if it will work on your machine.
    Please refer to this KB article below:
    Duplicate triggers are generated incorrectly in scheduled tasks in Windows Vista or in Windows Server 2008
    http://support.microsoft.com/kb/2617046
    Please feel free to let us know if this hotfix couldn’t help you fix this issue.
    Best Regards,
    Amy Wang

Maybe you are looking for

  • Outline stroke with Illustrator scripting

    Hello everybody! I'm making a script. I need to do the outline stroke action. I can't find it in the extendscript anywhere. I can do it from a applescript and call it from my extendscript in CS6 BUT I need my script to run CS5.5 and run on a windows

  • ITunes won't open after uninstalling FCP 7

    I had to reinstall FCP 7 so i used the "uninstall FCS" application that came with it. After doing so i went to check my itunes while it re-installed. I suddenly got a " you are not authorized on this computer" message. And only had an OK as a respons

  • Get user input and find file and read it.....argh

    Ok, so I have to write a program that asks a user for the name of the file they want opened and then it is to read it and then display the max score and the minimum score on the file. also to display the average score on the file. Along with that it

  • Maintain license key for third party product in sap PI

    HI, I have install third party product in SAP PI SLD for an application, How can i specify the key or license agreement for the third party product. Where i have to maintain the key for Third party product in SAP PI. Regards Niraj

  • PPR event in poplist

    Hi, My requirement is like this, From dropdown list, the approvers will be able to select “Vehicle Specific” or “Other”. 1.     If the approver selects “Vehicle Specific” then they will be required to enter VIN and Customer #. Work Order number entry