
Fwd: Role security using SQR



Just forwarding a message from a user of SQR

___________________________________________________________________________
Benjamin Le                                           Voice: (503)-977-4970
Portland Community College, Information Technology    Fax  : (503)-977-4987
P.O. Box 19000, Portland, Oregon 97280-0990           Internet: ble@pcc.edu
___________________________________________________________________________



---- Included Message ----

Received: 04-11-96 01:50                         Sent: 04-11-96 16:57
From: ORUNIX:owner-boracle@sctcorp.com
To: boracle@sctcorp.com
Subject: Role security using SQR


Hi all,

We are in the process of upgrading to Banner 2.0, and I have
decided to implement role based security.  All the users will
have a default role of CONNECT only, and when they log into
Banner thru GUAINIT, the SET ROLE command will be run, which
will give the user full object access.  This role is password
protected.

Now, I have used a packaged procedure to get the role password
which is then passed back to the form, which then does the
SET ROLE.  This works great - everything is nicely hidden.

However, my big problem is SQR and ESQR.  Even if I compile
the SQR program, the SQT is still reasonably readable, especially
the commands in the begin-sql and end-sql block.  Within ESQR, a
knowledgeable user could 'edit' or 'view' that sqt file, pick up
the appropriate code piece, then create their own SQR program
(still within ESQR) with the code in it, and then run that SQR,
which will set the role for them so that they have full database
access.

I have been unable to think of any real solution to this problem,
other than the possibility of removing SQR itself (only leaving SQRT
and ESQR), but that is not acceptable to our User Support group.

Has anyone considered this problem at all?  Even if you are already
using 2.1.5 and have SQR, I would appreciate any help or solutions
that you have.  I do not have 2.1.5 here yet, so if there is something
in 2.1.5 that will help, please tell me about it.

Thanks in advance
Karen
---------------------------------------------------
Karen Payten
Database Administrator
Computing and Communication Services
University of New England, Armidale NSW  AUSTRALIA
Email: karen@metz.une.edu.au  Phone: +61 67 733549
---------------------------------------------------
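
An audit for the exposure described in the message above, as an added example that is not part of the original post: it scans compiled report files for an embedded `SET ROLE ... IDENTIFIED BY ...` statement and reports the file, offset and role name without printing the password. It assumes the SQL text sits in the `.sqt` file as plain ASCII, as the message describes; the role name `BAN_FULL` and the sample bytes are constructed and do not reflect the real SQT layout.

```python
import re
import sys
from pathlib import Path

# Oracle "SET ROLE <name> IDENTIFIED BY <password>", case-insensitive.
# The password group is limited to printable ASCII (no space, no ';') so the
# match stops at the binary bytes that follow the statement in the file.
SET_ROLE = re.compile(
    rb"SET\s+ROLE\s+([A-Za-z0-9_$#]+)\s+IDENTIFIED\s+BY\s+([\x21-\x3a\x3c-\x7e]+)",
    re.IGNORECASE,
)


def find_embedded_role_passwords(data: bytes):
    """Return (offset, role, password_length) for every embedded statement.

    Only the length of the password is returned, so the audit output can be
    shared without spreading the secret further.
    """
    return [
        (m.start(), m.group(1).decode("ascii"), len(m.group(2)))
        for m in SET_ROLE.finditer(data)
    ]


def audit_tree(root, pattern="*.sqt"):
    """Scan every file matching `pattern` under `root`; return {path: hits}."""
    report = {}
    for path in sorted(Path(root).rglob(pattern)):
        hits = find_embedded_role_passwords(path.read_bytes())
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample inputs (not real SQT files).
SAMPLE_SQT = (b"\x00\x07SQT\x01\x00begin-sql\x00"
              b"set role BAN_FULL identified by Ex4mplePw\x00end-sql\x00\xff")
CLEAN_SQT = b"\x00\x07SQT\x01\x00begin-select\x00select 1 from dual\x00"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in audit_tree(root).items():
        for offset, role, n in hits:
            print(f"{path}: offset {offset}: SET ROLE {role} "
                  f"with embedded {n}-character password")
```

Any file this reports carries the role password in readable form, so that password should be treated as known to everyone who can read the file.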