Database level user account management?

Posted by Admin on 23-Aug-2007 09:35

The basic question: Are there any plans/methods to implement certain user account management functions (password complexity enforcement, password expiration, lock account after X failed attempts) at the database level as opposed to at the application level?

I have done this at the application level, but if someone is just making a direct database connection there is no way (that I know of) to increment a failed attempt counter. Obviously, the counter would not apply to Security Administrators to prevent someone from intentionally locking out the DBA.

Message was edited by: tftgpsdn

Added "password expiration, "

tftgpsdn

All Replies

Posted by Admin on 23-Sep-2008 14:16

Perhaps try setting up a trigger in the _user table to enforce this? If security is on, I don't believe it could be bypassed.

Posted by davidkerkhofs3 on 28-Nov-2008 03:42

What version of Progress?

In OE10, if you go into Data Administration Tool > Admin > Database options

you will see 2 options:

disallow blank userid

use runtime permissions checking

Combined with the data security options you can regulate all access to tables and provide sufficient security. If you need more, use auditing.

Your suggestions however would be a nice feature to have.

Posted by Admin on 28-Nov-2008 03:47

I don't know if it's even possible to add a trigger to a meta schema table (like _user).

If it's possible, please be aware that you'll probably need to recompile the data admin tool (and others).

I would NOT recommend doing that at all! It would be interesting to hear what warnings tech support has on that matter! But that sounds pretty much like a nightmare with an unsupported config.

Posted by davidkerkhofs3 on 28-Nov-2008 03:54

I guess TechSupport would say: remove the trigger code and reinstall the progress libraries.

These tables are frozen and you get warnings when you unfreeze them; but you can. If anyone wants to test it, be my guest, but take the warning very seriously.

Posted by Admin on 28-Nov-2008 04:13

I bet so.

Posted by Thomas Mercer-Hursh on 28-Nov-2008 11:16

Myself, I wouldn't really want this to be built into the database since I am sure that many of us would want features that were different from what got implemented. Instead, I think the secret is to control the access to the database and provide data only through a layer which controls authentication.

This thread is closed