Database level user account management? - Forum - OpenEdge RDBMS - Progress Community


  • The basic question: Are there any plans/methods to implement certain user account management functions (password complexity enforcement, password expiration, lock account after X failed attempts) at the database level as opposed to at the application level?

    I have done this at the application level, but if someone is just making a direct database connection there is no way (that I know of) to increment a failed attempt counter. Obviously, the counter would not apply to Security Administrators to prevent someone from intentionally locking out the DBA.

    Message was edited by: tftgpsdn

    Added "password expiration, "

    tftgpsdn

  • Perhaps try setting up a trigger in the _user table to enforce this? If security is on, I don't believe it could be bypassed.

  • What version of Progress?

    In OE10, if you go into Data Administration Tool > Admin > Database options

    you will see 2 options:

    disallow blank userid

    use runtime permissions checking

    Combined with the data security options you can regulate all access to tables and provide sufficient security. If you need more, use auditing.

    Your suggestions however would be a nice feature to have.

  • I don't know if it's even possible to add a trigger to a meta schema table (like _user).

    If it's possible, please be aware that you'll probably need to recompile the data admin tool (and others).

    I would NOT recommend to do that at all! It would be interesting to hear what warnings the tech support has on that matter! But that sounds pretty much like a nightmare with an unsupported config.

  • I guess TechSupport would say: remove the trigger code and reinstall the Progress libraries.

    These tables are frozen and you get warnings when you unfreeze them; but you can. If anyone wants to test it, be my guest, but take the warning very seriously.

  • I bet so.

  • Myself, I wouldn't really want this to be built in to the database since I am sure that many of us would want features that were different from what got implemented. Instead, I think the secret is to control the access to the database and provide data only through a layer which controls authentication.

    Consulting in Model-Based Development, Transformation, and Object-Oriented Best Practice  http://www.cintegrity.com