Description of Production Accounts

Each application going to production receives three accounts:

  • a main account which is an application owner account (it will be called AA)
  • a reader account (it will be called AA_R)
  • a writer account (it will be called AA_W)

The AA account is intended for creating and administering the database objects needed by the application. The application itself should then connect and work on the database through the AA_R and AA_W accounts. The AA_R account should be given select privileges on database tables or other objects; the AA_W account should additionally be given insert/delete/update privileges so that it can change the data stored in the schema (but it will not be able to change the structure of the schema).

In summary, AA_R and AA_W cannot perform operations such as:

  • creating tables in the database, triggers, procedures, materialized views, sequences
  • creating roles, database links and defining database types

These operations are allowed only for the main account (AA), as the owner of the application.

AA_R and AA_W can only open and alter their sessions, create views and synonyms, and use existing objects according to the access rights granted to them by the AA user.

If a more complicated access rights policy is needed, the application owner (AA) can define different roles, which can then be dynamically switched on/off in the AA_R and AA_W sessions depending on the context.

Characteristics of the main account (AA) profile:

  • account is locked for 1 minute after 5 login attempts
  • password is forced to be changed to a new one every 365 days
  • you have 10 days to change the password after the first warning, then the account is locked
  • number of simultaneous sessions for the same user is 10
  • sessions are killed after 2 days of inactivity
  • new password needs to comply with a password verification function

Characteristics of the AA_R and AA_W accounts:

  • account is locked for 1 minute after 10 login attempts
  • password never expires
  • number of simultaneous sessions for the same user is 1000
  • sessions are killed after 2 days of inactivity
  • new password needs to comply with a password verification function
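
The account layout and both profiles described above, written as DDL. This is an added example, not the site's own scripts; it assumes an Oracle database (the page does not name the product), and the profile, role, table and verification-function names and the passwords are hypothetical placeholders. Tablespace quotas are left out.

```sql
-- Run as a DBA. Hypothetical names: aa_owner_profile, aa_app_profile,
-- verify_pwd_fn (must already exist in SYS), aa.events, aa.calibration,
-- aa_calib_role.
CREATE PROFILE aa_owner_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/1440     -- unit is days, so 1/1440 = 1 minute
  PASSWORD_LIFE_TIME       365
  PASSWORD_GRACE_TIME      10
  SESSIONS_PER_USER        10
  IDLE_TIME                2880       -- unit is minutes, so 2880 = 2 days
  PASSWORD_VERIFY_FUNCTION verify_pwd_fn;

CREATE PROFILE aa_app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    10
  PASSWORD_LOCK_TIME       1/1440
  PASSWORD_LIFE_TIME       UNLIMITED  -- password never expires
  SESSIONS_PER_USER        1000
  IDLE_TIME                2880
  PASSWORD_VERIFY_FUNCTION verify_pwd_fn;

-- SESSIONS_PER_USER and IDLE_TIME are resource limits; they are enforced
-- only while RESOURCE_LIMIT is TRUE. Password limits always apply.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Passwords below are placeholders.
CREATE USER aa   IDENTIFIED BY "Placeholder_1" PROFILE aa_owner_profile;
CREATE USER aa_r IDENTIFIED BY "Placeholder_2" PROFILE aa_app_profile;
CREATE USER aa_w IDENTIFIED BY "Placeholder_3" PROFILE aa_app_profile;

-- Owner: may change the structure of the schema.
GRANT CREATE SESSION, CREATE TABLE, CREATE TRIGGER, CREATE PROCEDURE,
      CREATE MATERIALIZED VIEW, CREATE SEQUENCE, CREATE ROLE,
      CREATE DATABASE LINK, CREATE TYPE TO aa;
-- Reader/writer: sessions, views and synonyms only; no structural DDL.
GRANT CREATE SESSION, ALTER SESSION, CREATE VIEW, CREATE SYNONYM TO aa_r, aa_w;

-- Run as AA: data access is granted per object by the owner.
GRANT SELECT ON aa.events TO aa_r, aa_w;
GRANT INSERT, UPDATE, DELETE ON aa.events TO aa_w;

-- Run as AA: optional role that is granted but switched off by default.
CREATE ROLE aa_calib_role;
GRANT UPDATE ON aa.calibration TO aa_calib_role;
GRANT aa_calib_role TO aa_w;
-- Run as a DBA: keep the role disabled at login.
ALTER USER aa_w DEFAULT ROLE ALL EXCEPT aa_calib_role;
-- In an AA_W session: SET ROLE aa_calib_role;  (switch off with SET ROLE NONE;)
```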


Topic revision: r4 - 2005-11-29 - unknown