Educause Security Discussion mailing list archives

Re: ODBC Access to Oracle

From: Mahmud Rahman <mrahman () MILLS EDU>
Date: Wed, 15 Aug 2018 08:12:19 -0700

We have allowed ODBC access to Banner for over 20 years. A small number of
power users use MS Access and Excel to report from Banner using ODBC
connections. Our DBA grants query access only to certain roles that have
access to sets of Oracle tables and views. No updates/inserts are allowed
this way.

-Mahmud

Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu

On Wed, Aug 15, 2018 at 7:58 AM, Theresa Rowe <rowe () oakland edu> wrote:

We allow reporting access via ODBC to Banner.  In fact it is still our
primary report development tool.  We do not review the report development
prior to use in production.  We do not allow any table updates of any kind
using this method.  It is read-only.

Theresa

On Wed, Aug 15, 2018 at 10:18 AM George J. Silowash <gsilowas () norwich edu>
wrote:

Hello,



I am currently researching the security implications of allowing ODBC
access to an Oracle database, in particular, Ellucian Banner.  I have a
user requesting ODBC access to the Banner database. My gut feeling is to
prohibit this access, but I need more information.



Does anyone have best practices for implementing this? Or, what are the
reasons for prohibiting access? I am most concerned about:



-Data integrity

-Access control of tables and fields

-Accidental database denial of service (a query that is not constrained
appropriately, etc.)



Is Oracle security enforced on an ODBC connection? Some research on other
applications implies that it is not. Any help or guidance would be greatly
appreciated.



Regards,

George

----------------------------------------------------------------

*George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE*

*Chief Information Security Officer*

Norwich University

158 Harmon Drive
<https://maps.google.com/?q=158+Harmon+Drive+%0D%0A+Northfield+VT+05663&entry=gmail&source=g>

Northfield VT 05663
<https://maps.google.com/?q=158+Harmon+Drive+%0D%0A+Northfield+VT+05663&entry=gmail&source=g>

http://www.norwich.edu



--
Theresa Rowe
Chief Information Officer
Oakland University

Current thread:

ODBC Access to Oracle George J. Silowash (Aug 15)
- Re: ODBC Access to Oracle Steve Niedzwiecki (Aug 15)
- Re: ODBC Access to Oracle Thomas Carter (Aug 15)
- Re: ODBC Access to Oracle Theresa Rowe (Aug 15)
  - Re: ODBC Access to Oracle Mahmud Rahman (Aug 15)
- Re: ODBC Access to Oracle Kevin Crider (Aug 15)
- Re: ODBC Access to Oracle Carrie Shumaker (Aug 17)