[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference ulysse::rdb_vms_competition

Title:DEC Rdb against the World
Moderator:HERON::GODFRIND
Created:Fri Jun 12 1987
Last Modified:Thu Feb 23 1995
Last Successful Update:Fri Jun 06 1997
Number of topics:1348
Total number of notes:5438

342.0. "Rdb, Oracle, Ingres and security" by MERIDN::STAMATIEN (I'd rather be sailing) Tue May 02 1989 09:40

My customer is in the process of choosing a relational database.  The three 
dbms being condiered are Rdb/VMS, Ingres, and Oracle.  My customer is a DOE 
site, therefore security is the highest weight issue.  At this time it looks 
like Oracle is the front-runner, Ingres is a close second, and Rdb is a 
distant third.  The customer is VERY impressed with Oracle security and 
toolset, and with Ingres toolset.  

I've been asked about Rdb security, and it comes down to the need to not only
block unauthorized users using access rights, but reporting successful and 
unsuccessful accesses to tables.  When I last checked, you could only do this 
programmatically (and I've claimed that they only want to log unsuccessful 
update attempts) which would leave SQL, RDO, and other tools not covered.  Is
this still true?  If Rdb access rights cannot be automatically connected to
alarms I'm afraid that we would have not only lost this account but wouldn't
stand a chance in any DOE or DOD security installation. 

Any information on this subject would be appreciated.

Jacqueline
T.RTitleUserPersonal
Name		DateLines
342.1RDB security is betterTAV02::ARIE_LArie LevyThu May 04 1989 12:5922
Hi Jacqueline,
 
It is true that RDB does not give any rejected updates journal,
However, INGRES and ORACLE does not have this facility as well.
(I know it for shure. If they are saying they could, they realy mean they
can program it as part of application. Well, everyone can do it)).

Security wise, RDB has big advantage over those two products:
you can privilage group of users (using ACL) as well as single user.

ORACLE and INGRES support only per-user protection. it means that if JOHN
is moving from sales to finance, you have to do a lot of work to take and give
privilages instead of changing UIC or some identifiers in RDB/VMS. 

In the broader scope, VIA (RDB,RALLY,TEAMDATA) is the best 4GL development
environment on VAXs today.


Regards,

Arie Levy
342.2Sorry i had a mistakeTAV02::ARIE_LArie LevyThu May 04 1989 15:016
I am sorry, ther is one mistake in my previous (.1) reply.
ORACLE does have a feature of define rejected updates audit trial on database 
or table level. This audit will use a special table in the database in which 
all rejected updates will be written (regardless reason of rejection).

Arie Levy
342.3ROWING::FEENANJay Feenan, Database Systems Devel.Thu May 04 1989 21:085
    I would also contact Product Management for non-disclosure information
    in this area.
    
    -Jay
342.4Oracle 1, Rdb 0FINSER::STAMATIENI'd rather be sailingWed May 31 1989 10:188
	It's official, Oracle won based on security.  The customer *REALLY*
	wanted Ingres (they eliminated Rdb based on the lack of user tools),
	but their security department told them that the only product that
	can comply with the latest DOE order (5637) was Oracle.  When
	contacted by our customer Ingres indicated that in their next release 
	they will provide the security features currently available from
	Oracle, but the customer could not buy security features futures and
	they are in the process of purchasing Oracle.
342.5Did the customer REALLY win?SQLRUS::COUGHLANDBS Product ManagementWed May 31 1989 21:5710
>>>>>	It's official, Oracle won based on security.  
    
    
    Did Oracle actually demonstrate the required capability in V6.0?  All
    the info we've seen back here in ivvory-tower-land is that C2 security is
    just as much a future at Oracle as it is for us.  The only difference
    is that they will say "We have it now" and we say "We'll tell you about
    it when we feel that it's real, and not a plan".
342.6Or..Or..Or..Oracle?DPDMAI::DAVISGBUh Oh...another Balloonist!Thu Jun 01 1989 01:3619
    Thought I'd revisit this security thing again.
    
    Now that the customer has chosen Oracle, and the reason was security,
    and given the fact that they are a government site and there is a
    requirement for security.....how do they implement?  Government sites
    can't implement *anything* based upon a requirement until the
    government has certified the product.  C2,B1,B2 etc are all specs that
    haven't been approved by the government.  Oracle can claim all they
    want, but who in the government could implement?  I think no-one.
    
    I have used this argument successfully against a number of government
    sites. 
    
    As for tools.  Lack of tools with Rdb should not be a reason to lose. 
    We give them *more* options, not less.
    
    How about Cost of ownership?  Show them what Oracle is going to cost
    and their finance manager will fall out of his/her chair!
342.7wanted Ingres tools?SNOC02::ANDERSONKThe Unbearable Lightness of BeingFri Jun 02 1989 09:234
    RE: .5 
    
    Gee, I thought in the USA we had Ingres Tools for Rdb, that ran
    over Rdb.......
342.8You are right, but...MERIDN::STAMATIENI'd rather be sailingWed Jun 07 1989 07:4722
< Note 342.7 by SNOC02::ANDERSONK "The Unbearable Lightness of Being" >
                           -< wanted Ingres tools? >-

    RE: .7
    
>>>    Gee, I thought in the USA we had Ingres Tools for Rdb, that ran
>>>    over Rdb.......


	True, but the customer spoke to Ingres about it and RTI informed
	them that Ingres tools for Rdb will be at least six months behind
	any new release of Rdb.  They found that delay unacceptable.

	However, they are willing to live with Oracle V5...

    RE: .6

	We have told the customermany disadvantages we saw for using 
	Oracle, and they say "prove it".  We cannot prove it until 
	we build the system (using Oracle and using Rdb [or even 
	Ingres--which we thought was the lesser of two evils when compared 
	to Oracle]).  Obviously, this is not practical.
342.9Shock! My copy of 5637 is missing!CLYPPR::COUGHLANDBS Product ManagementThu Jun 15 1989 02:0515
    From .4....
    >	but their security department told them that the only product than
    >   can comply with the latest DOE order (5637) was Oracle.  When
    
    No use speculating here... since the DOE negligently omits us from its
    distribution list, we have no idea what DOE Order 5637 requires.  Can
    somebody get a copy for us?  Then we can determine the specific
    product requirements so this doesn't happen again.  As pointed out in a
    later reply (.6?), it is unlikely this order specifies a required and
    verified level of security, since the C2 etc. levels specs are drafts,
    and no verification mechanism is in place. I expect this order requires
    specific feature(s) in products... but I need to see it to understand
    its impact on our product requirements and plans.
    
    Steve
342.1045 days...QUILL::STEINERWed Jun 21 1989 01:1622
    RE: .8
    
    
||  >>>    Gee, I thought in the USA we had Ingres Tools for Rdb, that ran
||   >>>    over Rdb.......
||   
||   
||   	True, but the customer spoke to Ingres about it and RTI informed
||   	them that Ingres tools for Rdb will be at least six months behind
||   	any new release of Rdb.  They found that delay unacceptable.
||   
||   	However, they are willing to live with Oracle V5...
||   
    
    
    The next release of Ingres Tools for Rdb will be available in
    September, 1989.  After that, Ingres Tools for Rdb will be available
    within 45 days of the availability of the same tool on the VMS verson
    of the Ingres DBMS.  If an Ingres rep is saying otherwise, they are
    "misinformed."
    
    Jim