Restricting Development Tools Access To Oracle Production Database.

It's important for reliability, availability, functionality, performance, integrity, stability... of a system to be sure that only DBA will access and manipulate any production sensitive data directly. The best practice tells that any production data, even applicative one, should be accessed and manipulated by DBA(s) only. The end-user should access relevant data using front-end applications, including CRM, CSM, etc. No direct access or/and manipulation to database should be done by the end-user. That's why it's important for DBA to restrict access to production database.

There is a very useful article by Burleson telling about restricting Oracle access:
http://www.dba-oracle.com/t_trigger_restrict_end_user_access.htm
"It's always a best practice to do whatever you can to ensure that your end-users "play by the rules" and only access their Oracle data." (Burleson)
Here's how it will look a login trigger to prevent end-users from using external tools, except DBA(s):
sqlplus / as sysdba
CREATE OR REPLACE TRIGGER restrict_access_ora
  AFTER LOGON ON DATABASE
DECLARE
  v_prog   sys.v_$session.PROGRAM%TYPE;
  v_osuser sys.v_$session.OSUSER%TYPE;
BEGIN
  SELECT program, osuser
    INTO v_prog, v_osuser
    FROM sys.v_$session
   WHERE audsid = USERENV('SESSIONID')
     AND audsid != 0 -- Don't Check SYS Connections
     AND ROWNUM = 1; -- Parallel processes will have the same AUDSID's
  IF (upper(v_prog) LIKE '%TOAD%' OR upper(v_prog) LIKE '%T.O.A.D%' OR -- Toad
     upper(v_prog) LIKE '%SQLNAV%' OR -- SQL Navigator
     upper(v_prog) LIKE '%SQL DEVELOPER%' OR --- SQL Developer
     upper(v_prog) LIKE '%PLSQLDEV%' OR -- PLSQL Developer
     upper(v_prog) LIKE '%BUSOBJ%' OR -- Business Objects
     upper(v_prog) LIKE '%EXCEL%') -- MS-Excel plug-in
     AND upper(v_osuser) not in ('DBA_OS_USER') -- the os user(s) of DBA(s)
   THEN
    RAISE_APPLICATION_ERROR(-20000,
                            'Access is denied. Only DBA(s) can do it.');
  END IF;
END;
Example:
[oracle@localhost ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.1.0.6.0 -
Copyright (c) 1982, 2007, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> CREATE OR REPLACE TRIGGER restrict_access_ora
  2    AFTER LOGON ON DATABASE
  3  DECLARE
  4    v_prog   sys.v_$session.PROGRAM%TYPE;
  5    v_osuser sys.v_$session.OSUSER%TYPE;
  6  BEGIN
  7    SELECT program, osuser
  8      INTO v_prog, v_osuser
  9      FROM sys.v_$session
10     WHERE audsid = USERENV('SESSIONID')
11       AND audsid != 0 -- Don't Check SYS Connections
     AND ROWNUM = 1; -- Parallel processes will have the same AUDSID's
12
13    IF (upper(v_prog) LIKE '%TOAD%' OR upper(v_prog) LIKE '%T.O.A.D%' OR -- Toad
14       upper(v_prog) LIKE '%SQLNAV%' OR -- SQL Navigator
15       upper(v_prog) LIKE '%SQL DEVELOPER%' OR --- SQL Developer
16       upper(v_prog) LIKE '%PLSQLDEV%' OR -- PLSQL Developer
17       upper(v_prog) LIKE '%BUSOBJ%' OR -- Business Objects
18       upper(v_prog) LIKE '%EXCEL%') -- MS-Excel plug-in
19       AND upper(v_osuser) not in ('DBA_OS_USER') -- the os user(s) of DBA(s)
20
21     THEN
22      RAISE_APPLICATION_ERROR(-20000,
23                              'Access is denied. Only DBA(s) can do it.');
24    END IF;
25  END;
26  /
Trigger created.
SQL> show errors;
No errors.
SQL>