Home » RDBMS Server » Security » SELECT_CATALOG_ROLE (Oracle 11g R1 on RHEL 5 AS 64bit)
SELECT_CATALOG_ROLE [message #361493] Wed, 26 November 2008 11:30 Go to next message
shaseeb
Messages: 113
Registered: April 2007
Location: Madison, WI
Senior Member
Hi all,

Just wanted some advice about granting developers the SELECT_CATALOG_ROLE. From what I've read and researched it seems like it is not a good idea as it gives them access to SYS schema objects. However, I cannot see any other way around it because my developers need to do schema comparisons from time to time. Even if I were to grant them, say, the SELECT ANY TABLE privilege then they cannot view packages and procedures...they can simply view tables and views. Any suggestions?

Thanks.
Re: SELECT_CATALOG_ROLE [message #361497 is a reply to message #361493] Wed, 26 November 2008 12:07 Go to previous messageGo to next message
Michel Cadot
Messages: 64144
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Give the least privileges they need to do their job.

Regards
Michel
Re: SELECT_CATALOG_ROLE [message #361623 is a reply to message #361493] Thu, 27 November 2008 03:32 Go to previous messageGo to next message
tahpush
Messages: 961
Registered: August 2006
Location: Stockholm/Sweden
Senior Member

shaseeb wrote on Wed, 26 November 2008 18:30
Hi all,
my developers need to do schema comparisons from time to time.
Thanks.


I wonder why ? Seems like poor version control to me
Re: SELECT_CATALOG_ROLE [message #362702 is a reply to message #361623] Wed, 03 December 2008 16:03 Go to previous messageGo to next message
andrew again
Messages: 2577
Registered: March 2000
Senior Member
I've worked in orgs where access is open unless there's a good reason not to, as well as orgs where you could no access without approval. The latter often stops developers from adding value where they sometimes can. Most of us have seen apps that mysteriously slow down, only to find out that some index was accidentally dropped or whatever. Having excessive access can also allow damage to be done like cartesian join runaway queries, access to sensitive data, DB link passwds or whatever.

A good solution is to create a clone of select_catalog_role, and remove anything of concern. Grant that custom role to users.

Search Metalink for SELECT_CATALOG_ROLE vulnerabilities



icon14.gif  Re: SELECT_CATALOG_ROLE [message #362937 is a reply to message #362702] Thu, 04 December 2008 10:56 Go to previous message
shaseeb
Messages: 113
Registered: April 2007
Location: Madison, WI
Senior Member
Thanks Andrew.

Your response was actually helpful. I think I will try that.
Previous Topic: ORA-01031: insufficient privileges
Next Topic: Active Directory Password change
Goto Forum:
  


Current Time: Fri Dec 09 11:27:30 CST 2016

Total time taken to generate the page: 0.07641 seconds