
Oracle and Security

From: Bruce Page <bpage_at_kimball.com>
Date: Thu, 25 May 2000 09:03:56 -0500
Message-Id: <10508.106676@fatcity.com>



We have a security group that has been given the responsibility to create and drop user ids.

The deal was that they created the user ids and then it was up to the business units to grant the privileges to the user ids. All the security group did was create and drop.

We granted their desire by creating a role for them and granting them the limited security access they needed to get their job done. The security role here is not much more than an administrator position. Their management has said that they do not have to know the technologies; all they have to do is security for them. The business unit I work for has a high regard for security and does not want to give people access that is beyond their ability. Since security does not want to know Oracle, it was decided that they should not have access to root or oracle at the Unix level and should not have access to sys, system, or DBA in Oracle.

Now the security group is wanting the ability to remove all roles and privileges that would allow someone access to the database. So, that would mean that they now want the ability to revoke the DBA role. The only way, at least in 7.3.4, that someone can revoke or grant DBA is if the user id doing the granting or revoking has DBA.

I am considering writing a procedure that would be owned by system that would revoke DBA from a user id and then granting execute on it to the security role. Has anyone tried this? Anyone see any problems with this approach?

Bruce Page
Oracle DBA
Kimball International
Jasper, IN 47549

Received on Thu May 25 2000 - 09:03:56 CDT
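
One way to write the wrapper procedure the post proposes, as an added example that is not the poster's code: it revokes only the fixed DBA role, refuses SYS and SYSTEM, accepts only names the data dictionary already lists as DBA grantees, and logs the caller. The names dba_revoke_log, revoke_dba and sec_admin_role are hypothetical, and it assumes the owning account can read DBA_ROLE_PRIVS and revoke DBA through privileges that still apply inside a stored procedure, where roles are not enabled.

```sql
-- Added example; hypothetical names: dba_revoke_log, revoke_dba, sec_admin_role.
-- Run as the account that will own the procedure (SYSTEM in the post).
CREATE TABLE dba_revoke_log (
  revoked_from VARCHAR2(30),
  requested_by VARCHAR2(30),
  revoked_at   DATE
);

CREATE OR REPLACE PROCEDURE revoke_dba (p_user IN VARCHAR2) AS
  v_user  VARCHAR2(30);
  v_count NUMBER;
  v_cur   INTEGER;
BEGIN
  v_user := UPPER(LTRIM(RTRIM(p_user)));

  -- The wrapper must not be able to strip DBA from the built-in accounts.
  IF v_user IS NULL OR v_user IN ('SYS', 'SYSTEM') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Refusing to revoke DBA from this account');
  END IF;

  -- Accept only a name the data dictionary already lists as a direct DBA
  -- grantee. The text concatenated into the REVOKE below is therefore an
  -- existing grantee name, never free-form caller input.
  SELECT COUNT(*) INTO v_count
    FROM dba_role_privs
   WHERE grantee = v_user
     AND granted_role = 'DBA';
  IF v_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Account does not hold DBA directly');
  END IF;

  -- DDL has to go through dynamic SQL; DBMS_SQL.PARSE executes DDL at once.
  v_cur := DBMS_SQL.OPEN_CURSOR;
  BEGIN
    DBMS_SQL.PARSE(v_cur, 'REVOKE DBA FROM "' || v_user || '"', DBMS_SQL.NATIVE);
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_SQL.CLOSE_CURSOR(v_cur);
      RAISE;
  END;
  DBMS_SQL.CLOSE_CURSOR(v_cur);

  -- USER is the logged-in caller here, not the procedure owner.
  INSERT INTO dba_revoke_log VALUES (v_user, USER, SYSDATE);
  COMMIT;
END revoke_dba;
/

GRANT EXECUTE ON revoke_dba TO sec_admin_role;
```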
