Re: Invoker-rights/definer-rights response from Oracle Development
Thanks Mogens!
Jared
On Wednesday 01 January 2003 21:03, Mogens Nørgaard wrote:
> Good morning,
>
> A few days ago there was a debate about the issue with
> invoker/definer-stuff. I wrote to Mary Ann Davidson, who's responsible
> for Oracle security things (she's the female guru you may have seen on
> the big posters at Oracle World both in Copenhagen and San Francisco).
> So I forwarded the thread to her, and here's the response from Paul
> Needham of her team (who by the way was impressed with the knowledge
> level of the list contributors).
>
> Mogens
>
> ------------------------------------------------------------------------
>
> The invoker-rights functionality was developed to allow code to be
> shared across multiple schemas. The definer-rights functionality
> sometimes required that the same stored procedure exist in multiple
> locations, creating maintenance headaches. The invoker-rights model
> solves this problem.
>
> Most applications are designed such that the data and application
> program units reside in the same schema. In this situation the issue of
> privilege propagation usually isn't a problem. In situations where a
> program unit depends on an external program unit in a different schema,
> the owner of the external program unit would need to give the other user
> execute privilege explicitly.
>
> Oracle security product management continually reviews enhancement
> requests submitted by customers. To date there hasn't been broad demand
> for new security in this area beyond what has been provided via the
> introduction of the invoker-rights facility. Oracle9i introduced the
> secure application role and global application context which are
> designed for proxy architectures. The secure application role restricts
> enabling a role to a set role command in a named security package. The
> security package can perform its own security checks prior to invoking
> the set role command.
>
> ------------------------------------------------------------------------
Author: Jared Still
Received on Fri Jan 03 2003 - 01:48:36 CST
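The secure application role described in the quoted response, sketched as an added example that is not part of the original thread or of Oracle's reply. The schema, role, package and user names (sec_admin, hr_app_role, hr_role_pkg, app_user, APP_SERVER) and the IP address are constructed placeholders, and the specific checks are assumptions chosen to fit a proxy architecture.

```sql
-- Added example: all object names and the address below are hypothetical.
-- Run as an account allowed to create roles and objects in SEC_ADMIN.

-- 1. The role can only be enabled by a SET ROLE issued from inside
--    the named security package; a bare SET ROLE from the client fails.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_role_pkg;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;
-- (Depending on the release, the role may also have to be granted to
--  the user as a non-default role; check the security guide for yours.)

-- 2. The security package. It must be invoker-rights
--    (AUTHID CURRENT_USER): SET ROLE cannot change the enabled roles
--    from within a definer-rights unit.
CREATE OR REPLACE PACKAGE sec_admin.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec_admin.hr_role_pkg AS
  PROCEDURE enable_hr_role IS
    -- Session attributes used for the package's own checks.
    l_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    l_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Only sessions proxied through the middle tier, coming from the
    -- application server's address, get the role enabled.
    IF l_proxy = 'APP_SERVER' AND l_ip = '192.0.2.10' THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role is not available for this session');
    END IF;
  END enable_hr_role;
END hr_role_pkg;
/

-- 3. The other user needs explicit EXECUTE on the external program
--    unit, as the response notes for cross-schema dependencies.
GRANT EXECUTE ON sec_admin.hr_role_pkg TO app_user;

-- In the application session:
--   BEGIN sec_admin.hr_role_pkg.enable_hr_role; END;
```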