
RE: Authorete

From: April Wells <AWells_at_csedge.com>
Date: Fri, 12 Mar 2004 08:14:34 -0600
Message-ID: <0C3690346404A94CBF4DDDD4724FC614102A8CAB@csmail.corpsys.csedge.com>

you have to use the pointy clicky and it has to have xyz privileges and it looks at abc table and it expects abc table to be abc instead of THE$AUTHORETE$AUTH.a and THE$AUTHORETE$AUTH.b and THE$AUTHORETE$AUTH.c  

BUT   THE$AUTHORETE$AUTH can also DROP its tables and alter its tables (NOT that I have had anyone log in as an APPS owner and drop a production table and wait a week to fess up to it ... but.. ya know... ).

SO...  

JOEBLOW userid has to log in and see the USER table and the PRIVILEGE table and the GRANT table with those <exact> ever so clever names and everyone who uses the front end has to have the ability to know that userid and password... but if they know the THE$AUTHORETE$AUTH userid they can not only alter data and use the pointy clicky, they can TRASH whatever it owns.  

This really wasn't that complicated... I know what I need it to do and what I need it not to be able to do, I just walked into this project in the middle of the conversation because the person who didn't leave documentation on anything (ya know... like passwords or what anything is about with the stupid product) is in MEXICO and they needed to upgrade the objects and they needed to pipe in SQL Server data, but NEEDED to use the pointy clicky to get the data in because "I" am not allowed to get any information on the SQL Server end to be of any assistance and the tech on the phone said just drop all of the objects and let the pointy clicky do it (so everything that the Authorete DBA did in the first place ... with no documentation... went bye bye after all of the underlying objects were dropped... and the JOEBLOW user could no longer log in because it wanted the USER and the PRIVILEGE table to be "USER" and "PRIVILEGE" not THE$AUTHORETE$AUTH.USER or THE$AUTHORETE$AUTH.PRIVILEGE....   AND, other than creating all the synonyms to the THE$AUTHORETE$AUTH.<TABLE> under JOEBLOW account... there weren't many other ways I could figure out to make JOEBLOW see USER as USER instead of THE$AUTHORETE$AUTH.USER...

April Wells
Oracle DBA/Oracle Apps DBA
Corporate Systems
Amarillo Texas
@>-->-->--

"Few people really enjoy the simple pleasure of flying a kite" Adam Wells age 11
"Imagination is the highest kite one can fly." Lauren Bacall

-----Original Message-----
From: John Flack [mailto:JohnF_at_smdi.com]
Sent: Friday, March 12, 2004 7:46 AM
To: oracle-l_at_freelists.org
Subject: RE: Authorete

I'm trying to get a handle on exactly what you want the programmers to be able to do, and what you don't want them able to do.  

If you are just trying to keep them from doing DDL, then you give them all their own user accounts, create and grant a "programmer" role with SELECT, INSERT, UPDATE and DELETE on the tables. The tables are owned by a separate application schema to which only you have the password. It might not even have the connect privilege.  

Want to limit the rows on which they may operate too? Look into Virtual Private Database.

Want to give them limited and highly controlled access to DDL? Create a DDL package in the application schema with procedures that do EXECUTE IMMEDIATE commands for each DDL that you want to allow, then grant the programmer role EXECUTE on the package. You can add all kinds of code to control exactly what they can do, and even have it e-mail you every time they use it, to let you know what they are up to.
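
The setup described in the message above, as an added example that is not part of the original thread. APP_OWNER, PROGRAMMER, ORDERS, DDL_AUDIT, DDL_API and the USERS tablespace are hypothetical names, the passwords are placeholders, and an audit table stands in for the e-mail notification.

```sql
-- Added example, run as a DBA. All object names except JOEBLOW are hypothetical.
CREATE USER app_owner IDENTIFIED BY "Placeholder_1"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;  -- no CREATE SESSION: cannot log in
CREATE TABLE app_owner.orders (order_id NUMBER PRIMARY KEY, status VARCHAR2(20));
CREATE TABLE app_owner.ddl_audit (
  run_by VARCHAR2(128), run_at TIMESTAMP DEFAULT SYSTIMESTAMP, stmt VARCHAR2(400));

-- DML only: the role carries no DROP or ALTER on the application tables.
CREATE ROLE programmer;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO programmer;

-- Definer's-rights package: runs with APP_OWNER's privileges and exposes one DDL.
CREATE OR REPLACE PACKAGE app_owner.ddl_api AS
  PROCEDURE add_column(p_table IN VARCHAR2, p_column IN VARCHAR2, p_type IN VARCHAR2);
END ddl_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.ddl_api AS
  PROCEDURE add_column(p_table IN VARCHAR2, p_column IN VARCHAR2, p_type IN VARCHAR2) IS
    l_stmt VARCHAR2(400);
  BEGIN
    -- Allow-list the table and datatype; caller text is never concatenated unchecked.
    IF NVL(UPPER(p_table), '?') NOT IN ('ORDERS') THEN
      RAISE_APPLICATION_ERROR(-20001, 'table not allowed');
    END IF;
    IF NVL(UPPER(p_type), '?') NOT IN ('NUMBER', 'DATE', 'VARCHAR2(100)') THEN
      RAISE_APPLICATION_ERROR(-20002, 'datatype not allowed');
    END IF;
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the input is a single valid identifier.
    l_stmt := 'ALTER TABLE app_owner.' || UPPER(p_table) || ' ADD ('
           || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column) || ' ' || UPPER(p_type) || ')';
    INSERT INTO ddl_audit (run_by, stmt)
      VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), l_stmt);
    EXECUTE IMMEDIATE l_stmt;  -- DDL commits implicitly, audit row included
  END add_column;
END ddl_api;
/
GRANT EXECUTE ON app_owner.ddl_api TO programmer;

-- Each programmer gets a personal login; a private synonym lets a front end
-- that expects unqualified table names resolve ORDERS to the owner's table.
CREATE USER joeblow IDENTIFIED BY "Placeholder_2";
GRANT CREATE SESSION, programmer TO joeblow;
CREATE SYNONYM joeblow.orders FOR app_owner.orders;
```

Because the DDL commits implicitly, calling `add_column` also commits whatever transaction the caller had open.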

-----Original Message-----
From: April Wells [mailto:AWells_at_csedge.com]
Sent: Friday, March 12, 2004 7:49 AM
To: 'oracle-l_at_freelists.org'
Subject: RE: Authorete

Ya know, I was thinking maybe adopting the idea of medieval times... if you get caught screwing around with the tables, I cut off your fingers... but there is this company policy against bodily harm against programmers... the SPCA comes around and fines you for hurting dumb animals...  

This was safer.      

April Wells
Oracle DBA/Oracle Apps DBA
Corporate Systems
Amarillo Texas

-----Original Message-----
From: Goulet, Dick [mailto:DGoulet_at_vicr.com]
Sent: Thursday, March 11, 2004 3:26 PM
To: oracle-l_at_freelists.org
Subject: RE: Authorete

Shackles work very well in that case. Possibly you could borrow a few pairs of handcuffs from the local police department!! *-)  

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA

-----Original Message-----
From: April Wells [mailto:AWells_at_csedge.com]
Sent: Thursday, March 11, 2004 3:08 PM
To: oracle-l_at_freelists.org
Subject: RE: Authorete

no, I don't think that will give me what I'm really after...  

The idea is to tie the hands of the programmers to such an extent that I KNOW what they can and can not do... and how bad they can put me in a bind.  

Received on Fri Mar 12 2004 - 08:10:38 CST
