
RE: Using TOAD on production databases

From: Aragon, Gabriel (GE Commercial Finance) <gabriel.aragon_at_ge.com>
Date: Tue, 17 Aug 2004 11:42:10 -0400
Message-ID: <DA3854DCCE41EA42B603E39691388AC31643BB0D@CINMLVEM05.e2k.ad.ge.com>


You don't need to worry about giving developers many privs; a rookie programmer can do a lot of damage with an innocent select. =)

Also, I remember that in a previous Oracle version (7.3 AFAIR) this instruction provoked an immediate shutdown on NT:

to_number(char_column) -- if the char_column had a non-numeric value.

GAP

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Mercadante, Thomas F
Sent: Tuesday, 17 August 2004 08:33 a.m.
To: 'oracle-l_at_freelists.org'
Subject: RE: Using TOAD on production databases

Venu,

Toad gives them nothing more than SQL*Plus gives them. You are perfectly ok.
Our developers have read-only accounts in our production database. They can
use *any freekin tool* they want to use. I do not base security on the
tool, but on Oracle roles. You *cannot* base your database security on a tool if the user is given an Oracle account. They can
simply log on with a thousand other tools.

Using Oracle roles and grants is the only way to guarantee database security.

Hope this helps.

Tom Mercadante
Oracle Certified Professional

-----Original Message-----
From: Potluri, Venu (IDS AIS SE) [mailto:venu_potluri_at_ml.com]
Sent: Monday, August 16, 2004 8:07 PM
To: oracle-l_at_freelists.org
Subject: RE: Using TOAD on production databases

The only system privilege my developers have is CREATE SESSION. PERIOD. Nobody gets anything else.

We do grant roles that give SELECT access to some tables. We don't grant any
insert, update, delete privileges to any roles.

So, let's say the developer has a valid reason to access production data and
has SELECT privilege on some tables; what exactly does TOAD give this developer above and beyond what I give him as a DBA?
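The privilege model described in the two messages above (CREATE SESSION as the only system privilege, SELECT handed out through a role, no DML grants, and security enforced by the data dictionary rather than by the client tool) can be written down and then verified from the dictionary views. The following is an added example, not a script from this thread or from any poster; the schema APP, the tables ORDERS and CUSTOMERS, the role APP_READONLY and the account DEV_USER are assumed names chosen for illustration.

```sql
-- Added example: least-privilege developer account on Oracle, following the
-- model described in the thread. APP, ORDERS, CUSTOMERS, APP_READONLY and
-- DEV_USER are assumed names.

-- A read-only role: SELECT on the tables the developer has a reason to see.
CREATE ROLE app_readonly;
GRANT SELECT ON app.orders    TO app_readonly;
GRANT SELECT ON app.customers TO app_readonly;

-- The account itself: CREATE SESSION only, no storage quota, plus the role.
CREATE USER dev_user IDENTIFIED BY "placeholder_change_me_1"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;               -- cannot create its own objects
GRANT CREATE SESSION TO dev_user;
GRANT app_readonly   TO dev_user;

-- Verification queries for the DBA. Because the grants live in the data
-- dictionary they apply identically to TOAD, SQL*Plus or any other client.

-- 1. System privileges held by the account: expect no rows (only CREATE SESSION).
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee   = 'DEV_USER'
AND    privilege <> 'CREATE SESSION';

-- 2. Roles held by the account and any roles nested inside the read-only
--    role: expect exactly one row, DEV_USER -> APP_READONLY.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee IN ('DEV_USER', 'APP_READONLY');

-- 3. Object privileges reachable through the role: any row here means a
--    non-SELECT grant (INSERT/UPDATE/DELETE/EXECUTE) leaked into the role.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee   = 'APP_READONLY'
AND    privilege <> 'SELECT';

-- 4. Broad "ANY" system privileges (such as EXECUTE ANY PROCEDURE, mentioned
--    elsewhere in this thread) granted to anything that is not a built-in
--    administrative account: expect no rows for developer accounts.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA');
```

All four checks should return no rows except the second, which should list only the single DEV_USER to APP_READONLY grant. On a multitenant (12c and later) database the user and role are created inside the pluggable database that holds the APP schema; the dictionary views are queried the same way there.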

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
On Behalf Of Raj Jamadagni
Sent: Monday, August 16, 2004 6:29 PM
To: oracle-l_at_freelists.org
Subject: Re: Using TOAD on production databases

There are many words in your first statement that are a security auditor's
dream. I bet Pete F. is using MapQuest to find the fastest route to your office
right now.

So, let me get this straight: ON a PRODUCTION database you are worried that
developers are accessing SYS/SYSTEM objects, so you will block them. Great. But
you don't have a problem if they access production data?? Sarbanes-Oxley ...
and I think you work for a BIG financial company, right??

Developers shouldn't be connecting to a production database without a valid
reason ... period. And no matter which site writes what, the only way to
incorporate security is to use TOAD security. RTFM the TOAD stuff, it is
all explained there.

BTW don't give me any roles but grant me 'execute any procedure' and give me
2 minutes, I'll probably be able to revoke all your roles ... at least I'll
grant myself the DBA role ...

Raj

> Is there any problem with developers using Quest Software's TOAD on
> production databases? Regardless of the functionality in TOAD, a
> developer shouldn't be able to use the DBA functionality in TOAD,
> correct? We grant roles to developers and those roles never include
> any privileges on SYSTEM or SYS owned objects. What made me ask this
> question is a script on www.orafaq.com that shows a way to prevent
> developers from using TOAD on production databases. Any thoughts are
> appreciated.
> Venu Potluri
> Oracle Financials DBA
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to: oracle-l-request_at_freelists.org put
> 'unsubscribe' in the subject line.
> --
> Archives are at http://www.freelists.org/archives/oracle-l/
> FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------

=====
Best Regards
Raj



select mandatory_disclaimer from company_requirements;




Received on Tue Aug 17 2004 - 10:38:15 CDT
