Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Does Oracle Have Anything Similar to SqlServer "Deny" Attribute?

Re: Does Oracle Have Anything Similar to SqlServer "Deny" Attribute?

From: Jared Still <jkstill_at_gmail.com>
Date: Thu, 19 Apr 2007 09:59:36 -0700
Message-ID: <bf46380704190959h28b5a2f3r2f8b82dd92624a0e@mail.gmail.com>


On 4/19/07, Sam Bootsma <sbootsma_at_georgebrown.ca> wrote:
>
> I have recently read the paper "Microsoft SQL Server 2005 for the Oracle
> Professional", and on page 16 of this document it says that "Deny places an
> explicit blocker on a securable … and always takes precedence over all other
> permissions". A securable can be a table. Currently our Developers have
> "select any table" privilege, but I have recently been asked to remove
> access from payroll tables. I can do this via roles, but in our
> environment, there remain lots of ramifications to this. If there was
> something comparable to the "Deny" that Sql Server has, it would greatly
> simply this task.
>

The fact that I am not aware of anything like that in Oracle, doesn't mean it doesn't exist. There have been a lot of new security features in Oracle that I haven't explored, but I don't believe there is an explicit DDL for this.

More to the point, the DENY thing in SQL Server sounds like a workaround to me. It's the whitelist vs. blacklist approach to security, and the DENY is a workaround for the blacklist. (give all privileges and deny the ones folks should not have)

A whitelist is much more secure. It is also more work.

-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Apr 19 2007 - 11:59:36 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US