Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Global temporary table security

RE: Global temporary table security

From: Mercadante, Thomas F \(LABOR\) <Thomas.Mercadante_at_labor.state.ny.us>
Date: Fri, 18 May 2007 07:40:38 -0400
Message-ID: <ABB9D76E187C5146AB5683F5A07336FFE08DF8@EXCNYSM0A1AJ.nysemail.nyenet> 





Paul,

 



You said it best!  Easier is not better.




The cardinal rule of database security:



Only grant those privs exactly needed by the application.  "Public"
should only be used by Oracle products - never by applications.




Tom

 






This transmission may contain confidential, proprietary, or privileged information which is intended solely for use by the individual or entity to whom it is addressed.  If you are not the intended recipient, you are hereby notified that any disclosure, dissemination, copying or distribution of this transmission or its attachments is strictly prohibited.  In addition, unauthorized access to this transmission may violate federal or State law, including the Electronic Communications Privacy Act of 1985.  If you have received this transmission in error, please notify the sender immediately by return e-mail and delete the transmission and its attachments.








From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Baumgartel, Paul

Sent: Thursday, May 17, 2007 4:55 PM


To: 'sbootsma_at_georgebrown.ca'; oracle-l_at_freelists.org
Subject: RE: Global temporary table security

 



Argh!  "Easier"?  Why not give everyone DBA privileges, then you never
have to worry about grants!

 



Tell the other DBA that regardless of the fact that they're GTTs,
privileges should be granted only as needed.  Period.

 



Paul Baumgartel 


CREDIT SUISSE 



Information Technology 


Securities Processing Databases Americas 
One Madison Avenue 


New York, NY 10010 


USA 



Phone 212.538.1143 


paul.baumgartel_at_credit-suisse.com 


www.credit-suisse.com 

 

 






From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Sam Bootsma

Sent: Thursday, May 17, 2007 4:21 PM


To: oracle-l_at_freelists.org


Subject: Global temporary table security



Hello All,

 



Our Developers are creating Global Temporary tables then granting
select, update, delete, and insert privileges to PUBLIC.  These global
temporary tables will contain sensitive HR data.  I realize the data is
only visible to the current session, but I still don't like having all
privileges granted to PUBLIC.  Can anybody tell me if there is a
credible security risk to granting these tables to PUBLIC?  For example,
due to an Oracle bug or hacking?  Or are there other disadvantages to
granting everything to PUBLIC?  Or is it standard practice to grant
these tables to public?

 



I would like to grant access only to users that will need the table, but
the other DBA prefers to grant PUBLIC, because it is easier.

 



Thanks for any comments!

 

 



Sam Bootsma



Oracle Database Administrator



Information Technology Services


George Brown College



Phone: 416-415-5000 x4933


Fax: 416-415-4836


E-mail: sbootsma_at_georgebrown.ca <mailto:sbootsma_at_georgebrown.ca> 

 







Please access the attached hyperlink for an important electronic
communications disclaimer: 
 


http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html






--
http://www.freelists.org/webpage/oracle-l


Received on Fri May 18 2007 - 06:40:38 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US