Re: DBA's as idiots

Date: Mon, 2 Jun 2008 16:40:43 -0500 (CDT)
I called a vendor out on that situation once. While they didn't grant DBA to their application schema, they did explicitly (and inexplicably) grant SELECT on USER$ to it. When the vendor profusely denied my assertion that their app schema had DBA privs, I offered to show them how, but not before I was labeled an obstructionist. Silly security is such an obstruction!

My offer never was accepted. It's unfortunately still probably that way today. Hopefully those with the app password don't know how to Google...


> I have been on both sides of that conversation. And I have been where this
> DBA may well have been, that is, coming up on an implementation date, getting
> ready to go live with real data, and no one, especially the vendor, has
> bothered to document the reason for all those privileges (like DBA on
> occasion) granted to the application user. And when everyone is too busy to
> document why privileges have been granted, I have often been tempted to do
> what this DBA appears to have done, that is, revoke all privileges until
> someone can explain why they have been granted. Wanting to keep my job, I
> have never actually done this, but I have often been tempted.... Though in
> these days of Sarbanes-Oxley, I could definitely see it happening more
> often. I would rather explain why privileges were revoked today, than
> explain to an accountant 6 months down the road why the privileges were
> granted in the first place.

