RE: two instance -- one database
Date: Wed, 24 Sep 2008 12:15:58 -0500 (CDT)
Message-ID: <45045.12.17.117.251.1222276558.squirrel@12.17.117.251>
> I think that COTS applications always have unique concerns. I should have
> been clearer that this is an in-house built app.
>
> But that's a very interesting scenario and approach. Thanks for sharing
> that. I have two questions. Do you include SELECT in DML, sometimes it is
> and.. If you control INS/UPD/DEL via the view only database, I guess that's
> fine, but do you force selects too?
No I don't include SELECT in the category of "DML" since it's not Manipulating anything. I can see restricting the tables from which queries are run being a future requirement, but for now SELECT is wide open.
> Second, why choose to not create any other schemas in our production? You're
> attempting to overcome a security deficiency in the prod database, why not
> create the Gatekeeper schema there? Seems like an aesthetic decision more
> than a practical one.
I'm not sure I follow you. The GRANTs are to PUBLIC, which is a special role that cannot be revoked. How would the gatekeeper prevent access other than perhaps a complex web of triggers?
Rich
-- http://www.freelists.org/webpage/oracle-lReceived on Wed Sep 24 2008 - 12:15:58 CDT