Re: Removing ALL_ views from users

Date: Tue, 31 Mar 2009 12:10:25 -0400

I had a similar request from auditors. I lost half the battle. Instead of dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When developers complained, I asked them to get approval from auditors... never heard back.


"Dennis Williams" wrote on Mar 31 2009 12:03 PM:
To: "Andrew Kerber"
Subject: Re: Removing ALL_ views from users

Thanks Andrew,  

That was pretty much my first response. Unfortunately this has gone further than that. What I'm asking is:  

     Has anyone removed access to any of the ALL_ views?  

I'm guessing that since the views are PUBLIC, that would need to be revoked first.  


On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <> wrote:
You are talking to an ignorant auditor who thinks the all views show everything in the database. If he seriously thinks that knowing other usernames is a security risk, go ahead and revoke that one, then explain to him that the all* views actually just show objects that each user has access to, not everything in the database. I ran into this before, and the problem was the guy was trained in accounting, not Oracle.

On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <> wrote:

Some security auditors are stating that the ALL_ views are a security risk and are recommending that I revoke them. In particular, they are pointing to ALL_USERS as offering a hacker useful information. My guess is that the ALL_ views are granted to PUBLIC. Has anyone had this requirement? Has anyone successfully revoked this access?  


Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

Received on Tue Mar 31 2009 - 11:10:25 CDT
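
Added example, not part of the original thread: one way a DBA could check and carry out the PUBLIC revoke on ALL_USERS discussed above, including the dependency check that predicts what will stop working. It assumes a DBA account with access to the DBA_ dictionary views; the role name APP_DICT_READ is hypothetical.

```sql
-- Added example (not from the thread). Run as a DBA.

-- 1. Confirm how PUBLIC reaches the view and which privilege it holds.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'ALL_USERS'
   AND grantee = 'PUBLIC';

-- 2. Before revoking, list non-SYS objects that reference the view,
--    directly or through its public synonym. These can become INVALID
--    once their owners no longer reach the view through PUBLIC.
SELECT owner, name, type, referenced_owner, referenced_type
  FROM dba_dependencies
 WHERE referenced_name = 'ALL_USERS'
   AND referenced_owner IN ('SYS', 'PUBLIC')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Give access back to the accounts that need it through a role
--    (APP_DICT_READ is a hypothetical name), then revoke from PUBLIC.
--    Use the privilege name that step 1 reported; SELECT is assumed here.
CREATE ROLE app_dict_read;
GRANT SELECT ON sys.all_users TO app_dict_read;
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 4. See what the revoke invalidated and compare with the list from step 2.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;

-- Rollback if applications break:
-- GRANT SELECT ON sys.all_users TO PUBLIC;
```

Privileges received through a role are not visible inside definer's-rights stored PL/SQL, so owners of the objects listed in step 2 need a direct grant rather than the role.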
