Re: Removing ALL_ views from users

From: Dennis Williams <oracledba.williams_at_gmail.com>
Date: Tue, 31 Mar 2009 16:03:34 -0500
Message-ID: <de807caa0903311403v291d08bcrb294bedcd74854f6_at_mail.gmail.com>



Mayen,

Just so I understand you correctly, you took a list of each of the ALL_ views, and revoked each of them from PUBLIC? Any database problems afterward? Which database version?

Thanks,
Dennis

On Tue, Mar 31, 2009 at 11:10 AM, <Mayen.Shah_at_lazard.com> wrote:

>
> I had a similar request from auditors. I lost half the battle. Instead of
> dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When
> developers complained, I asked them to get approval from auditors... never
> heard back.
>
> Thanks
> Mayen
>
> "Dennis Williams" <oracledba.williams_at_gmail.com>
> Sent by: oracle-l-bounce_at_freelists.org
> Mar 31 2009 12:03 PM
> Please respond to: oracledba.williams_at_gmail.com
> To: "Andrew Kerber" <andrew.kerber_at_gmail.com>
> cc: "oracle-l_at_freelists.org" <oracle-l_at_freelists.org>
> Subject: Re: Removing ALL_ views from users
>
> Thanks Andrew,
>
> That was pretty much my first response. Unfortunately this has gone further
> than that. What I'm asking is:
>
> Has anyone removed access to any of the ALL_ views?
>
> I'm guessing that since the views are PUBLIC, that would need to be revoked
> first.
>
> Thanks,
> Dennis
>
> On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber_at_gmail.com>
> wrote:
> You are talking to an ignorant auditor who thinks the all views show
> everything in the database. If he seriously thinks that knowing other
> usernames is a security risk, go ahead and revoke that one, then explain to
> him that the all* views actually just show objects that each user has access
> to, not everything in the database. I ran into this before, and the problem
> was the guy was trained in accounting, not Oracle.
>
>
> On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams
> <oracledba.williams_at_gmail.com> wrote:
> List,
>
> Some security auditors are stating that the ALL_ views are a security risk
> and are recommending that I revoke them. In particular, they are pointing to
> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
> successfully revoked this access?
>
> Dennis
>
>
>
> --
> Andrew W. Kerber
>
> 'If at first you don't succeed, don't take up skydiving.'
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 31 2009 - 16:03:34 CDT
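
The following is an added example, not part of the original thread or written by any of its participants: Oracle SQL a DBA could run before acting on the auditors' request, to inventory which ALL_ views are granted to PUBLIC, find stored objects that depend on them, and generate (without executing) paired REVOKE and rollback GRANT statements. It assumes a session that can read DBA_TAB_PRIVS and DBA_DEPENDENCIES.

```sql
-- Added example; nothing here changes privileges. Review output before acting.

-- 1. Which SYS-owned ALL_ views (ALL_USERS among them) are granted to PUBLIC?
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name LIKE 'ALL\_%' ESCAPE '\'
 ORDER BY table_name;

-- 2. Which stored objects outside SYS reference an ALL_ view, either directly
--    or through its public synonym? These may go INVALID after a revoke.
--    DBA_DEPENDENCIES covers stored objects only; ad hoc SQL issued by
--    applications and client tools will not appear here.
SELECT owner, name, type, referenced_owner, referenced_name
  FROM dba_dependencies
 WHERE referenced_name LIKE 'ALL\_%' ESCAPE '\'
   AND referenced_owner IN ('SYS', 'PUBLIC')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Generate the REVOKE for each grant together with the GRANT that
--    restores it, so the change can be rolled back exactly.
SELECT 'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;' AS revoke_stmt,
       'GRANT ' || privilege || ' ON ' || owner || '.' || table_name
       || ' TO PUBLIC'
       || DECODE(grantable, 'YES', ' WITH GRANT OPTION', '')
       || ';' AS rollback_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name LIKE 'ALL\_%' ESCAPE '\'
 ORDER BY table_name;
```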
