Re: Privileges by session
Date: Thu, 7 Jan 2010 13:15:33 -0800 (PST)
OK, maybe I'm just evil, but I've gone through this at the last company I was lead DBA at. I was hired with the intention of having me lock down the environment, (they didn't break that to me until a couple weeks in, to be honest...:)) I actually started auditing the databases with my own scripts, tracking the osuser/vs. logins and started to report them, along with the risks. It's not fun and you aren't most people's favorite person, but most developers actually started to appreciate it by the end of my tenure there.
Not sure if it will work, but you may want to look into different authid options: http://www.adp-gmbh.ch/ora/plsql/authid.html
I have always used them with specific user logins, but you may be able to pull the rights right out from under them at the session level this way, too!
"Go away before I replace you with a very small and efficient shell script..."
- On Thu, 1/7/10, Blanchard, William <wblanchard_at_societyinsurance.com> wrote:
From: Blanchard, William <wblanchard_at_societyinsurance.com>
Subject: Privileges by session
Date: Thursday, January 7, 2010, 1:21 PM
I have convinced management to allow me to grant read-only access to the developers. The problem is that they know the application passwords and have been using those passwords to circumvent my controls. Is there a way via a trigger, role, etc to change individual sessions privileges so they have read only (select) permissions? The easiest way would be to change the permissions on the applications but that's not an option. Thank you,
WGB - This email and any information, files, or materials transmitted with it are confidential and are solely for the use of the intended recipient. If you have received this email in error, please delete it and notify the sender.