Re: Question about the APEX Admin account.

From: Guillermo Alan Bort <cicciuxdba_at_gmail.com>
Date: Wed, 29 Jun 2011 15:32:50 -0300
Message-ID: <BANLkTinS9kBtdOd3OJjX3LRcWE9+k_d-gg_at_mail.gmail.com>



There are two things to keep in mind.

The APEX 'ADMIN' account is an app-level account, so it has power over APEX and thus can only affect applications. Developers should be vetted and applications should be reviewed.

As Rich mentioned, the FLOWS_**** accounts are very powerful and locked, and they should be kept locked. The main security concern on the database level is that someone might create an object through the APEX developer interface or that someone may inject an application and modify data they are not supposed to. This comes down to good application design, and the risks are reduced by only deploying the runtime on productive environments (and the full development on dev, of course).

hth
Alan.-

On Wed, Jun 29, 2011 at 2:59 PM, Rich Jesse <rjoralist2_at_society.servebeer.com> wrote:

> GBA writes:
>
> > Can you list potential unwanted behavior at the database level (adding,
> > dropping, configuration changes) caused by someone having access to the
> > APEX ADMIN account?
>
> If you're talking about the APEX account, it has full control over just
> about everything APEX, including the ability to insert backdoors into the
> DB via an APEX app.
>
> > The apex schema has some powerful database privileges and the APEX ADMIN
> > account (which I think operates on top of that schema) might be able to
> > somehow take advantage of them.
>
> Again you're a little fuzzy here, but if you mean the "FLOWS_{version}"
> database user, it should be locked as it is both unnecessary and a huge
> risk to keep open. And, yes, it has many DBA-level privs granted to it.
>
> > Am I getting too paranoid about it?
>
> Not at all. It's an admin account. For admins only.
>
> GL!
>
> Rich
>
> --
> http://www.freelists.org/webpage/oracle-l

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jun 29 2011 - 13:32:50 CDT
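As an added example (not part of this thread, and not an Oracle or APEX deliverable), the following Oracle data-dictionary queries let a DBA verify the two points both posters make: that the FLOWS_ schemas are actually locked, and which DBA-level privileges and roles they carry. The `FLOWS\_%` and `APEX\_%` name patterns are assumed to cover the APEX owner schemas across versions; the account name in the final lock statement is a placeholder to be replaced with the schema found by the first query.

```sql
-- Added example: audit the APEX owner schemas (FLOWS_xxxxxx / APEX_xxxxxx).
-- Run as a DBA. Uses standard views DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS.
-- The underscore in the prefix is escaped so LIKE treats it literally.

-- 1. Inventory the APEX owner schemas and their lock status.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.profile
  FROM dba_users u
 WHERE u.username LIKE 'FLOWS\_%' ESCAPE '\'
    OR u.username LIKE 'APEX\_%'  ESCAPE '\'
 ORDER BY u.username;

-- 2. Direct system privileges held by those schemas
--    (the "DBA-level privs" mentioned in the thread).
SELECT p.grantee,
       p.privilege,
       p.admin_option
  FROM dba_sys_privs p
 WHERE p.grantee LIKE 'FLOWS\_%' ESCAPE '\'
    OR p.grantee LIKE 'APEX\_%'  ESCAPE '\'
 ORDER BY p.grantee, p.privilege;

-- 3. Roles granted to those schemas.
SELECT r.grantee,
       r.granted_role,
       r.admin_option
  FROM dba_role_privs r
 WHERE r.grantee LIKE 'FLOWS\_%' ESCAPE '\'
    OR r.grantee LIKE 'APEX\_%'  ESCAPE '\'
 ORDER BY r.grantee, r.granted_role;

-- 4. Exception report: any APEX owner schema that is NOT locked.
--    An empty result is the desired state.
SELECT u.username,
       u.account_status
  FROM dba_users u
 WHERE (u.username LIKE 'FLOWS\_%' ESCAPE '\'
     OR u.username LIKE 'APEX\_%'  ESCAPE '\')
   AND u.account_status NOT LIKE '%LOCKED%';

-- 5. Remediation for anything listed by query 4.
--    FLOWS_NNNNNN is a placeholder; substitute the real schema name.
-- ALTER USER FLOWS_NNNNNN ACCOUNT LOCK;
```

Query 4 is the one worth scheduling: it turns the thread's "keep them locked" advice into a check that can run after every APEX upgrade, since an upgrade creates a new versioned owner schema that should end up locked as well.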
