RE: CREATE DATABASE LINK privilege discussion

From: Taylor, Chris David <ChrisDavid.Taylor_at_ingrambarge.com>
Date: Mon, 31 Oct 2011 07:23:32 -0500
Message-ID: <C5533BD628A9524496D63801704AE56D6A332F0A61_at_SPOBMEXC14.adprod.directory>



I've definitely considered creating a profile and limiting CPU resources. I've come to find out now that others have coded web apps to connect to production using this ID/PWD that are in production.

Pure laziness. Both on the developers' part and the prior admin's part.

This is going to be *fun* trying to regain control of this and aligning everything with the correct security realms.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and delete the contents of this message without disclosing the contents to anyone, using them for any purpose, or storing or copying the information on any medium.

-----Original Message-----
From: Michael Dinh [mailto:mdinh_at_XIFIN.Com]
Sent: Sunday, October 30, 2011 7:03 AM
To: Taylor, Chris David; 'oracle-l_at_freelists.org'
Subject: RE: CREATE DATABASE LINK privilege discussion

Here's an idea for you.

Create a profile, limit the # of sessions per user, configure idle time disconnect, limit resources.

TOAD can spawn multiple sessions when configured to do so.

HTH



From: Taylor, Chris David [ChrisDavid.Taylor_at_ingrambarge.com]
Sent: Saturday, October 29, 2011 8:31 PM
To: Michael Dinh; 'oracle-l_at_freelists.org'
Subject: RE: CREATE DATABASE LINK privilege discussion

I'm in full agreement. I'm fighting a losing battle, it 'seems', with the dev's manager too - which is weird. It is exceedingly strange that 1 Dev complaining about not having access to Production data is reflecting negatively on my image/reputation. Suddenly I'm becoming that "guy who is hard to work with" because I'm insistent that this shouldn't be done.

And for the very reasons you mentioned. I even snapped a screenshot from Grid Control of the activity his session alone was generating.

Frustrating.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent effort."
-- John Ruskin (English Writer 1819-1900)


-----Original Message-----
From: Michael Dinh [mailto:mdinh_at_XIFIN.Com]
Sent: Saturday, October 29, 2011 10:48 AM
To: Taylor, Chris David; 'oracle-l_at_freelists.org'
Subject: RE: CREATE DATABASE LINK privilege discussion

If the developers fully understood the concept of database links other than just a simple connection from one database to another, then I would consider granting it to them, but they don't.

Database links connecting DEV/QA to the PROD database with a read-only account can have an impact on PROD if a huge amount of data is being copied.

Another downside is that the database links are not closed, leaving the sessions still in PROD.

Data should be pushed to DEV from PROD and not pulled from PROD to DEV.

Just a thought.



From: oracle-l-bounce_at_freelists.org [oracle-l-bounce_at_freelists.org] On Behalf Of Taylor, Chris David [ChrisDavid.Taylor_at_ingrambarge.com]
Sent: Saturday, October 29, 2011 8:20 AM
To: 'oracle-l_at_freelists.org'
Subject: CREATE DATABASE LINK privilege discussion

I am curious how many of you grant your developers the 'CREATE DATABASE LINK' privilege in 10g or higher? We have a production read-only account that is set up to provide support for troubleshooting production support issues and one of my developers (out of approximately 20 devs) created a database link from a development database to production for his application.

Now, this is fast becoming an issue and he keeps complaining that he needs that privilege and that he should be able to create as many database links as he wants - wherever he wants (for those environments he has access to including the production support ID).

We (as an organization) have been sloppy in the past in granting 'CREATE DATABASE LINK' but thankfully we have developers who normally understand that you shouldn't use it to create links to a production support id for app dev.

So how do you handle it? Is there a good document on what privs app devs should 'typically' have? A good industry standards doc or some such?

Thanks,

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent effort."
-- John Ruskin (English Writer 1819-1900)


--
http://www.freelists.org/webpage/oracle-l
Received on Mon Oct 31 2011 - 07:23:32 CDT
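
The controls discussed in this thread (finding who can create database links and which links already exist, then capping the shared read-only account with a profile) can be sketched in Oracle SQL as follows. This is an added example, not part of the original messages; the account name PROD_SUPPORT_RO, the profile name, the grantee DEV_USER and all limit values are hypothetical.

```sql
-- Added example. PROD_SUPPORT_RO, PROD_SUPPORT_RO_PROF and DEV_USER are
-- hypothetical names; the limit values are illustrative only.

-- 1. On each DEV/QA database: who holds the privilege (users and roles).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
ORDER  BY grantee;

-- 2. On each DEV/QA database: links that already exist, and the remote
--    account each one connects as.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 3. On PROD: where the shared read-only account is logging in from.
--    Web apps and link sessions show up here by machine and program.
SELECT machine, program, osuser, COUNT(*) AS session_count
FROM   v$session
WHERE  username = 'PROD_SUPPORT_RO'
GROUP  BY machine, program, osuser
ORDER  BY session_count DESC;

-- 4. On PROD: kernel resource limits in a profile are only enforced
--    when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE prod_support_ro_prof LIMIT
  SESSIONS_PER_USER  2      -- concurrent sessions for the account
  IDLE_TIME          30     -- minutes of inactivity before disconnect
  CONNECT_TIME       480    -- minutes of total connect time per session
  CPU_PER_CALL       6000;  -- hundredths of a second per call

ALTER USER prod_support_ro PROFILE prod_support_ro_prof;

-- 5. On DEV/QA: remove the privilege where it is not justified.
REVOKE CREATE DATABASE LINK FROM dev_user;
```

Run step 3 before step 4: the applications reported in the thread as using the same ID would hit the session cap as soon as the profile is assigned.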
