Home -> Mailing Lists -> Oracle-L -> RE: CREATE DATABASE LINK privilege discussion

RE: CREATE DATABASE LINK privilege discussion

From: Storey, Robert (DCSO) <"Storey,>
Date: Tue, 1 Nov 2011 09:58:53 -0500
Message-ID: <6727A8A8C9EAF343B21C48BF04DB6453723E05_at_dcsosvms01.dcso.org> 





Maybe a bigger trout is needed?



-----Original Message-----


From: oracle-l-bounce_at_freelists.org


[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Taylor, Chris David

Sent: Monday, October 31, 2011 2:53 PM


To: 'Guillermo Alan Bort'


Cc: 'Joel.Patterson_at_crowley.com'; 'oracle-l_at_freelists.org'
Subject: RE: CREATE DATABASE LINK privilege discussion



I effectively slapped him with a large trout when I told him he was
acting like my 14 year old after he criticized me through IM because he
*assumed* I removed his privs, when in fact he missed a grant - I also
felt the need to point out to him the reason his process broke was
because he failed to identify the grants he needed.
Needless to say, that has *not* helped the situation.
Funny thing is, I've already mentioned replicating the data into both
DEV & PROD so he has access to it.  (We have a dev db that gets rebuilt
from prod every weekend).  That way the data would always exist in prod
and he would always have access to it in the refreshed dev instance.  Of
course, that suggestion hasn't gotten any traction.



Chris Taylor


Sr. Oracle DBA


Ingram Barge Company


Nashville, TN 37205



"Quality is never an accident; it is always the result of intelligent
effort."


-- John Ruskin (English Writer 1819-1900)



CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.



From: alanbort_at_gmail.com [mailto:alanbort_at_gmail.com] On Behalf Of
Guillermo Alan Bort


Sent: Monday, October 31, 2011 2:41 PM


To: Taylor, Chris David


Cc: Joel.Patterson_at_crowley.com; oracle-l_at_freelists.org
Subject: Re: CREATE DATABASE LINK privilege discussion



Just a crazy thought, but if he ABSOLUTELY NEEDS THE DATA, you can set
up some from of replication (if it's a single table AQ or Streams could
work, GG if you have the license) and let him work off a replica of the
data. Probably he needs a subset of tables and not the entire prod
database. That way you remove the need for him to use db links, you come
out as "solution oriented" and you get those dirty, dirty DB links off
your prod database.



That, or slap the developer with a large trout... your call.



Cheers and HTH


Alan.-



On Mon, Oct 31, 2011 at 4:00 PM, Taylor, Chris David
<ChrisDavid.Taylor_at_ingrambarge.com<mailto:ChrisDavid.Taylor_at_ingrambarge.
com>> wrote:


It's good to know that I'm not off base here.  I knew that it was SOP to
keep devs out of production and creating database links was typically
the purview of the Administrators.  Good to know that I wasn't crazy I
guess.



Thanks,



Chris Taylor


Sr. Oracle DBA


Ingram Barge Company


Nashville, TN 37205



"Quality is never an accident; it is always the result of intelligent
effort."


-- John Ruskin (English Writer 1819-1900)



CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.



-----Original Message-----


From: Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>


[mailto:Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>]

Sent: Monday, October 31, 2011 1:52 PM


To: Taylor, Chris David;


oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>
Subject: RE: CREATE DATABASE LINK privilege discussion



Hmmm.  This implies that he needs 'real time' data.   But he is
developing, and probably should be working off of 'refreshed' data,
whenever that was... why can't it be old.   I wouldn't think that he has
to have up to the minute data to develop.



Seems like there might be more going on here than development.  Maybe a
little testing, verification .... something.   These databases normally
are refreshed with data utilizing one method or another...   Everyone
seems to want the latest data, normally these users run reports, but
this is still dev.



The list seems to have formed a consensus around the issue, so you can
take that to heart.



Joel Patterson


Database Administrator


904 727-2546<tel:904%20727-2546>



-----Original Message-----


From: Taylor, Chris David


[mailto:ChrisDavid.Taylor_at_ingrambarge.com<mailto:ChrisDavid.Taylor_at_ingra

mbarge.com>]


Sent: Monday, October 31, 2011 9:27 AM


To: Patterson, Joel;


'oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>'
Subject: RE: CREATE DATABASE LINK privilege discussion



He's using a package in the dev database to query data from production
to build result sets in the dev instance which have views built on top
of them.



Chris Taylor


Sr. Oracle DBA


Ingram Barge Company


Nashville, TN 37205



"Quality is never an accident; it is always the result of intelligent
effort."


-- John Ruskin (English Writer 1819-1900)



CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.




-----Original Message-----


From: Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>


[mailto:Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>]

Sent: Monday, October 31, 2011 8:24 AM


To: Taylor, Chris David;


oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>
Subject: RE: CREATE DATABASE LINK privilege discussion



If he has the password, (hence creating link), then why not just log
directly in?   Things would be faster and easier surely, I mean Shirley.



Joel Patterson


Database Administrator


904 727-2546<tel:904%20727-2546>



-----Original Message-----


From: Taylor, Chris David


[mailto:ChrisDavid.Taylor_at_ingrambarge.com<mailto:ChrisDavid.Taylor_at_ingra

mbarge.com>]


Sent: Monday, October 31, 2011 9:19 AM


To: Patterson, Joel;


'oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>'
Subject: RE: CREATE DATABASE LINK privilege discussion



I *KNOW*.  It's killing me.



Chris Taylor


Sr. Oracle DBA


Ingram Barge Company


Nashville, TN 37205



"Quality is never an accident; it is always the result of intelligent
effort."


-- John Ruskin (English Writer 1819-1900)



CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.




-----Original Message-----


From: Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>


[mailto:Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>]

Sent: Monday, October 31, 2011 7:56 AM


To: Taylor, Chris David;


oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>
Subject: RE: CREATE DATABASE LINK privilege discussion



I cannot remember anyplace I have ever worked that did not have a policy
against connecting to prod from any other database except another
production database.    Sometimes production connects to dev/test/accp,
but never the other direction.



Joel Patterson


Database Administrator


904 727-2546<tel:904%20727-2546>



-----Original Message-----


From:


oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>


[mailto:oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.o

rg>] On Behalf Of Taylor, Chris David


Sent: Saturday, October 29, 2011 11:20 AM
To: 'oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>'
Subject: CREATE DATABASE LINK privilege discussion



I am curious how many of you grant your developers the 'CREATE DATABASE
LINK' privilege in 10g or higher?


We have a production read-only account that is setup to provide support
for troubleshooting production support issues and one of my developers
(out of approximately 20 devs) created a database link from a
development database to production for his application.



Now, this is fast becoming an issue and he keeps complaining that he
needs that privilege and that he should be able to create as many
database links as he wants - wherever he wants (for those environments
he has access to including the production support ID).



We (as an organization) have been sloppy in the past in granting 'CREATE
DATABASE LINK' but thankfully we have developers who normally understand
that you shouldn't use it to create links to a production support id for
app dev.



So how do you handle it?  Is there a good document on what privs app
devs should 'typically' have?  A good industry standards doc or some
such?



Thanks,



Chris Taylor


Sr. Oracle DBA


Ingram Barge Company


Nashville, TN 37205



"Quality is never an accident; it is always the result of intelligent
effort."


-- John Ruskin (English Writer 1819-1900)



CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.



--
http://www.freelists.org/webpage/oracle-l








--
http://www.freelists.org/webpage/oracle-l



--
http://www.freelists.org/webpage/oracle-l


--
http://www.freelists.org/webpage/oracle-l


Received on Tue Nov 01 2011 - 09:58:53 CDT












Original text of this message