Re: [QUARANTINE] Re: Re: developer access to alter procedure
Date: Wed, 8 Feb 2012 21:29:10 -0300
That way lays SQL Injection.
Also, why are developers modifying stuff in a productive environment? I am working to remove even readonly access from our prod databases to the developers!
You should have a repository (svn?) with the procedure creation scripts and set up a way to release them (manually, scripted, etc).
Anyway, granting an untrusted user (i.e. not a DBA) the ability to alter a single procedure in another schema potentially gives him the ability to run anything with that schema's privileges, which is generally a bad idea.
On Wed, Feb 8, 2012 at 8:16 PM, Jeff Chirco <JChirco_at_innout.com> wrote:
> Thanks, yours and Andy's examples make sense but not really what I am
> looking for. Say I have user JEFF who wants to create or change a
> procedure that is owned under Schema B, but I don't want JEFF to be able to
> change any procedure under B. I guess maybe if I took your similar
> approach and created a procedure which had a parameter as a clob or
> external file which is code they wanted compiled and then did a execute
> immediate. But that is pretty cumbersome and my developers will give me a
> lot of grief.
> I wish you could just say something like this.
> Grant create any procedure under schema B to JEFF;
> Grant alter procedure b.my_procedure to JEFF;