Re: [QUARANTINE] Re: Re: developer access to alter procedure

From: Guillermo Alan Bort <>
Date: Wed, 8 Feb 2012 21:29:10 -0300
Message-ID: <>

That way lays SQL Injection.
Also, why are developers modifying stuff in a productive environment? I am working to remove even readonly access from our prod databases to the developers!

You should have a repository (svn?) with the procedure creation scripts and set up a way to release them (manually, scripted, etc).

Anyway, granting an untrusted user (i.e. not a DBA) the ability to alter a single procedure in another schema potentially gives him the ability to run anything with that schema's privileges, which is generally a bad idea.


On Wed, Feb 8, 2012 at 8:16 PM, Jeff Chirco <> wrote:

> Thanks, yours and Andy's examples make sense but not really what I am
> looking for. Say I have user JEFF who wants to create or change a
> procedure that is owned under Schema B, but I don't want JEFF to be able to
> change any procedure under B. I guess maybe if I took your similar
> approach and created a procedure which had a parameter as a clob or
> external file which is code they wanted compiled and then did a execute
> immediate. But that is pretty cumbersome and my developers will give me a
> lot of grief.
> I wish you could just say something like this.
> Grant create any procedure under schema B to JEFF;
> Grant alter procedure b.my_procedure to JEFF;

Received on Wed Feb 08 2012 - 18:29:10 CST

Original text of this message