Re: Private Synonyms
Date: Thu, 12 Dec 2013 08:49:08 +0000
Message-ID: <1386838141.647.8.camel_at_dhoogfr-lpt1>
Hi,
Why would that be fishy?
user2 has received access on the underlying object, to which the private synonym points, directly from scott.
So, no security breach.
regards,
--
Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be<mailto:freek.dhooge_at_uptime.be>
tel +32(03) 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer.html<http://www.uptime.be/disclaimer.html>
On wo, 2013-12-11 at 18:29 -0500, Dick Goulet wrote: All,
Is there anyone other than myself that doesn't think this is right. For those of you who have missed it, like I did, when Oracle started evolving Fine Grained Access Controls (FGA) the role of private synonyms changed. Try this for starters and I'll make it easy:
- install the scott account, we'll need emp.
- create another account, any name you like, I'll use user1.
- create a third account, I'll call it user2.
- as scott grant select on emp to user1.
- as scott grant select on emp to user2.
- as user1 create a private synonym to scott.emp
- as user2 "select * from user1.emp;"
If you go back to a V8 database step 7 above will end in an ORA-00942. If your on V9 or higher, you get data.
Does this sound fishy??? I've opened an itar with Oracle. They referenced note:174368.1 Policies on Synonyms. But this just seems wrong to me. Any other opinion???
Dick Goulet
Senior Oracle DBA.
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Dec 12 2013 - 09:49:08 CET