Re: Private Synonyms

From: D'Hooge Freek <>
Date: Thu, 12 Dec 2013 08:49:08 +0000
Message-ID: <1386838141.647.8.camel_at_dhoogfr-lpt1>


Why would that be fishy?
user2 has received access on the underlying object, to which the private synonym points, directly from scott. So, no security breach.



Freek D'Hooge
Oracle Database Administrator
email:<> tel +32(03) 451 23 82

On Wed, 2013-12-11 at 18:29 -0500, Dick Goulet wrote:

All,

    Is there anyone other than myself that doesn't think this is right? For those of you who have missed it, like I did, when Oracle started evolving Fine Grained Access Controls (FGA) the role of private synonyms changed. Try this for starters and I'll make it easy:

  1. install the scott account, we'll need emp.
  2. create another account, any name you like, I'll use user1.
  3. create a third account, I'll call it user2.
  4. as scott grant select on emp to user1.
  5. as scott grant select on emp to user2.
  6. as user1 create a private synonym to scott.emp
  7. as user2 "select * from user1.emp;"

If you go back to a V8 database, step 7 above will end in an ORA-00942. If you're on V9 or higher, you get data.

Does this sound fishy??? I've opened an itar with Oracle. They referenced note:174368.1 Policies on Synonyms. But this just seems wrong to me. Any other opinion???

Dick Goulet
Senior Oracle DBA.
-- Received on Thu Dec 12 2013 - 09:49:08 CET
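
The seven steps from the quoted message as a SQL*Plus script, followed by a data dictionary query that lists which accounts can reach a table through another schema's private synonym. This is an added example and not part of either message; it assumes scott.emp already exists (step 1), and the `<password>` placeholder and the system privileges given to user1 and user2 are assumptions.

```sql
-- Added example. Run from SQL*Plus; CONNECT prompts for each password.
-- Steps 2-3: two extra accounts. "<password>" is a placeholder, and the
-- system privileges below are the minimum assumed for this walkthrough.
CREATE USER user1 IDENTIFIED BY "<password>";
CREATE USER user2 IDENTIFIED BY "<password>";
GRANT CREATE SESSION, CREATE SYNONYM TO user1;
GRANT CREATE SESSION TO user2;

-- Steps 4-5: scott grants SELECT on emp directly to each account.
CONNECT scott
GRANT SELECT ON emp TO user1;
GRANT SELECT ON emp TO user2;

-- Step 6: user1 creates a private synonym that points at scott.emp.
CONNECT user1
CREATE SYNONYM emp FOR scott.emp;

-- Step 7: user2 names user1's synonym. Per the thread: ORA-00942 on V8,
-- data on V9 or higher.
CONNECT user2
SELECT * FROM user1.emp;

-- Audit, run as an account that can read the DBA_ views.
-- For every private synonym that points at an object in another schema,
-- list the grantees (other than the synonym owner) holding a direct SELECT
-- grant on the underlying object. GRANTEE may be a user, a role or PUBLIC;
-- access through SELECT ANY TABLE is not covered by this query.
SELECT s.owner        AS synonym_owner,
       s.synonym_name,
       s.table_owner,
       s.table_name,
       p.grantee,
       p.grantor
FROM   dba_synonyms  s
JOIN   dba_tab_privs p
       ON  p.owner      = s.table_owner
       AND p.table_name = s.table_name
WHERE  s.owner     <> 'PUBLIC'        -- private synonyms only
AND    s.owner     <> s.table_owner   -- target lives in another schema
AND    s.db_link   IS NULL            -- local objects only
AND    p.privilege = 'SELECT'
AND    p.grantee   <> s.owner
ORDER  BY s.owner, s.synonym_name, p.grantee;
```

With the accounts above in place, the audit query returns a row for user1.emp with grantee USER2 and grantor SCOTT, which is the direct grant the reply points to.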
