Re: Private Synonyms

From: D'Hooge Freek <Freek.DHooge_at_uptime.be>
Date: Thu, 12 Dec 2013 08:49:08 +0000
Message-ID: <1386838141.647.8.camel_at_dhoogfr-lpt1>

Hi,

Why would that be fishy?
user2 has received access on the underlying object, to which the private synonym points, directly from scott. So, no security breach.

regards,

--

Freek D'Hooge
Uptime
Oracle Database Administrator
email: freek.dhooge_at_uptime.be<mailto:freek.dhooge_at_uptime.be> tel +32(03) 451 23 82
http://www.uptime.be
disclaimer: www.uptime.be/disclaimer.html<http://www.uptime.be/disclaimer.html>

On wo, 2013-12-11 at 18:29 -0500, Dick Goulet wrote: All,

Is there anyone other than myself that doesn't think this is right. For those of you who have missed it, like I did, when Oracle started evolving Fine Grained Access Controls (FGA) the role of private synonyms changed. Try this for starters and I'll make it easy:

install the scott account, we'll need emp.
create another account, any name you like, I'll use user1.
create a third account, I'll call it user2.
as scott grant select on emp to user1.
as scott grant select on emp to user2.
as user1 create a private synonym to scott.emp
as user2 "select * from user1.emp;"

If you go back to a V8 database step 7 above will end in an ORA-00942. If your on V9 or higher, you get data.

Does this sound fishy??? I've opened an itar with Oracle. They referenced note:174368.1 Policies on Synonyms. But this just seems wrong to me. Any other opinion???

Dick Goulet
Senior Oracle DBA.
--

http://www.freelists.org/webpage/oracle-l Received on Thu Dec 12 2013 - 09:49:08 CET

This message: [ Message body ]
Next message: Nuno Souto: "Re: Why I don't like RMAN repositories"
Previous message: goran bogdanovic: "RE: ASM DISKGROUP INFORMATION"
In reply to: Dick Goulet: "Private Synonyms"
Next in thread: Niall Litchfield: "Re: Private Synonyms"
Reply: Niall Litchfield: "Re: Private Synonyms"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message