Re: Using SET CURRENT_SCHEMA for DDL and DCL
Date: Sun, 16 Nov 2014 15:32:05 +0000
Message-ID: <1416151948210.23188_at_aston.ac.uk>
I don't see the relevance since sysdba can just create it as HEMANT.XYZ & issue grants anyways.
GRANT CONNECT THROUGH is another story.
Regards,
Mike
From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Hemant K Chitale <hemantkchitale_at_gmail.com> Sent: 16 November 2014 15:23
To: ORACLE-L
Subject: Using SET CURRENT_SCHEMA for DDL and DCL
I am familiar with ALTER SESSION SET CURRENT_SCHEMA to define the scope for all queries and DML in a current session. Thus schema "OWNER" can grant privileges to account "USER" and account "USER" can login as himself and invoke ALTER SESSION SET CURRENT_SCHEMA to define the scope for object-resolution without using Synonyms.
Have you seen or would you condone this :
CONNECT / AS SYSDBA
ALTER SESSION SET CURRENT_SCHEMA = 'HEMANT'
CREATE TABLE XYZ
GRANT SELECT ON XYZ TO 'CHITALE'
Such that
a. The DBA does not need the password for 'HEMANT' b. The DBA expects the table XYZ to be created in the 'HEMANT' schema c. The DBA expects HEMANT to grant SELECT privilege to CHITALE
Frankly, I am uncomfortable with this as it doesn't seem proper. I would rather have the DBA get the password for the 'HEMANT' account from the password vault and login as HEMANT to execute the CREATE and GRANT commands.
What is your opinion ?
--
Hemant K Chitale
http://hemantoracledba.blogspot.com
http://hemantscribbles.blogspot.com
--
http://www.freelists.org/webpage/oracle-l
Received on Sun Nov 16 2014 - 16:32:05 CET