Re: grant create any directory to schema

I definitely agree withave MJ. %ANY% privileges will be a finding during an audit. Rob 

Sent from my T-Mobile 4G LTE Device

• Original message -------- From: MJ Mody <emjay.mody_at_gmail.com> Date: 12/21/2015 7:32 PM (GMT-05:00) To: backseatdba_at_gmail.com Cc: oracle-l_at_freelists.org Subject: Re: grant create any directory to schema

A similar question was asked to me as part of an interview for an IS Auditor position. My response was to create multiple directories and grant read, write privileges as needed on a per user basis. This goes inline with least privilege access model. You are definitely right about the security and if your firm gets audited, this would end up as a finding as ANY privileges are recommended to be hardened.

Best
MJ

> On Dec 21, 2015, at 6:20 PM, Jeff Chirco <backseatdba_at_gmail.com> wrote:
>
> I have some developers that want to give the CREATE ANY DIRECTORY privilege to a schema (a locked schema in production).  They reason is because they would like to use the same directory name but change its location based on the OS user that is logged in.  So a file will get read or created in that users home directory. 
> To me this seems like a security issue because then in Test/Dev a programmer could change the code to point at any directory they wanted to read potential sensitive data.
> Has anybody dealt with something like this?  Is there a way to restrict them (by user) to only creating a directory within a certain folder structure?
>
> Jeff

--
http://www.freelists.org/webpage/oracle-l




--
http://www.freelists.org/webpage/oracle-l