RE: Privilege

From: Dominic Brooks <dombrooks_at_hotmail.com>
Date: Tue, 7 Mar 2017 19:45:45 +0000
Message-ID: <VI1PR0901MB1437E1B537BEF297ED585539A12F0_at_VI1PR0901MB1437.eurprd09.prod.outlook.com>



Let me cite the docs:

http://docs.oracle.com/database/121/DBSEG/dr_ir.htm

The privileges of the procedure's definer must be granted directly to the procedure owner, not granted through roles. These are called definer's rights.

Sent from my Windows Phone



From: Dominic Brooks <dombrooks_at_hotmail.com>
Sent: 07/03/2017 19:40
To: Powell, Mark <mark.powell2_at_hpe.com>; andrew.kerber_at_gmail.com
Cc: oracle-l_at_freelists.org
Subject: RE: Privilege

Yep, yep, yep. All missing the point.

The fact is that I'm not allowed an application schema (the one that owns the application code that I'm writing) with that privilege.

So my application code cannot use Dbms_parallel_execute because the DBAs say that the code owning schema cannot have Create job.

Not the first time, not the first place.... But I'm starting to see why this madness is widespread...

Sent from my Windows Phone



From: Powell, Mark <mark.powell2_at_hpe.com>
Sent: 07/03/2017 19:31
To: dombrooks_at_hotmail.com; andrew.kerber_at_gmail.com
Cc: oracle-l_at_freelists.org
Subject: Re: Privilege

I will add my opinion that applications should never run as the application owner but rather should run using an application user ID that only has DML privileges to the application tables and execute on stored code granted via a role. This way if the ID is compromised it cannot be used to change the object structures or change stored code for the hacker's usage.



From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Andrew Kerber <andrew.kerber_at_gmail.com> Sent: Tuesday, March 7, 2017 2:18:34 PM
To: dombrooks_at_hotmail.com
Cc: oracle-l_at_freelists.org
Subject: Re: Privilege

Well, it is what Oracle recommends. It is also much easier to manage privileges for an entire class of users at once, rather than deal with the privileges individually. For example, when someone changes a job at a company, it's a lot easier to revoke a developer role and grant her a manager role that has the appropriate privileges, rather than figure out what privileges specifically need to be revoked and granted.

On Tue, Mar 7, 2017 at 1:01 PM, Dominic Brooks <dombrooks_at_hotmail.com> wrote:

Can someone explain to me why security policies in multiple global banks (no significance other than they really should know what they are doing) should advocate not granting privileges to application schemas directly, only via roles?

In what way is this less/more secure?

All this seems to mean is that there is a bunch of stuff that either I can't do in PL/SQL that I could do via dynamic SQL or from SQL issued by a Java application, or that I just can't do (e.g. Dbms parallel execute without create job)?

Sent from my Windows Phone

--
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 07 2017 - 20:45:45 CET
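
The behaviour this thread turns on, as an added example that is not part of any message above: a privilege that reaches the code-owning schema only through a role is active in top-level SQL but not inside definer's rights PL/SQL, while the runtime login still gets its access through a role. All names (APP_OWNER, APP_USER, APP_OWNER_ROLE, APP_RUNTIME_ROLE, SHOW_PRIVS) and the passwords are constructed placeholders; the script assumes SQL*Plus and a DBA session for the first part.

```sql
-- Part 1: run as a DBA. All object names and passwords are constructed placeholders.
CREATE USER app_owner IDENTIFIED BY "Placeholder_pw_1";   -- schema that owns the code
CREATE USER app_user  IDENTIFIED BY "Placeholder_pw_2";   -- login the application uses
GRANT CREATE SESSION, CREATE PROCEDURE TO app_owner;
GRANT CREATE SESSION TO app_user;

-- The policy under discussion: CREATE JOB reaches the owner only through a role.
CREATE ROLE app_owner_role;
GRANT CREATE JOB TO app_owner_role;
GRANT app_owner_role TO app_owner;

-- Definer's rights procedure that lists the system privileges in effect
-- while stored code owned by APP_OWNER is executing.
CREATE OR REPLACE PROCEDURE app_owner.show_privs AUTHID DEFINER AS
BEGIN
  FOR p IN (SELECT privilege FROM session_privs ORDER BY privilege) LOOP
    DBMS_OUTPUT.PUT_LINE(p.privilege);
  END LOOP;
END;
/

-- Runtime account: EXECUTE on stored code via a role, no DDL privileges.
CREATE ROLE app_runtime_role;
GRANT EXECUTE ON app_owner.show_privs TO app_runtime_role;
GRANT app_runtime_role TO app_user;

-- Part 2: compare what the owner holds at top level and inside stored code.
CONNECT app_owner
SET SERVEROUTPUT ON

-- Top-level SQL: default roles are enabled, so CREATE JOB is listed.
SELECT privilege FROM session_privs ORDER BY privilege;

-- Inside the definer's rights procedure roles are disabled, so CREATE JOB
-- is missing and code that needs it (DBMS_PARALLEL_EXECUTE) fails there.
EXEC show_privs

-- Part 3: reconnect as the DBA and grant the privilege directly.
-- Rerunning SHOW_PRIVS as APP_OWNER then lists CREATE JOB.
-- APP_USER is unchanged: it can call the code but cannot alter it.
GRANT CREATE JOB TO app_owner;
```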
