Re: Where is this Privilege coming from?

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Tue, 5 Nov 2019 02:19:10 +0700
Message-ID: <CAP50yQ9vxCa4J=+Chph-bH=9JE0pAbGsOL_Ywyx7ADD=KfnTvw_at_mail.gmail.com>

And I think the final possibility - if it's not proxy users - would be that the user calls a package defined with AUTHID DEFINER, but owned by another user that has that privilege.

On Tue, Nov 5, 2019 at 1:59 AM Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk> wrote:

>
> Do you make use of proxy users ?
>
> Do you have any users with this privilege ?
>
> Regards
> Jonathan Lewis
>
>
> ________________________________________
> From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on
> behalf of Charlotte Hammond <dmarc-noreply_at_freelists.org>
> Sent: 04 November 2019 18:36
> To: dmarc-noreply_at_freelists.org; Stefan Knecht
> Cc: Oracle-L Freelists
> Subject: Re: Where is this Privilege coming from?
>
> Hi Stefan,
>
> Yes - VPD is in use. We see EXEMPT ACCESS POLICY in the audit trail when
> any of the tables with a policy on it is accessed by this user. So that
> makes sense. But I just can't figure out how it is getting the privilege
> in the first place.
>
> Thanks,
> Charlotte
>
> On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht <
> knecht.stefan_at_gmail.com> wrote:
>
>
> Are you using VPD in that database?
>
> On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond <
> dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>> wrote:
> Hello All,
>
> In my database audit trail I can see lots of entries for use of the
> privilege "EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user
> (a shared account used by the front end application - sessions are
> created/destroyed dynamically through the day). The RETURNCODE is 0 for
> these entries.
>
> However this database user does not have this privilege granted to them
> either directly or through a role (and the 1 role they have does not have
> any system privileges). Also, if I log in directly as this database user
> using sqlplus I do not have this privilege. I presume the application is
> doing something special when it creates the session but I cannot think what!
>
> So where is this privilege coming from to appear in the audit trail? Any
> suggestions on how to track this down much appreciated!
>
> Thanks,
> Charlotte
>
>
>
>
> --
> //
> zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
> Visit us at zztat.net<http://zztat.net/> | _at_zztat_oracle | fb.me/zztat<
> http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/

--
http://www.freelists.org/webpage/oracle-l

Received on Mon Nov 04 2019 - 20:19:10 CET

This message: [ Message body ]
Next message: Charlotte Hammond: "Re: Where is this Privilege coming from?"
Previous message: Mladen Gogala: "Re: Sudden Backup Slowdown"
Maybe in reply to: Charlotte Hammond: "Where is this Privilege coming from?"
In reply to Jonathan Lewis: "Re: Where is this Privilege coming from?"
Next in thread: Charlotte Hammond: "Re: Where is this Privilege coming from?"
Reply: Charlotte Hammond: "Re: Where is this Privilege coming from?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message