Home -> Mailing Lists -> Oracle-L -> Re: Where is this Privilege coming from?

Re: Where is this Privilege coming from?

From: Charlotte Hammond <"Charlotte>
Date: Mon, 4 Nov 2019 20:00:30 +0000 (UTC)
Message-ID: <67395847.1458702.1572897630240_at_mail.yahoo.com> 








 Hi Stefan,


Thanks for there suggestion but I can't see any source text with "EXEMPT ACCESS POLICY" in it.    I guess it could be wrapped and hidden somewhere in the SYS schema but that seems unlikely.  I'll check if there are any objects there that don't appear in other databases of the same version.
I guest the easiest way to check this would be to put a trace on the logon but that's hard for political reasons.
Thanks,Charlotte


    On Monday, November 4, 2019, 07:20:12 PM GMT, Stefan Knecht <knecht.stefan_at_gmail.com> wrote:  
 


 And I think the final possibility - if it's not proxy users - would be that the user calls a package defined with AUTHID DEFINER, but owned by another user that has that privilege.






On Tue, Nov 5, 2019 at 1:59 AM Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk> wrote:




Do you make use of proxy users ?



Do you have any users with this privilege ?



Regards


Jonathan Lewis






From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on behalf of Charlotte Hammond <dmarc-noreply_at_freelists.org>
Sent: 04 November 2019 18:36


To: dmarc-noreply_at_freelists.org; Stefan Knecht
Cc: Oracle-L Freelists


Subject: Re: Where is this Privilege coming from?



Hi Stefan,



Yes - VPD is in use.   We see EXEMPT ACCESS POLICY in the audit trail when any of the tables with a policy on it is accessed by this user.   So that makes sense.   But I just can't figure out how it is getting the privilege in the first place.



Thanks,


Charlotte



On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht <knecht.stefan_at_gmail.com> wrote:




Are you using VPD in that database?



On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond <dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>> wrote:
Hello All,



In my database audit trail I can see lots of entries for use of the privilege "EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user (a shared account used by the front end application - sessions are created/destroyed dynamically through the day).   The RETURNCODE is 0 for these entries.



However this database user does not have this privilege granted to them either directly or through a role (and the 1 role they have does not have any system privileges).   Also, if I log in directly as this database user using sqlplus I do not have this privilege.   I presume the application is doing something special when it creates the session but I cannot think what!



So where is this privilege coming from to appear in the audit trail?   Any suggestions on how to track this down much appreciated!



Thanks,


Charlotte






--



//


zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net<http://zztat.net/> | _at_zztat_oracle | fb.me/zztat<http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>


--



http://www.freelists.org/webpage/oracle-l







-- 



//zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!Visit us at zztat.net | _at_zztat_oracle | fb.me/zztat | zztat.net/blog/  


--



http://www.freelists.org/webpage/oracle-l
Received on Mon Nov 04 2019 - 21:00:30 CET












Original text of this message