Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: grant resource

Re: grant resource

From: <psharman_at_us.oracle.com>
Date: Wed, 20 Oct 1999 14:31:36 -0700
Message-ID: <380E34B8.F6CB9F9C@us.oracle.com>


Ah, don't ya just love hair splitting? You're right, but however it's done the end result is the same.

As far as your question about DBA's being instructed to do so in the courses, or is it just the name of this two roles so misleading, I think the problem has two sources. One is sheer laziness, because it's easier to do it this way. The other is probably a direct result of the first. Oracle software installs use it. Is this the best approach? No, but until the roles are removed altogether, I don't think you'll ever see the problem go away.

In my days as a DBA instructor, I always mentioned it would be safer to not use these, but probably 80% of the DBA's I had come through the training weren't concerned enough about the security risk to do anything about it.

Pete

Jurij Modic wrote:

> On Wed, 20 Oct 1999 11:54:45 -0700, Pete Sharman
> <psharman_at_us.oracle.com> wrote:
>
> >Sybrand is correct. As to why they haven't mapped the roles correctly
> >to equivalent privileges, only the developer who did this could tell
> >you. Basic advice is to create your own roles that grant the right
> >privileges, then use those.
>
> Don't want to be hair-splitting, but Sibrand was not totally correct.
> The fact is that UNLIMITED TABLESPACE privilege is not granted to the
> RESOURCE role, it is implicitly granted directly to the user who has
> been granted this role (as Michael Cadod correctly states in his
> reply). Why it is implemented this way is beyond my imagination....
>
> I agree with you about creating own roles instead of CONNECT and
> RESOURCE. On any serious installation I would even drop both of this
> two roles as their names are somewhat misleading and contain some
> quite powerful (maybe even dangerous) privileges. Back in Oracle6 when
> there were no roles, this two privileges were providing just what
> their names suggested. But from Oracle7 on, this two roles has almost
> nothing in common with their names.
>
> I could even understand someone who came from Oracle6 world to grant
> this roles to users as a (bad) habit from the old days, but I can't
> understand new DBAs to use this two roles all the time, without even
> knowing what is hidden in them. Are they instructed to do so in the
> courses, or is it just the name of this two roles so misleading?
>
> >Pete
>
> Regards,
>
> Jurij Modic <jmodic_at_src.si>
> Certified Oracle DBA (7.3 & 8.0 OCP)
> ================================================
> The above opinions are mine and do not represent
> any official standpoints of my employer
Received on Wed Oct 20 1999 - 16:31:36 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US