
Re: deny change password to users

From: Daniel A. Morgan <dmorgan_at_exesolutions.com>
Date: Tue, 23 Jan 2001 22:21:14 -0800
Message-ID: <3A6E745A.A24E2C9D@exesolutions.com>

> Since you have to submit the command 'alter user blah identified by
> password' in order to change a password, I would have thought that revoking
> the 'alter user' privilege from the relevant users should stop 'em in their
> tracks.
>
> You might find that that privilege has also been granted to 'public', and
> you'd have to revoke it from there before noticing any change.
>
> And if your Users obtain rights from roles, you'd have to revoke the
> privilege from them, too. Potentially.

This is usually the case. Much like with table and index creation, where it is easy to use the default and takes a bit more effort to specify storage parameters, it is easy to grant CONNECT, RESOURCE, and/or DBA to users, but it is almost always an equally bad idea.

I strongly urge people I work with to drop those roles and create their own custom roles based on specific classes of users. That way users only get the privileges they are intended to have. There is, for example, a huge difference between granting CONNECT and granting CREATE SESSION, though most people think they are synonymous.

Daniel A. Morgan

Received on Wed Jan 24 2001 - 00:21:14 CST
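
An added example, not part of the original post: Oracle SQL, run from a DBA account, that lists what the stock roles actually carry, traces every grantee that reaches ALTER USER directly, through PUBLIC or through nested roles, and then builds a custom role holding only CREATE SESSION. The role name `app_end_user` and the user `some_user` are hypothetical.

```sql
-- 1. What do the stock roles carry on this database?
--    Compare the CONNECT rows with a bare CREATE SESSION.
SELECT grantee AS role_name, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY grantee, privilege;

-- 2. Every user or role that ends up with ALTER USER:
--    direct grants, grants to PUBLIC, and grants inherited
--    through any depth of role-to-role grants.
SELECT DISTINCT grantee
FROM  (SELECT grantee, privilege    AS granted FROM dba_sys_privs
       UNION ALL
       SELECT grantee, granted_role AS granted FROM dba_role_privs)
START WITH granted = 'ALTER USER'
CONNECT BY PRIOR grantee = granted
ORDER  BY grantee;

-- 3. Which accounts still hold the stock roles?
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY granted_role, grantee;

-- 4. Replace a stock role with a custom one for a class of users.
--    app_end_user and some_user are hypothetical names.
CREATE ROLE app_end_user;
GRANT  CREATE SESSION TO app_end_user;   -- log on, nothing else
GRANT  app_end_user   TO some_user;
REVOKE CONNECT        FROM some_user;

-- 5. Confirm what the account now holds, directly and via its roles.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'SOME_USER'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   WHERE  grantee = 'SOME_USER')
ORDER  BY privilege;
```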
