Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Using current_schema allows too much access

Re: Using current_schema allows too much access

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: 19 Jun 2001 05:20:05 -0700
Message-ID: <9gng1l0v1p@drn.newsguy.com> 






In article <bafba412.0106181126.1ddd6027_at_posting.google.com>,
stevens_at_coloradocustomware.com says...


>

>I am trying to change our application from a application sercurity

>model, to indeividual database users using Oracle's security.  I can

>solve the problem of accessing the applications schema by using alter

>session set current_schema = xxx.  One side effect is users could

>potentially access the application schema using an ad-hoc tool with

>full rights to modify data.

>

>Does anyone have any ideas how to get around that?




Great confusion here on my part.



ALTER SESSION SET CURRENT_SCHEMA=xxx



does not change your privelege set -- you have given the end users nothing new
here.  You've only made it such that:



   select * from t



is intrepreted as



   select * from xxx.t



thats it -- if the user could not execute "select * from xxx.t", altering the
current schema will not make it so they can.  current schema does NOT affect
priveleges.



So, can you be more clear as to the problem??  Current Schema is a neat way to
avoid synonyms but conveys no additional priveleges.


--
Thomas Kyte (tkyte@us.oracle.com)             http://asktom.oracle.com/ 
Expert one on one Oracle, programming techniques and solutions for Oracle.
http://www.amazon.com/exec/obidos/ASIN/1861004826/  
Opinions are mine and do not necessarily reflect those of Oracle Corp 


Received on Tue Jun 19 2001 - 07:20:05 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US