
Re: Creating a 'helpdesk' user

From: Lawrence Simela <lsimela_at_mahalini.prestel.co.uk>
Date: Wed, 22 Aug 2001 03:20:20 +0100
Message-ID: <9lvuk6$srh$1@phys-ma.sol.co.uk>


I think your best approach is probably doing all this through an application and restricting what Helpdesk can do that way. Also consider using product profiles, etc.

Hth
lawrence

"Vikas Agnihotri" <fornewsgroups_at_vikas.mailshell.com> wrote in message news:902027f8.0108170602.477f40e4_at_posting.google.com...
> postbus_at_sybrandb.demon.nl (Sybrand Bakker) wrote in message news:<a20d28ee.0108160051.7f87a05_at_posting.google.com>...
> > fornewsgroups_at_vikas.mailshell.com (Vikas Agnihotri) wrote in message news:<902027f8.0108151213.7b50b877_at_posting.google.com>...
> > > This is working fine. But few problems:
> > >
> > > 1. They cannot grant 'create table' to a new user they create. To do
> > > this, I would need to 'grant create table to helpdesk WITH ADMIN
> > > OPTION'. I don't want to do this because I don't want HELPDESK to create
> > > tables.
> > >
> > > Is there a way to grant just the admin option part i.e. allow them to
> > > grant CREATE TABLE to others but not be able to create tables
> > > themselves.
> > >
> > > 2. The main and (surprising) problem with the above is this:
> > >
> > > Even though HELPDESK is a non-DBA user created expressly for user
> > > creation, HELPDESK can create a new user and grant DBA to the user and
> > > thus have a DBA access to the database!
> > >
> > > This seems silly. What am I missing? How can it be so easy to subvert
> > > Oracle's security? Oracle's GRANT ANY ROLE system privilege should
> > > have the intelligence to not grant DBA. Otherwise, what's the point of
> > > this system privilege? Granting it to anyone is akin to giving them
> > > DBA access.
> > >
> > > Anyway, let's take it one step back. Maybe I need to re-think my whole
> > > approach.
> > >
> > > Does anyone have any ideas on how to accomplish what I want? i.e.
> > > create a helpdesk user to create new users, modify them, grant
> > > *application* roles to them (defined by us)?
> > >
> > > Thanks
> >
> >
> > DBA is *not* a system privilege, it is a *role* since 7.0
>
> Yes, I know. Does anything I wrote above imply that I am not aware of
> this?
>
> Please read my post carefully. DBA being a role and not a system
> privilege has nothing to do with this.
>
> Ah..you must be referring to my statement above "Oracle's GRANT ANY
> ROLE system privilege should have the intelligence to not grant DBA.
> Otherwise, what's the point of this system privilege?"
>
> My "what's the point of" refers to the GRANT ANY ROLE system privilege
> and not the DBA *role*. I thought it was pretty clear from the context
> of the 2 sentences.
>
> My question still stands.
>
> How can I create a 'helpdesk' user to create user users, modify them,
> grant application roles to them (Defined by us)?
>
> I thought that the GRANT ANY ROLE *system privilege* would be perfect
> for this.
>
> But as I found out, this gives HELPDESK the ability to create a new
> user, GRANT the DBA *role* to the user and bingo, get dba access to
> the database! How to prevent this?
>
> > Please read your docs before you start shouting.
>
> Obviously, you just took a quick glance at my post and fired off your
> usual caustic response. You seem to do this with many of my posts.
> What do you have against me anyway? If you do not want to help me,
> just don't post anything.
Received on Tue Aug 21 2001 - 21:20:20 CDT
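
One way to route role grants through code that restricts what HELPDESK can do, shown here as an added example that is not part of the original thread: a definer's-rights PL/SQL procedure that grants only roles on an allow-list, so HELPDESK never holds GRANT ANY ROLE itself. The names SEC_ADMIN, APP_ROLE_ALLOWLIST, HELPDESK_GRANT_ROLE, the APP_* roles and the USERS tablespace are assumptions, and DBMS_ASSERT requires a later Oracle release than the ones current when this thread was written.

```sql
-- Added example. SEC_ADMIN, APP_ROLE_ALLOWLIST, HELPDESK_GRANT_ROLE, the APP_* roles
-- and the USERS tablespace are assumed names. Run the setup as a DBA.
CREATE USER sec_admin IDENTIFIED BY "Placeholder_Change_Me_1"   -- placeholder password
  DEFAULT TABLESPACE users QUOTA 1M ON users ACCOUNT LOCK;      -- owner never logs in

-- Direct grant: definer's-rights PL/SQL does not see privileges held through roles.
GRANT GRANT ANY ROLE TO sec_admin;

-- Allow-list of roles the helpdesk may hand out. HELPDESK gets no DML on this table.
CREATE TABLE sec_admin.app_role_allowlist (
  role_name VARCHAR2(30) PRIMARY KEY
);
INSERT INTO sec_admin.app_role_allowlist VALUES ('APP_CLERK');     -- constructed sample
INSERT INTO sec_admin.app_role_allowlist VALUES ('APP_READONLY');  -- constructed sample
COMMIT;

CREATE OR REPLACE PROCEDURE sec_admin.helpdesk_grant_role (
  p_username IN VARCHAR2,
  p_role     IN VARCHAR2
) AUTHID DEFINER AS
  v_role sec_admin.app_role_allowlist.role_name%TYPE;
  v_user all_users.username%TYPE;
BEGIN
  -- Exact match against the allow-list: DBA or any unlisted role finds no row.
  SELECT role_name INTO v_role
    FROM sec_admin.app_role_allowlist
   WHERE role_name = UPPER(p_role);

  -- The grantee must be an existing account, looked up by exact name.
  SELECT username INTO v_user
    FROM all_users
   WHERE username = UPPER(p_username);

  -- Only values read back from the allow-list and the dictionary reach the DDL,
  -- and each is quoted as an identifier, so caller text is never concatenated in.
  EXECUTE IMMEDIATE 'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(v_role, FALSE)
                 || ' TO '   || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20001, 'Role or user not permitted for helpdesk grants');
END helpdesk_grant_role;
/

-- HELPDESK keeps only the right to call the procedure.
GRANT EXECUTE ON sec_admin.helpdesk_grant_role TO helpdesk;
REVOKE GRANT ANY ROLE FROM helpdesk;
```

HELPDESK then calls `sec_admin.helpdesk_grant_role` instead of issuing GRANT directly; the example covers only the role-grant step of the helpdesk task described in the thread.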
