
Re: CONNECT ROLE

From: Rauf Sarwar <rs_arwar_at_hotmail.com>
Date: 27 Aug 2002 10:35:34 -0700
Message-ID: <92eeeff0.0208270935.3422d5c1@posting.google.com>


Sybrand Bakker <postbus_at_sybrandb.demon.nl> wrote in message news:<qnfmmu4ruvfebld1n3p509u0shlguurfo8_at_4ax.com>...
> On Tue, 27 Aug 2002 09:15:53 +0100, "Niall Litchfield"
> <n-litchfield_at_audit-commission.gov.uk> wrote:
>
> >I am not entirely sure I understand the problem with CONNECT (apart from the
> >fact that it is woefully misnamed). It seems to me that it is about correct
> >for accounts that wish to own tables, create data etc etc. In other words
> >it's pretty well equivalent to the APP_DEVELOPER role that I am trying to
> >institute for my application developers. Now I fully accept that what it
> >isn't is a low privilege role that allows users to connect to the database
> >(hence the woeful misnaming), but *provided that DBAs know what privileges
> >it has* what is so wrong with it? In other words is it the role that is
> >wrong or the misuse of it?
> >
> >Or is the argument perhaps, that there should be NO predefined roles
> >whatsoever (apart from the special case of SYSDBA)?
>
>
> How many users, do you think, *really* need the privilege to create a
> table (I'm not referring to sqlserver apps, ported to Oracle ;)
> 1 percent, 2 percent?
> Yet everyone I know grants the CONNECT role indiscriminately to all
> users, while CREATE SESSION priv would have been sufficient.
>
>
> Regards
>
> Sybrand Bakker, Senior Oracle DBA
>
> To reply remove -verwijderdit from my e-mail address

I look at the CONNECT role as something which exists in Oracle but should not be touched even with a ten-foot pole when it comes to grants... especially end-user grants.

Not everyone needs to have any "CREATE TABLE, VIEW, CLUSTER, SEQUENCE etc" privileges, so granting CONNECT to end users is asking for trouble. After all, the *only* system privileges end users need to have are CREATE SESSION and ALTER SESSION. On the other hand, granting CONNECT to developers could also be deceiving, as it does not have CREATE PROCEDURE and CREATE TRIGGER privileges, which need to be separately granted. Creating one's own role(s), like Niall mentioned, for developers, which includes all required CREATE and/or ALTER privileges, is probably the best way to go. This way access can be controlled by different roles and the DBA would know exactly which role has what grants.

I don't think anyone is going to terribly miss the CONNECT role if Oracle decided to do away with it... The only people who are going to miss it are the people who Sybrand pointed out as,

> Yet everyone I know grants the CONNECT role indiscriminately to all
> users

and they should not have done it in the first place. Maybe they got suckered into it because of the name or misname.

//Rauf Sarwar

Received on Tue Aug 27 2002 - 12:35:34 CDT
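
Added example, not part of the original post or of any poster's code: an audit of who holds CONNECT, followed by the purpose-built roles the thread recommends. The contents of CONNECT differ between Oracle releases, so the first query lists them rather than assuming; `end_user_role` and the account `clerk01` are hypothetical names, and `app_developer` is the role name mentioned in the quoted message.

```sql
-- Run as a DBA. Uses only the standard dictionary views
-- DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and DBA_OBJECTS.

-- 1. What does CONNECT actually contain on this database?
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Direct grants of CONNECT (the grantee may be a user or another role).
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'CONNECT'
ORDER  BY grantee;

-- 3. CONNECT holders that are real accounts and own no objects:
--    candidates for a session-only role.
SELECT rp.grantee
FROM   dba_role_privs rp
WHERE  rp.granted_role = 'CONNECT'
AND    rp.grantee IN (SELECT username FROM dba_users)
AND    NOT EXISTS (SELECT 1 FROM dba_objects o WHERE o.owner = rp.grantee)
ORDER  BY rp.grantee;

-- 4. Session-only role for end users (hypothetical role name).
CREATE ROLE end_user_role;
GRANT CREATE SESSION, ALTER SESSION TO end_user_role;

-- 5. Developer role: the CREATE privileges named in the post, plus
--    CREATE PROCEDURE and CREATE TRIGGER, which the post says CONNECT lacks.
CREATE ROLE app_developer;
GRANT CREATE SESSION, ALTER SESSION,
      CREATE TABLE, CREATE VIEW, CREATE CLUSTER, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE TRIGGER
TO    app_developer;

-- 6. Swap one account over (hypothetical user). Grant the replacement
--    first so the account never loses CREATE SESSION between statements.
GRANT  end_user_role TO clerk01;
REVOKE CONNECT FROM clerk01;

-- 7. Confirm what the account now holds through roles.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'CLERK01';
```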
