| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: CONNECT ROLE
Niall Litchfield wrote:
> "Pete Sharman" <peter.sharman_at_oracle.com> wrote in message
> news:akdl7501qba_at_drn.newsguy.com...
> <of ditching CONNECT>
> > Unfortunately, there's one very simple reason for this. Because we
> haven't got
> > rid of the role. I've been pushing for getting rid of the CONNECT,
> RESOURCE and
> > DBA roles for eons (shows you how far I am up the totem pole, hey?!), but
> > unfortunately there are far too may pieces of software out there (our own
> Apps
> > product used to be one of them, not sure if it still is) that need the
> CONNECT
> > role at least to be installed correctly. What needs to happen is for
> someone to
> > actually come out and say "These roles are going to be desupported in
> version x
> > and obsolete in version y" so that the companies that make software that
> uses
> > them have time to move to the right way of doing things. Who knows when
> we'll
> > see that, though. Not me!
>
> I am not entirely sure I understand the problem with CONNECT (apart from the
> fact that it is woefully misnamed). It seems to me that it is about correct
> for accounts that wish to own tables, create data etc etc. In other words
> its pretty well equivalent to the APP_DEVELOPER role that I am trying to
> institute for my application developers. Now I fully accept that what it
> isn't is a low privilege role that allows users to connect to the database
> (hence the woeful misnaming), but *provided that DBA's know what privileges
> it has* what is so wrong with it. In other wrods is it the role that is
> wrong or the misuse of it.
>
> Or is the argument perhaps, that there should be NO predefined roles
> whatsoever (apart from the special case of SYSDBA)?
>
> --
> Niall Litchfield
> Oracle DBA
> Audit Commission UK
> *****************************************
> Please include version and platform
> and SQL where applicable
> It makes life easier and increases the
> likelihood of a good answer
>
> ******************************************
Have you looked at what is wrapped up in CONNECT?
CREATE DATABASE LINK? Why? Why would anyone want any user to be able to do this?
CREATE CLUSTER? What end-user could possibly have a clue about clusters?
One compromises system security ... the other lacking in any reasonable context.
ROLES should be based on the privileges people need to do their jobs. There is no point in granting an unneeded or unwarranted system privilege.
Daniel Morgan Received on Tue Aug 27 2002 - 13:03:59 CDT
 |
 |