Re: How do you grant connection permission to a user?

Peter wrote:

> On Mon, 26 May 2003 08:25:17 -0700, Daniel Morgan
> <damorgan_at_exxesolutions.com> wrote:
>
> >Sander Goudswaard wrote:
> >
> >> Peter <peter_at_nomorenewsspammin.ca> wrote in
> >> news:s9p3dvotmmarhun3cng44d59mgifsl4eqj_at_4ax.com:
> >>
> >> > How do you grant connection permission to a user?
> >> > By granting create session privilege?
> >> >
> >>
> >> grant connect to luser;
> >>
> >> - Sander
> >
> >That is not correct. Connect is a role that has absolutely nothing to do
> >with connecting to the database.
> >
> >The role contains the create session privilege which is why it works.
> >
> >The connect role should never be granted to any user and, in fact,
> >should be dropped about as fast as
> >change_on_install.
>
> Are you saying the connect role has to be dropped? How about backward
> compatibility? I have many users with that role..

I wouldn't say "HAS TO BE" dropped anymore than I would say "change_on_install" HAS TO BE" changed.
But I'd say and DBA that doesn't should be escorted to the door and given an invitation to the unemployement
queue. Same thing goes for not dropping CONNECT and RESOURCE.

Backward compatibility is irrelevant as the problem privileges contained in CONNECT and RESOURCE are
almost always never used legitimately. New roles should be created that contain the privileges required:
And nothing more.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)