Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: How do you grant connection permission to a user?

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Tue, 27 May 2003 10:46:38 -0700
Message-ID: <3ED3A47E.CD35CFB2@exxesolutions.com>


Richard Foote wrote:

> "Daniel Morgan" <damorgan_at_exxesolutions.com> wrote in message
> news:3ED2AC81.908B577E_at_exxesolutions.com...
>
> > > Are you saying the connect role has to be dropped? How about backward
> > > compatibility? I have many users with that role..
> >
> > I wouldn't say "HAS TO BE" dropped any more than I would say
> > "change_on_install" "HAS TO BE" changed.
> > But I'd say any DBA that doesn't should be escorted to the door and given
> > an invitation to the unemployment queue. Same thing goes for not dropping
> > CONNECT and RESOURCE.
> >
> > Backward compatibility is irrelevant as the problem privileges contained
> > in CONNECT and RESOURCE are almost always never used legitimately. New
> > roles should be created that contain the privileges required:
> > And nothing more.
> > --
>
> Hi Daniel et al,
>
> I agree with the latter sentiments that one shouldn't be using these
> pre-created roles.
>
> However, in defence of any newbies that do use them (and I see them used
> *all* the time), it's kinda easy to understand why they do get used so often
> when Oracle themselves use them constantly.
>
> A recent example.
>
> I'm currently using Oracle Streams (which is quite nifty incidentally when
> it decides to work) and I thought I'll use OEM to generate some sample
> scripts. Guess what OEM grants the user it creates to administer Streams,
> that's right, Connect, Resource, etc .....
>
> So while Oracle uses them, what chance do newbies have? If you drop the
> roles, OEM would fail dismally. Actually, OEM fails dismally anyway as the
> scripts were pretty awful and needed many manual changes anyway, but you get
> my point.
>
> Cheers
>
> Richard

With respect to newbies I agree. But I'm not sure that the newbies are not DBAs. I have worked with DBAs with more than a decade of experience that couldn't answer the question correctly and still assign CONNECT and RESOURCE.

Their databases reflect it and many of them I could crack in less than five minutes due to this and other egregious sins of omission. It is amazing how 'unimpressed' a CIO can be when you walk into his office and can get into one of his HR databases without a password.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Tue May 27 2003 - 12:46:38 CDT
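
As an added illustration of the advice in this thread (not code from either poster), the following SQL audits who holds CONNECT and RESOURCE and moves one account onto roles that contain only what it needs. The role names `app_connect` and `app_owner`, the account `app_user1`, the tablespace `users`, and the privilege list chosen for `app_owner` are assumptions made for the example; it also assumes `app_user1` currently holds both pre-created roles.

```sql
-- Added example. app_connect, app_owner, app_user1 and the USERS tablespace
-- are hypothetical names; adjust the privilege lists to what each
-- application actually uses.

-- 1. See which system privileges the pre-created roles carry in this database.
SELECT grantee AS role_name, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- 2. List every user or role that has been granted them.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 3. A role that answers the thread's question: permission to connect,
--    and nothing more.
CREATE ROLE app_connect;
GRANT CREATE SESSION TO app_connect;

-- 4. A separate role for accounts that must own schema objects.
--    (Assumed privilege set for this example.)
CREATE ROLE app_owner;
GRANT CREATE TABLE, CREATE VIEW, CREATE SEQUENCE, CREATE PROCEDURE
  TO app_owner;

-- 5. Migrate one account: grant the narrow roles first, then take the
--    broad ones away.
GRANT app_connect TO app_user1;
GRANT app_owner   TO app_user1;
REVOKE connect, resource FROM app_user1;

-- 6. Give the account an explicit space quota instead of relying on
--    anything that came with the old roles.
ALTER USER app_user1 QUOTA 100M ON users;

-- 7. Verify what the account is left with: roles, then direct privileges.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'APP_USER1';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'APP_USER1';
```

Run steps 1 and 2 first and review the output before changing any grants; tools that expect the pre-created roles, as described above for OEM, need testing against the new roles.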
