
Re: developer privs in development (old thread inaccessible)

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sat, 06 Dec 2003 13:12:51 -0800
Message-ID: <1070745202.990303@yasure>


Paul Drake wrote:

> Hi Daniel.
>
> I am unable to reply to the thread where your post was 85th.
> I'm including the
>
> ===========================================================
>
>
>

>>On 5 Dec 2003, drak0nian_at_yahoo.com wrote:
>>
>>
>>
>>>the problem with granting an app_owner schema the role DBA is
>>>that then the application is coded depending upon the DBA role
>>>(and usually, all of the sys_privs that are in that role, that
>>>the account invariably grants itself directly). it is such a
>>>PITA to get changes made to remove queries that hit the dba_
>>>views (such as dba_cons_columns for RI errors). If the
>>>developers can't code against the dba_% views, but are limited
>>>to the all_ views, you don't have as many issues when the code
>>>runs on a qa db where the app owner account does not have the
>>>DBA role granted to it.
>>
>>
>>You are missing my point.  I never want the user that the
>>application will log in as to have anything but the privileges
>>that will be granted to it in public.  What I want is a user that
>>has dba privileges (or a form thereof) that can be used by me
>>and the development crew for the sole purpose of modifying the
>>database for developing the app.  I, most definitely, want to
>>hamper the application schema exactly as I plan to in production.
>>

>
>
> What Paul Drake and so many others miss is that the security policy of
> a company should be a written document. And the security rights and
> privileges of an application should be part of a written
> specification.
>
> If developers are required to create or modify applications based on
> those two documents then no application they create or modify can
> possibly violate the agreed security policies and specifications.
>
> The only thing the developers could possibly do is make their jobs a
> bit easier. Little things like looking up reserved words, checking to
> make sure that all of their dynamic SQL is using bind variables,
> looking at the numbers of hard and soft parses: In short all of the
> things Tom Kyte does on his asktom website to demonstrate that things
> are working as they should.
>
> The sad fact is, and since I don't know you Paul I'm not pointing at
> you so don't take this personally, the DBAs that are most paranoid
> about giving developers privileges in development environments, are
> the DBAs that know the least about development: The ones that can't
> actually write and debug PL/SQL.
>

Just fine. I look forward to it.

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat Dec 06 2003 - 15:12:51 CST
