Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: developer privs in development (old thread inaccessible)

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Wed, 10 Dec 2003 23:14:09 +0000
Message-ID: <L0Dy1kABj61$QxHj@peterfinnigan.demon.co.uk>


>I was explaining to students the fact that the roles CONNECT, RESOURCE,
>and DBA should never be granted to anyone on an Oracle system and how
>they should create their own application-organization specific roles
>with combinations of system and object privileges.
>
>Based on our discussion, almost all of the students are developers
>and DBAs, it became apparent that part of the problem is these three roles.
>
>Most DBAs still assign them and thus never really take the time to
>create a granularity appropriate to the actual needs of the team. They
>give themselves the DBA role and sometimes think, based on its name, it
>is inappropriate or dangerous in the hands of developers. What they
>should more properly realize is that it contains privileges irrelevant
>to DBAs too. DBA roles should be created, just like end-user and
>developer roles to ONLY enable those privileges actually required.
>

Exactly Daniel!!

Least privilege principle for users and also why not least privilege principle for admin staff - not all DBAs need every privilege in the system all of the time. I suggested the same as you for DBAs to create DBA roles that match the day-to-day tasks and also I suggest to not use the connect and resource roles and instead to build your own in my book "Oracle security step-by-step".

Good point, Daniel.

Kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Wed Dec 10 2003 - 17:14:09 CST
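
An added example, not part of the original post or of the book it mentions: one way to audit who holds CONNECT, RESOURCE or DBA and to replace them with task-specific roles, as the thread recommends. The role names, the user DEV_USER1, the table APP_OWNER.ORDERS and the USERS tablespace quota are hypothetical; the privilege lists are illustrative and should be cut down to what each team actually uses.

```sql
-- 1. Who currently holds the three built-in roles?
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY granted_role, grantee;

-- 2. What do those roles actually carry on this database version?
--    Compare this list against what each grantee really needs.
SELECT grantee AS role_name, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY grantee, privilege;

-- 3. Developer role (hypothetical name) built from individual
--    system and object privileges instead of CONNECT + RESOURCE.
CREATE ROLE app_dev_role;
GRANT CREATE SESSION   TO app_dev_role;
GRANT CREATE TABLE     TO app_dev_role;
GRANT CREATE VIEW      TO app_dev_role;
GRANT CREATE PROCEDURE TO app_dev_role;
GRANT CREATE SEQUENCE  TO app_dev_role;
GRANT SELECT ON app_owner.orders TO app_dev_role;  -- hypothetical table

-- 4. A narrow administrative role (hypothetical name) for one
--    day-to-day DBA task, account maintenance, instead of full DBA.
CREATE ROLE dba_user_admin_role;
GRANT CREATE USER TO dba_user_admin_role;
GRANT ALTER USER  TO dba_user_admin_role;

-- 5. Move a user (hypothetical) onto the custom role. A role cannot
--    carry a tablespace quota, so set one explicitly on the user.
GRANT app_dev_role TO dev_user1;
ALTER USER dev_user1 QUOTA 100M ON users;
REVOKE connect, resource FROM dev_user1;

-- 6. Re-check: this should return no rows for the migrated user.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'DEV_USER1'
AND    granted_role IN ('CONNECT', 'RESOURCE', 'DBA');
```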
