Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: add new user to oracle ??

Re: add new user to oracle ??

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Sat, 31 Jan 2004 13:25:10 +1100
Message-ID: <401b1207$0$5862$afc38c87@news.optusnet.com.au> 






"Thomas Kellerer" <spam_eater_at_gmx.net> wrote in message
news:bveon3$n50$1_at_svr7.m-online.net...


> Daniel Morgan schrieb:

> > Do not grant the CONNECT, RESOURCE, OR DBA roles.

>

> Why is that?

>

> If we should not use those roles, why do they exist in the first place?

>

> Thomas




The official line is that they are there for "backwards compatibility". In
other words, way back in the past, Oracle created these roles (which have
all sorts of extremely generous privileges granted to them) and a lot of
developers and third-party vendors decided to use them for their
applications instead of doing the decent thing and working out for
themselves which privileges are actually needed by particular users. Oracle
would dearly love to get rid of those roles now but can't, because it would
break all those naughty (and lazily-developed) apps out there.



The strong (and official) advice is not to use them. (Naturally, Oracle
itself still does, because it sometimes gets a bit lazy, too. But just
because they set a bad example, doesn't mean you should follow them).



"Connect", for example, includes such juicy grants as create view, create
table, alter session, create cluster, create database link... and most
people just think they're letting someone connect to their database!!



"Resource" is a bit of a vague term, isn't it... such a shame it happens to
also include things like 'create procedure'.



Now, you might think that these are not too bad, and therefore you're quite
happy to use them. Trouble is, Oracle is on record as saying that they're
deprecated, and that means that at some point in the future, they will
abolish them. So if you've set up your users with them in the meantime, come
the day commeth the hour, no-one will be able to do their regular jobs. So
if you really rather like them, at least do the decent thing and create
roles which are identical copies of the "bad" ones. Oracle can then do its
worst in terms of abolishing them, and your database functionality will not
be affected.



Regards


HJR


-- 
------------------------------------
Oracle insights at www.dizwell.com
------------------------------------


Received on Fri Jan 30 2004 - 20:25:10 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US