
Re: DBAs, roles and privs

From: Joe <nospam_at_joekaz.net>
Date: Mon, 17 May 2004 18:32:02 -0400
Message-ID: <H2bqc.4974$mi2.3075@fe33.usenetserver.com>


On 05/17/2004 09:40 AM, Daniel Morgan said:
> Pete Finnigan wrote:
>
>>I am sorry I have to
>>disagree with Daniel, just dropping privileges until something breaks is
>>not a good plan. I have seen this done before and it results in chaos.
>
> On rereading this ... I have to agree. I was thinking in terms of
> dropping privileges that, after investigation, seemed dangerous and
> irrelevant to the application. So, for example, I'd feel reasonably
> comfortable dropping ADMINISTER SECURITY or DROP TABLESPACE.
>
> I did not mean to imply that I'd blindly go around dropping privs
> until I finally got to CREATE SESSION.
>

You can use Oracle's auditing features to get some level of assurance before revoking a privilege. Dba_audit_trail shows you what privilege was used to do some action. So if you are thinking of revoking the DROP ANY TABLE privilege, AUDIT DROP ANY TABLE for a while, and check the audit trail to see if that privilege was actually used for anything.

Still, I think it's best to work with the vendor, and do what they recommend. And if that doesn't match your security policies, write it up as an exception, and get both the data owner and your management to sign off on it.

-- 
Joe
http://www.joekaz.net/
http://www.cafeshops.com/joekaz
Received on Mon May 17 2004 - 17:32:02 CDT
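
The audit-before-revoke check described in the message above, written out as an added example that is not part of the original post. It assumes the AUDIT_TRAIL initialization parameter is set to DB and uses a hypothetical grantee named APP_USER.

```sql
-- Added example. APP_USER is a hypothetical account name.
-- Assumes AUDIT_TRAIL=DB, so audit records are readable via DBA_AUDIT_TRAIL.

-- 1. See who currently holds the privilege (users and roles both appear as grantees).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'DROP ANY TABLE'
 ORDER BY grantee;

-- 2. Record every use of the privilege, one audit row per statement.
AUDIT DROP ANY TABLE BY ACCESS;

-- 3. Confirm the audit option is in place before starting the observation window.
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE privilege = 'DROP ANY TABLE';

-- 4. After a window long enough to cover periodic jobs (month-end, upgrades,
--    vendor maintenance scripts), summarise who actually used the privilege.
--    Dropping a table in your own schema does not use DROP ANY TABLE,
--    so it does not show up here.
SELECT username,
       owner,
       action_name,
       returncode,
       COUNT(*)       AS uses,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE priv_used = 'DROP ANY TABLE'
 GROUP BY username, owner, action_name, returncode
 ORDER BY username, owner;

-- 5. Only if step 4 shows no use by the account, revoke the privilege
--    and stop auditing it.
REVOKE DROP ANY TABLE FROM app_user;
NOAUDIT DROP ANY TABLE;
```

An empty result in step 4 only covers the period that was audited, so the length of the window matters as much as the query.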
