Re: OK to revoke privileges from SYS or DBA?

"DA Morgan" <damorgan_at_x.washington.edu> wrote in message news:1102438184.125096_at_yasure...
> Anurag Varma wrote:
>
> > "DA Morgan" <damorgan_at_x.washington.edu> wrote in message news:1102389346.899684_at_yasure...
-snip-
> >>>Anurag
> >>
> >>Because they are security holes. Perhaps it is just me but I read
> >>scripts before I run them and edit them where appropriate.
> >>
> >>I absolutely fail to see why anyone would grant CONNECT knowing it
> >>is giving each and every end user the ability to create a database
> >>link. It may not be a problem where many of you work ... but in a
> >>security conscious environment ... it just makes no sense: At least
> >>to me.
> >>--
> >>Daniel A. Morgan
> >>University of Washington
> >>damorgan_at_x.washington.edu
> >>(replace 'x' with 'u' to respond)
> >
> >
> > Fine. Then tell me what privs you would really grant the outln, wmsys, oem_monitor, logstdby_administrator and csmig users? ..
if
> > you
> > plan on dropping connect, resource from your database
> > What would you edit the above lines to?
> > How would you figure out what privs to grant by looking at a wrapped pl/sql code (see owmctab.plb above)?
> > mind reading I guess!
> >
> > Anurag
>
> It might be the exact same privs that are in CONNECT and RESOURCE. I
> would have to make that decision when the time came. But I wouldn't
> do it with the default role names that the entire world knows.
>
> So I would create my own roles and then substitute those names for
> CONNECT and RESOURCE.
> --
> Daniel A. Morgan
> University of Washington
> damorgan_at_x.washington.edu
> (replace 'x' with 'u' to respond)

Oh ok. So you'll create roles with the same exact privs and will feel your db is secure.

Excellent!

Anurag Received on Tue Dec 07 2004 - 18:13:46 CST