Re: CONNECT Role Privileges
DA Morgan wrote:
> The following is quoted from the 10gR2 Beta document.
> =======================================================================
> The connect role privilege reduction feature reduces the number of
> privileges granted to the connect role to one, the CREATE SESSION
> privilege. The privileges have been removed from the connect role:
>
> - CREATE CLUSTER
> - CREATE DATABASE LINK
> - CREATE SEQUENCE
> - ALTER SESSION
> - CREATE SYNONYM
> - CREATE TABLE
> - CREATE VIEW
>
> This feature assists customers in deploying secure configurations by
> helping enforce the least privilege principle.
> =======================================================================
>
> This change may or may not be related to the comments here, and
> elsewhere, with respect to the dangers related to creating users and
> giving them the CONNECT role. But it makes me very happy and I have
> received permission to post it here at c.d.o.server.
>
> So be warned ... if you have been using CONNECT as the lazy man's way
> of creating users with permission to connect to the database ... it
> will not work the same way in the future unless you intentionally
> modify the role. Hopefully no one will but rather will create their
> own custom roles that reflect job titles and responsibilities.
Well, finally. Developers will have to learn what roles are about. Are there any changes to resource as well, or are the removed privileges silently added to the resource role?
You know, people insist on grant connect, resource to myuser, and the Oracle Documentation sets some really bad examples (why the hell should the RMAN catalog owner get resource and connect on top of recovery_catalog_owner, as the 10g RMAN Reference suggests?).
But still good to know.
Holger

Received on Tue May 31 2005 - 12:37:50 CDT
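
Added example, not part of the original thread: one way to find out who depends on CONNECT before the reduction described above takes effect, and to replace it with a custom role. It uses the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_OBJECTS dictionary views; the role name APP_DEVELOPER, the user MYUSER and the privilege set granted to the role are hypothetical.

```sql
-- 1. What CONNECT grants in this database right now. After the change
--    quoted above, only CREATE SESSION should be listed.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Every user or role that was handed CONNECT or RESOURCE.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, granted_role;

-- 3. CONNECT grantees that own objects of the types covered by the
--    removed CREATE privileges. These accounts are the ones most likely
--    to need those privileges from somewhere else afterwards. ALTER
--    SESSION leaves no object behind, so review it separately.
SELECT rp.grantee, o.object_type, COUNT(*) AS object_count
FROM   dba_role_privs rp
JOIN   dba_objects o ON o.owner = rp.grantee
WHERE  rp.granted_role = 'CONNECT'
AND    o.object_type IN ('CLUSTER', 'DATABASE LINK', 'SEQUENCE',
                         'SYNONYM', 'TABLE', 'VIEW')
GROUP  BY rp.grantee, o.object_type
ORDER  BY rp.grantee, o.object_type;

-- 4. A custom role reflecting one job function, granted in place of
--    CONNECT. APP_DEVELOPER, MYUSER and the privilege list are
--    hypothetical; grant only what query 3 shows the job needs.
CREATE ROLE app_developer;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE
  TO app_developer;
GRANT app_developer TO myuser;
REVOKE connect FROM myuser;
```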