Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: CONNECT Role Privileges

Re: CONNECT Role Privileges

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 31 May 2005 11:23:31 -0700
Message-ID: <1117563682.721411@yasure>


Holger Baer wrote:

> Well finally.

My feeling exactly.

> Developers will have to learn what roles are about. Are there
> any changes to resource as well or are the removed privileges silently
> added to the resource role?

To the best of my knowledge no change was made to RESOURCE although I made a plea for that change in 10gR3 should there be one. And if not 10gR3 in 11. The security risk created by these three default roles exceeds any possible value they might contain.

> You know, people insist on grant connect, resource to myuser, and the
> Oracle Documentation sets some really bad examples (why the hell should
> the RMAN catalog owner get resource and connect on top of
> recovery_catalog_owner, as the
> 10g RMAN Reference suggests?).
>
> But still good to know.
>
> Holger

I am hopeful that Sarbanes-Oxley, HIPAA, and the obvious threat of laws and litigation related to data theft will lead Oracle to tighten up some of the default install practices.

With 10g they finally got around to killing CHANGE_ON_INSTALL. I would very much like to see these roles pounded into dust too. And then the next item on my list will be a change so that when Oracle installs the default will be resource_limit = TRUE and the default profile will include the VERIFY_FUNCTION function as well as limitations on password expiration, password reuse, etc.

Oracle is already more secure than its competition out of the box. That does not mean best practices shouldn't be the default.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Tue May 31 2005 - 13:23:31 CDT
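
The hardening discussed in this post, as an added example that is not part of the original message: audit who holds CONNECT and RESOURCE, replace them with an explicit role, and turn on the profile limits mentioned above. The role name APP_OWNER_ROLE, its privilege list, the USERS tablespace quota and all numeric limits are assumptions; `verify_function` is assumed to have been created by running Oracle's `utlpwdmg.sql` script as SYS.

```sql
-- 1. Audit: who holds the default roles named in the thread, and what they carry.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE')
 ORDER BY granted_role, grantee;

SELECT role, privilege
  FROM role_sys_privs
 WHERE role IN ('CONNECT', 'RESOURCE')
 ORDER BY role, privilege;

-- 2. Replace "grant connect, resource to myuser" with an explicit role.
--    APP_OWNER_ROLE and its privilege list are assumptions:
--    grant only what this schema actually needs.
CREATE ROLE app_owner_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE PROCEDURE
   TO app_owner_role;
GRANT app_owner_role TO myuser;
REVOKE connect, resource FROM myuser;

-- In the releases discussed here, granting RESOURCE also gives the user
-- UNLIMITED TABLESPACE directly, and revoking RESOURCE takes it away again,
-- so set an explicit quota (tablespace and size are assumptions).
ALTER USER myuser QUOTA 100M ON users;

-- 3. Make profile resource limits take effect. Without an spfile, also set
--    resource_limit in the init parameter file so it survives a restart.
ALTER SYSTEM SET resource_limit = TRUE;

-- 4. Password rules on the DEFAULT profile (all values are constructed examples).
ALTER PROFILE default LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1;

-- 5. Verify what is now in force.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;
```

Password limits in a profile are enforced regardless of `resource_limit`; that parameter controls the kernel resource limits (sessions per user, idle time and so on) in the same profile.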
