Re: Granting 'connect' role- which 7 privilages it gives ?

Laurent Schneider wrote:
> hopefully (!), CONNECT is granting only CREATE SESSION in 10gR2.
>
> have fun
> Laurent

Lest I forget again you really should not be granting CONNECT or RESOURCE to any user. User management means managing the permissions a user is allowed, and using roles such as RESOURCE and CONNECT, especially when one is not familiar with which privileges they supply, is simply not responsible in my opinion. These two roles grant the following system privileges:

CONNECT includes the following system privileges: ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM, CREATE TABLE, CREATE VIEW RESOURCE includes the following system privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE Most users do not need such a broad range of privileges, and making such sweeping grants is clearly a sign, in my opinion, of laziness, as roles created by Oracle, in sql.bsq, which are generally used by Oracle to create administrative users for the various options one can install, as well as for creating the SYS and STSTEM users, are being used for general users to the database. You didn't know until you ASKED which privileges were included with the CONNECT role. This, again, is an excellent example of poor user management in my estimation.

Create less generous roles for general user management and stop using CONNECT and RESOURCE. Oracle has changed the permissions list for these roles in 10g and will probably continue to do so. Reliance on roles not intended for general use can only create problems later.

David Fitzjarrell Received on Mon Oct 03 2005 - 09:34:52 CDT