Re: access to dbms_fga package on shared server

From: Mark D Powell <>
Date: Mon, 12 May 2008 06:42:28 -0700 (PDT)
Message-ID: <>

On May 12, 9:30 am, "" <> wrote:
> Comments embedded.
> On May 12, 8:03 am, maxim2k <> wrote:
> > Hi,
> > I manage an Oracle Database 10g R2 on Red Hat Enterprise Linux 4, the
> > server is shared between a few customers: each customer has access
> > (CONNECT and RESOURCE priveges) to his own schema only, he cannot access
> > other customers objects.
> I can only presume this access is through the schema owner.  Is this
> the ONLY account accessing this users objects?
> > One of our customers just asked EXECUTE privilege on the dbms_fga package.
> Which should not be an issue.  My question is this: if there is only
> ONE user account which  can access these user objects what good does
> having execute privilege on dbms_fga provide?  This is used to provide
> Fine-Grained Access (fga) to database objects based upon a user id.
> If only ONE user id accesses these objects I can see no purpose in
> granting access to this package.
> > I'm new to this package and I'm not sure what would be the consequences
> > of such grant.
> None, really, as normally it restricts/audits user access to objects
> not owned by that user.
> > Can I safely grant that to the customer in question without compromising
> > the security of other customers data on the shared server?
> Certainly, however I see little, if any, benefit to this if my
> understanding of this configuration (one user account per customer) is
> correct.
> > Thanks.
> David Fitzjarrell

To add to what David posted ask the customer what he or she intends to do. It the customer application passes in the 'real' user then the customer may be trying to capute who really performed a change or may actually want to use the dbms_rls package.

Personally I do not think customers should have the ability to create objects in a production environment. If this is a valid activity for the application then I would want the object creation handled via a package referenced via a provided screen interface.

HTH -- Mark D Powell -- Received on Mon May 12 2008 - 08:42:28 CDT

Original text of this message