Re: Newbie question on user rights
From: gazzag <gareth_at_jamms.org>
Date: Thu, 19 Nov 2009 08:12:08 -0800 (PST)
Message-ID: <e43d6079-a151-4ada-bf1f-c40ccf88909c_at_d5g2000yqm.googlegroups.com>
On 19 Nov, 15:35, gpadu99 <gpad..._at_gmail.com> wrote:
> Thanks for the quick answer. Is it normal that, the user that an
> application uses to connect to the database, has the DBA role? (I
> think not). Does this explain the fact that this user has access to
> another schema?- Hide quoted text -
>
Date: Thu, 19 Nov 2009 08:12:08 -0800 (PST)
Message-ID: <e43d6079-a151-4ada-bf1f-c40ccf88909c_at_d5g2000yqm.googlegroups.com>
On 19 Nov, 15:35, gpadu99 <gpad..._at_gmail.com> wrote:
> Thanks for the quick answer. Is it normal that, the user that an
> application uses to connect to the database, has the DBA role? (I
> think not). Does this explain the fact that this user has access to
> another schema?- Hide quoted text -
>
Normal? Sadly yes, in my experience. Correct? Definitely not; merely an indication of lazy development.
The DBA role has many privileges associated with it including SELECT ANY TABLE which, as you correctly surmise, is allowing the user you're talking about to see (and update, truncate or even drop!) any table within the database and so is a security risk.
The following query will show you what privileges are given to a particular user/role:
SELECT PRIVILEGE
FROM dba_sys_privs
WHERE grantee='<user_or_role_name>'
ORDER BY privilege;
HTH -g Received on Thu Nov 19 2009 - 10:12:08 CST