Return-Path: Received: from ensim.rackshack.net (root@localhost) by orafaq.net (8.11.6/8.11.6) with ESMTP id h028xNp01269 for ; Thu, 2 Jan 2003 02:59:23 -0600 X-ClientAddr: 209.68.248.164 Received: from newsfeed.cts.com (newsfeed.cts.com [209.68.248.164]) by ensim.rackshack.net (8.11.6/8.11.6) with ESMTP id h028xNc01264 for ; Thu, 2 Jan 2003 02:59:23 -0600 Received: from fatcity.UUCP (uucp@localhost) by newsfeed.cts.com (8.9.3/8.9.3) with UUCP id VAA45412; Wed, 1 Jan 2003 21:41:28 -0800 (PST) Received: by fatcity.com (26-Feb-2001/v1.0g-b72/bab) via UUCP id 005251FE; Wed, 01 Jan 2003 21:03:38 -0800 Message-ID: Date: Wed, 01 Jan 2003 21:03:38 -0800 To: Multiple recipients of list ORACLE-L X-Comment: Oracle RDBMS Community Forum X-Sender: =?ISO-8859-1?Q?Mogens_N=F8rgaard?= Sender: root@fatcity.com Reply-To: ORACLE-L@fatcity.com Errors-To: ML-ERRORS@fatcity.com From: =?ISO-8859-1?Q?Mogens_N=F8rgaard?= Subject: Invoker-rights/definer-rights response from Oracle Development Organization: Fat City Network Services, San Diego, California X-ListServer: v1.0g, build 72; ListGuru (c) 1996-2001 Bruce A. Bergman Precedence: bulk Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="------------010500090301040004060903" --------------010500090301040004060903 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Good morning, A few days ago there was a debate about the issue with invoker/definer-stuff. I wrote to Mary Ann Davidson, who's responsible for Oracle security things (she's the female guru you may have seen on the big posters at Oracle World both in Copenhagen and San Francisco). So I forwarded the thread to her, and here's the response from Paul Needham of her team (who by the way was impressed with the knowledge level of the list contributors). Mogens ------------------------------------------------------------------------ The invoker-rights functionality was developed to allow code to be shared across multiple schemas. The definer-rights functionality sometimes required that the same stored procedure exist in multiple locations, creating maintenance headaches. The invoker-rights model solves this problem. Most applications are designed such that the data and application program units reside in the same schema. In this situation the issue of privilege propagation usually isn't a problem. In situations where a program unit depends on an external program unit in a different schema, the owner of the external program unit would need to give the other user execute privilege explicitly. Oracle security product management continually reviews enhancement requests submitted by customers. To date there hasn't been broad demand for new security in this area beyond what has been provided via the introduction of the invoker-rights facility. Oracle9i introduced the secure application role and global application context which are designed for proxy architectures. The secure application role restricts enabling a role to a set role command in a named security package. The security package can perform it's own security checks prior to invoking the set role command. ------------------------------------------------------------------------ --------------010500090301040004060903 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit

Good morning,

A few days ago there was a debate about the issue with invoker/definer-stuff. I wrote to Mary Ann Davidson, who's responsible for Oracle security things (she's the female guru you may have seen on the big posters at Oracle World both in Copenhagen and San Francisco). So I forwarded the thread to her, and here's the response from Paul Needham of her team (who by the way was impressed with the knowledge level of the list contributors).

Mogens

The invoker-rights functionality was developed to allow code to be shared across multiple schemas.  The definer-rights functionality sometimes required that the same stored procedure exist in multiple locations, creating maintenance headaches.  The invoker-rights model solves this problem.

Most applications are designed such that the data and application program units reside in the same schema.  In this situation the issue of privilege propagation usually isn't a problem.  In situations where a program unit depends on an external program unit in a different schema, the owner of the external program unit would need to give the other user execute privilege explicitly.

Oracle security product management continually reviews enhancement requests submitted by customers.  To date there hasn't been broad demand for new security in this area beyond what has been provided via the introduction of the invoker-rights facility.  Oracle9i introduced the secure application role and global application context which are designed for proxy architectures.  The secure application role restricts enabling a role to a set role command in a named security package.  The security package can perform it's own security checks prior to invoking the set role command.

--------------010500090301040004060903-- -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: =?ISO-8859-1?Q?Mogens_N=F8rgaard?= INET: mln@miracleas.dk Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).