Subject: RE: Using TOAD on production databases
Date: Tue, 17 Aug 2004 11:42:10 -0400
From: "Aragon, Gabriel (GE Commercial Finance)" <gabriel.aragon@ge.com>
To: <oracle-l@freelists.org>

You don't need to worry about giving developers many privs, a rookie
programmer can make a lot of damage with an innocent select. =)

Also, I remember in a previous Oracle version (7.3 AFAIR) this instruction
provoked an immediate shutdown in NT:

to_number(char_column) --if the char_column had a non-numeric value..

GAP



-----Original Message-----
From: oracle-l-bounce@freelists.org
[mailto:oracle-l-bounce@freelists.org]On Behalf Of Mercadante, Thomas F
Sent: Tuesday, August 17, 2004 08:33 a.m.
To: 'oracle-l@freelists.org'
Subject: RE: Using TOAD on production databases


Venu,

Toad gives them nothing more than SQL*Plus gives them. You are perfectly ok.
Our developers have read-only accounts in our production database. They can
use *any freekin tool* they want to use. I do not base security based on
the tool - but based on Oracle roles. You *cannot* base your database
security based on a tool if the user is given an Oracle account. They can
simply log on with a thousand other tools.

Using Oracle roles and grants is the only way to guarantee database
security.

Hope this helps.

Tom Mercadante
Oracle Certified Professional


-----Original Message-----
From: Potluri, Venu (IDS AIS SE) [mailto:venu_potluri@ml.com]
Sent: Monday, August 16, 2004 8:07 PM
To: oracle-l@freelists.org
Subject: RE: Using TOAD on production databases


The only system privilege my developers have is create session. PERIOD.
Nobody gets anything else.

We do grant roles that give SELECT access to some tables. We don't grant any
insert, update, delete privileges to any roles.

So, let's say the developer has valid reason to access production data and
has SELECT privilege on some tables, what exactly does TOAD give this
developer above and beyond what I give him as a DBA?




-----Original Message-----
From: oracle-l-bounce@freelists.org [mailto:oracle-l-bounce@freelists.org]
On Behalf Of Raj Jamadagni
Sent: Monday, August 16, 2004 6:29 PM
To: oracle-l@freelists.org
Subject: Re: Using TOAD on production databases

There are many words in your first statement that are a security auditor's
dream. I bet Pete F. is using MapQuest to find fastest route to your office
right now.

So, let me get this straight, ON PRODUCTION database you are worried that
developers accessing SYS/SYSTEM objects so you will block them. Great. But
you don't have a problem if they access production data?? Sarbanes-Oxley ...
and I think you work for a BIG financial company right??

Developers shouldn't be connecting to production database without a valid
reason ... period. And no matter which site writes what, the only way to
incorporate security is to use TOAD security. RTFM the TOAD stuff, it is
all explained there.

BTW don't give me any roles but grant me 'execute any procedure' and give me
2 minutes, I'll probably be able to revoke all your roles ... least I'll
grant myself DBA role ...

Raj

--- "Potluri, Venu (IDS AIS SE)" <venu_potluri@ml.com> wrote:

> Is there any problem with developers using Quest Software's TOAD on
> production databases? Regardless of the functionality in TOAD, a
> developer shouldn't be able to use the DBA functionality in TOAD,
> correct? We grant roles to developers and those roles never include any
> privileges on SYSTEM or SYS owned objects. What made me ask this
> question is a script on www.orafaq.com that shows a way to prevent
> developers from using TOAD on production databases. Any thoughts are
> appreciated.
> Venu Potluri
> Oracle Financials DBA
> --------------------------------------------------------
> If you are not an intended recipient of this e-mail, please notify the
> sender, delete it and do not read, act upon, print, disclose, copy, retain
> or redistribute it. Click here for important additional terms relating to
> this e-mail. http://www.ml.com/email_terms/
> --------------------------------------------------------
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to: oracle-l-request@freelists.org put
> 'unsubscribe' in the subject line.
> --
> Archives are at http://www.freelists.org/archives/oracle-l/
> FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------


=====
Best Regards
Raj
---------------------------------------------------------
select mandatory_disclaimer from company_requirements;
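
Added example, not part of the original thread: a sketch of the role-based setup the posters describe (CREATE SESSION plus a SELECT-only role) with data dictionary queries a DBA can run to confirm that nothing broader, such as the EXECUTE ANY PROCEDURE privilege mentioned above, reaches a developer account. The names APP_READONLY, APP.ORDERS and DEV_JSMITH are hypothetical.

```sql
-- Added example; APP_READONLY, APP.ORDERS and DEV_JSMITH are hypothetical names.
-- Run as a DBA. Setup as described in the thread: CREATE SESSION is the only
-- system privilege, and data access comes from a SELECT-only role.
CREATE ROLE app_readonly;
GRANT SELECT ON app.orders TO app_readonly;
GRANT CREATE SESSION TO dev_jsmith;
GRANT app_readonly TO dev_jsmith;

-- Check 1: every system privilege that reaches the account, directly or
-- through nested roles. Anything beyond CREATE SESSION is a finding.
-- (Privileges granted to PUBLIC apply to every user; review those separately.)
SELECT sp.grantee AS granted_via, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'DEV_JSMITH'
   OR  sp.grantee IN (SELECT rp.granted_role
                      FROM   dba_role_privs rp
                      START WITH rp.grantee = 'DEV_JSMITH'
                      CONNECT BY PRIOR rp.granted_role = rp.grantee)
ORDER  BY sp.privilege;

-- Check 2: object privileges other than SELECT that reach the account,
-- directly or through nested roles (INSERT, UPDATE, DELETE, EXECUTE, ...).
SELECT tp.grantee AS granted_via, tp.owner, tp.table_name, tp.privilege
FROM   dba_tab_privs tp
WHERE  (tp.grantee = 'DEV_JSMITH'
        OR tp.grantee IN (SELECT rp.granted_role
                          FROM   dba_role_privs rp
                          START WITH rp.grantee = 'DEV_JSMITH'
                          CONNECT BY PRIOR rp.granted_role = rp.grantee))
AND    tp.privilege <> 'SELECT'
ORDER  BY tp.owner, tp.table_name, tp.privilege;

-- Check 3: database-wide list of grantees holding an "ANY" system privilege
-- (EXECUTE ANY PROCEDURE, SELECT ANY TABLE, ...). Built-in accounts and roles
-- other than SYS, SYSTEM and DBA will still appear; review each grantee that
-- is not part of the default installation.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;
```

The checks depend only on the data dictionary, so they give the same answer whichever client tool the developer connects with.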



