Re: Minimum peivalage to let user see all session information

On May 16, 9:05 am, fitzjarr..._at_cox.net wrote:
> On May 15, 6:18 pm, "Sam" <ysa..._at_yahoo.com> wrote:
>
> > Hi There,
> > What is the minimum privilege that I can give a user to be able to see(Just
> > select) all session information,
> > without seeing other users/schemas objects?
> > I tried:
> > SELECT_CATALOG_ROLE
> > also
> > GRANT SELECT ANY DICTIONARY
>
> > both of them worked but they alsso let them to see other Schema/Users
> > objects like table name even structure of tables and procedures,
> > How can I limit them to not seeing "other schema information" but see just
> > Session information,
>
> > Thank you in advance
>
> Were you not relying upon the 'lazy man's way' of doing this you'd
> have realised granting select on sys.v_$session would do what you ask.
>
> David Fitzjarrell

Warning - there are known security risks with granting the SELECT_CATALOG_ROLE and GRANT SELECT ANY DICTIONARY privileges. In general you should not grant any of the ANY privileges without a definite business case.

David pointed out the object that user SYS can issue grants on. You probably want to create a ROLE and grant it several of the dynamic performance views for use by developers to monitor Oracle sessions, processes, and locks.

grant select on v_$xxxxxxxx where x is the name that follows v$ as in v $session, v$process, v$lock, v$sql_text.

HTH -- Mark D Powell -- Received on Wed May 16 2007 - 10:05:33 CDT