Oracle FAQ, c.d.o.server Usenet archive: Re: Creating a 'helpdesk' user
postbus_at_sybrandb.demon.nl (Sybrand Bakker) wrote in message news:<a20d28ee.0108160051.7f87a05_at_posting.google.com>...
> fornewsgroups_at_vikas.mailshell.com (Vikas Agnihotri) wrote in message news:<902027f8.0108151213.7b50b877_at_posting.google.com>...
> > This is working fine. But few problems:
> >
> > 1. They cannot grant 'create table' to a new user they create. To do
> > this, I would need to 'grant create table to helpdesk WITH ADMIN
> > OPTION'. I don't want to do this because I don't want HELPDESK to create
> > tables.
> >
> > Is there a way to grant just the admin option part i.e. allow them to
> > grant CREATE TABLE to others but not be able to create tables
> > themselves.
> >
> > 2. The main and (surprising) problem with the above is this:
> >
> > Even though HELPDESK is a non-DBA user created expressly for user
> > creation, HELPDESK can create a new user and grant DBA to the user and
> > thus have a DBA access to the database!
> >
> > This seems silly. What am I missing? How can it be so easy to subvert
> > Oracle's security? Oracle's GRANT ANY ROLE system privilege should
> > have the intelligence to not grant DBA. Otherwise, what's the point of
> > this system privilege? Granting it to anyone is akin to giving them
> > DBA access.
> >
> > Anyway, let's take it one step back. Maybe I need to re-think my whole
> > approach.
> >
> > Does anyone have any ideas on how to accomplish what I want? i.e.
> > create a helpdesk user to create new users, modify them, grant
> > *application* roles to them (defined by us)?
> >
> > Thanks
>
>
> DBA is *not* a system privilege, it is a *role* since 7.0
Yes, I know. Does anything I wrote above imply that I am not aware of this?
Please read my post carefully. DBA being a role and not a system privilege has nothing to do with this.
Ah, you must be referring to my statement above "Oracle's GRANT ANY ROLE system privilege should have the intelligence to not grant DBA. Otherwise, what's the point of this system privilege?"
My "what's the point of" refers to the GRANT ANY ROLE system privilege and not the DBA *role*. I thought it was pretty clear from the context of the 2 sentences.
My question still stands.
How can I create a 'helpdesk' user to create new users, modify them, grant application roles to them (defined by us)?
I thought that the GRANT ANY ROLE *system privilege* would be perfect for this.
But as I found out, this gives HELPDESK the ability to create a new user, GRANT the DBA *role* to the user and bingo, get dba access to the database! How to prevent this?
> Please read your docs before you start shouting.
Obviously, you just took a quick glance at my post and fired off your usual caustic response. You seem to do this with many of my posts. What do you have against me anyway? If you do not want to help me, just don't post anything.

Received on Fri Aug 17 2001 - 09:02:54 CDT
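The thread does not answer the question of how to let HELPDESK create users and hand out application roles without also being able to grant DBA. The following Oracle SQL is an added example, not from the thread or from either poster, showing the narrower grants and an audit query; the account name HELPDESK and the roles APP_USER, APP_REPORTING and APP_DEVELOPER are assumed names, and the behaviour of ADMIN OPTION on a role that is not a default role should be verified on your own Oracle version.

```sql
-- Added example (not from the thread). Assumed names: HELPDESK, and the
-- application roles APP_USER, APP_REPORTING, APP_DEVELOPER "defined by us".

-- 1. The setup described in the thread: GRANT ANY ROLE lets HELPDESK grant
--    every role in the database, including DBA.
-- GRANT CREATE USER, ALTER USER, GRANT ANY ROLE TO helpdesk;

-- 2. Narrower setup: HELPDESK keeps only the account-management privileges.
GRANT CREATE USER, ALTER USER TO helpdesk;

--    Put CREATE TABLE into a role instead of granting it to HELPDESK directly
--    (the "create table WITH ADMIN OPTION" problem from point 1 of the post).
CREATE ROLE app_developer;
GRANT CREATE TABLE TO app_developer;

--    Each application role is granted WITH ADMIN OPTION, which lets HELPDESK
--    grant (and revoke) exactly these roles to other users. No GRANT ANY ROLE
--    is involved, so DBA is out of reach.
GRANT app_user, app_reporting, app_developer TO helpdesk WITH ADMIN OPTION;

--    Keep the application roles disabled in HELPDESK's own sessions so the
--    account can administer them without exercising their privileges
--    (verify on your version that the ADMIN OPTION grant still works while
--    the role is not a default role).
ALTER USER helpdesk DEFAULT ROLE ALL EXCEPT app_user, app_reporting, app_developer;

-- 3. Detection: who can grant arbitrary roles, and who can grant DBA onward.
--    Any grantee other than the standard administrative accounts and roles
--    deserves a review.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'GRANT ANY ROLE'
 ORDER BY grantee;

SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```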