
Re: Deadly sins againts database performance/scalability

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sat, 06 Dec 2003 07:59:34 -0800
Message-ID: <1070726409.407144@yasure>


Galen Boyer wrote:

> On 5 Dec 2003, drak0nian_at_yahoo.com wrote:
>
>> the problem with granting an app_owner schema the role DBA is
>> that then the application is coded depending upon the DBA role
>> (and usually, all of the sys_privs that are in that role, that
>> the account invariably grants itself directly). It is such a
>> PITA to get changes made to remove queries that hit the dba_
>> views (such as dba_cons_columns for RI errors). If the
>> developers can't code against the dba_% views, but are limited
>> to the all_ views, you don't have as many issues when the code
>> runs on a qa db where the app owner account does not have the
>> DBA role granted to it.
>
> You are missing my point. I never want the user that the
> application will log in as to have anything but the privileges
> that will be granted to it in public. What I want is a user that
> has dba privileges (or a form thereof) that can be used by me
> and the development crew for the sole purpose of modifying the
> database for developing the app. I, most definitely, want to
> hamper the application schema exactly as I plan to in production.

What Paul Drake and so many others miss is that the security policy of a company should be a written document. And the security rights and privileges of an application should be part of a written specification.

If developers are required to create or modify applications based on those two documents then no application they create or modify can possibly violate the agreed security policies and specifications.

The only thing the developers could possibly do is make their jobs a bit easier. Little things like looking up reserved words, checking to make sure that all of their dynamic SQL is using bind variables, looking at the numbers of hard and soft parses: In short all of the things Tom Kyte does on his asktom website to demonstrate that things are working as they should.

The sad fact is, and since I don't know you Paul I'm not pointing at you so don't take this personally, the DBAs that are most paranoid about giving developers privileges in development environments, are the DBAs that know the least about development: The ones that can't actually write and debug PL/SQL.

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat Dec 06 2003 - 09:59:34 CST
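The checks the thread argues over, as an added example that is not from any of the posters: which accounts hold DBA, what direct system privileges the application schema has accumulated, and whether its code references DBA_% views that will not resolve once the role is gone. It assumes Oracle and a DBA-privileged session; APP_OWNER and DEV_USER are placeholder names.

```sql
-- Added example, not from the thread. Run as a DBA-privileged user in Oracle.
-- APP_OWNER and DEV_USER are placeholders for the schemas under review.

-- 1. Which accounts hold the DBA role at all?
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 2. Direct system privileges on the application schema. The thread's point is
--    that these accumulate when DBA is granted "temporarily" in development.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'APP_OWNER'
 ORDER BY privilege;

-- 3. Static references from the app's PL/SQL to DBA_% views. Such code compiles
--    in dev (where DBA was granted) and breaks in QA/prod without the role.
--    Depending on version the reference shows as the SYS view or the PUBLIC
--    synonym, so both owners are included.
SELECT d.name, d.type, d.referenced_owner, d.referenced_name
  FROM dba_dependencies d
 WHERE d.owner = 'APP_OWNER'
   AND d.referenced_owner IN ('SYS', 'PUBLIC')
   AND d.referenced_name LIKE 'DBA\_%' ESCAPE '\'
 ORDER BY d.name, d.referenced_name;

-- 4. Dynamic SQL is invisible to dba_dependencies, so also search the source
--    text. The leading group avoids matching identifiers such as MYDBA_X.
SELECT s.name, s.type, s.line, TRIM(s.text) AS text
  FROM dba_source s
 WHERE s.owner = 'APP_OWNER'
   AND REGEXP_LIKE(s.text, '(^|[^A-Z0-9_])DBA_[A-Z_]+', 'i')
 ORDER BY s.name, s.line;

-- 5. The separation Galen describes: a distinct developer role carries the DDL
--    rights needed to build the app; the application schema keeps only what it
--    will have in production.
CREATE ROLE app_developer;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE,
      CREATE SEQUENCE, CREATE TRIGGER TO app_developer;
GRANT app_developer TO dev_user;
REVOKE DBA FROM app_owner;
```

Anything returned by queries 3 and 4 is code that must be rewritten against the ALL_% views before it can run on a database where the application owner lacks DBA.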