
Re: add new user to oracle ??

From: Daniel Morgan <damorgan_at_x.washington.edu>
Date: Sat, 31 Jan 2004 09:19:14 -0800
Message-ID: <1075569496.659399@yasure>


Thomas Kellerer wrote:

> Howard J. Rogers wrote:
> 

>> "Thomas Kellerer" <spam_eater_at_gmx.net> wrote in message
>> news:bveon3$n50$1_at_svr7.m-online.net...
>>
>>> Daniel Morgan wrote:
>>>
>>>> Do not grant the CONNECT, RESOURCE, OR DBA roles.
>>>
>>>
>>> Why is that?
>>>
>>> If we should not use those roles, why do they exist in the first place?
>>>
>>> Thomas
>>
>>
>>
>> "Connect", for example, includes such juicy grants as create view, create
>> table, alter session, create cluster, create database link... and most
>> people just think they're letting someone connect to their database!!
>>
>> "Resource" is a bit of a vague term, isn't it... such a shame it happens to
>> also include things like 'create procedure'.
>>
>> Now, you might think that these are not too bad, and therefore you're quite
>> happy to use them. Trouble is, Oracle is on record as saying that they're
>> deprecated, and that means that at some point in the future, they will
>> abolish them. So if you've set up your users with them in the meantime, come
>> the day cometh the hour, no-one will be able to do their regular jobs. So
>> if you really rather like them, at least do the decent thing and create
>> roles which are identical copies of the "bad" ones. Oracle can then do its
>> worst in terms of abolishing them, and your database functionality will not
>> be affected.
>>
> 
> Thanks for the detailed answer. Always learning something new...
> 
> I use and maintain databases for development purposes only, and I do 
> have to create views, procedures, database links, table, etc.
> 
> So I guess my usage is OK :-)
> 
> Cheers
> Thomas

Exactly the opposite. Your usage is totally incorrect.

What you should do is the following:

grant create session to <schema_owner>;
grant create view to <schema_owner>;
grant create procedure to <schema_owner>;
grant create database link to <schema_owner>;
grant create table to <schema_owner>;

No value is created by using functionality Oracle says not to use.

You are still granting unnecessary privileges.

You are making assumptions as to what CONNECT contains.

You have no documentation as to which privileges in CONNECT are actually required.

I don't know you so don't take this personally ... but using CONNECT comes off to me as nothing but lazy and sloppy. Write the few lines of code and produce a far better quality of work.

-- 
Daniel Morgan
http://www.outreach.washington.edu/ext/certificates/oad/oad_crs.asp
http://www.outreach.washington.edu/ext/certificates/aoa/aoa_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Sat Jan 31 2004 - 11:19:14 CST
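
An added example, not part of the original post: one way to replace the assumptions about CONNECT and RESOURCE with what the data dictionary reports, then move a schema owner onto the explicit grants listed above. The account name APP_OWNER, the tablespace USERS and the 100M quota are assumptions for illustration; the queries need access to the DBA_* views.

```sql
-- 1. What the predefined roles actually contain on THIS database and version.
--    The result is the documentation the post says is missing.
SELECT grantee AS role_name, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY grantee, privilege;

-- 2. Which users and roles have been granted those roles directly.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
ORDER  BY granted_role, grantee;

-- 3. Grant only what the schema owner needs (the list from the post),
--    directly and by name. APP_OWNER is a hypothetical account.
GRANT CREATE SESSION       TO app_owner;
GRANT CREATE VIEW          TO app_owner;
GRANT CREATE PROCEDURE     TO app_owner;
GRANT CREATE DATABASE LINK TO app_owner;
GRANT CREATE TABLE         TO app_owner;

-- Tables need space to live in: state the quota explicitly.
-- Tablespace name and size are assumed values.
ALTER USER app_owner QUOTA 100M ON users;

-- 4. Remove the catch-all roles. This raises ORA-01951 if a listed role
--    was never granted to the account, so list only the roles step 2 showed.
REVOKE CONNECT, RESOURCE FROM app_owner;

-- 5. Verify: system privileges should be exactly the five grants above,
--    and the role query should no longer list CONNECT, RESOURCE or DBA.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'APP_OWNER'
ORDER  BY privilege;

SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'APP_OWNER';
```

Saving the output of step 1 alongside the grant script gives a record of which privileges were dropped when the roles were revoked.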
