
Re: user with administrative privileges

From: sybrandb <sybrandb_at_gmail.com>
Date: 10 Oct 2006 02:33:40 -0700
Message-ID: <1160472820.856046.245150@i3g2000cwc.googlegroups.com>

On Oct 10, 10:16 am, "frank.van.bor..._at_gmail.com" <frank.van.bor..._at_gmail.com> wrote:
> fireball wrote:
>
> > User "Frank van Bortel" <frank.van.bor..._at_gmail.com> wrote in
> > message
> > > all other work should be done by a normal user
> > would you please mention exact role/grants that means 'normal' user?
>
> Whatever that user needs:
> Example:
>
> create user html_dev identified by &&htmldevpsw default tablespace
> &&defts temporary tablespace temp;
>
> grant create session, create table, create procedure, create
> materialized view to html_dev;
> grant create sequence, create any context to html_dev;
> grant create synonym, create public synonym, create type to html_dev;
> grant create view, create trigger to html_dev;
> grant alter session to html_dev;
>
> grant execute on dbms_session to html_dev;
> grant execute on dbms_utility to html_dev;
> grant execute on dbms_application_info to html_dev;
>
> grant select on dba_directories to html_dev;
>
> alter user html_dev quota unlimited on &&defts;
>
> Note: not a single role (connect, resource or dba) is granted!
> This html_dev user needs no more privileges than these mentioned.
> In fact, create any context could be dropped (due to a change
> in design) - and that's another possible security risk - forgetting to
> revoke what's no longer needed... Mea culpa.

Of course I fully agree with you.
However, one must note almost all 3rd party vendors grant connect, resource, dba to the application owner, and make sure this owner doesn't have a password.
When you plan to change this they usually threaten to withdraw support....
These are both US and European vendors.
Guess which company still uses these roles, even in their custom built software?
Only one guess is allowed.
Actually one would really like a reply on this one by Mark Townsend, Tom Kyte, or even Larry himself...

As long as Oracle continues to supply these roles (obsoleted in Oracle 6.0), they will never extinguish!!!

-- 
Sybrand Bakker
Senior Oracle DBA
Received on Tue Oct 10 2006 - 04:33:40 CDT
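
An audit query set for the two risks raised in this thread (application owners holding CONNECT, RESOURCE or DBA, and privileges such as CREATE ANY CONTEXT left granted after they are no longer needed). This is an added example, not part of the original posts; it assumes a 12c or later database, where DBA_USERS has the ORACLE_MAINTAINED column, and a session allowed to read the DBA_* views.

```sql
-- Added example (not from the thread). Run as a user with SELECT on the DBA_* views.
-- Assumption: Oracle 12c or later (DBA_USERS.ORACLE_MAINTAINED). On older releases,
-- replace that predicate with an explicit list of Oracle-supplied usernames.

-- 1. Non-Oracle accounts that hold the legacy roles directly.
SELECT rp.grantee,
       rp.granted_role,
       rp.admin_option,
       u.account_status
FROM   dba_role_privs rp
JOIN   dba_users u ON u.username = rp.grantee
WHERE  rp.granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
AND    u.oracle_maintained = 'N'
ORDER  BY rp.grantee, rp.granted_role;

-- 2. System privileges those accounts get ONLY through the legacy role:
--    this is what a REVOKE removes, so anything the application really
--    uses must first be granted directly, as in the html_dev script.
--    Roles nested inside DBA are not expanded here.
SELECT rp.grantee,
       rp.granted_role,
       sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
JOIN   dba_users      u  ON u.username = rp.grantee
WHERE  rp.granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
AND    u.oracle_maintained = 'N'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_sys_privs d
                   WHERE  d.grantee   = rp.grantee
                   AND    d.privilege = sp.privilege)
ORDER  BY rp.grantee, rp.granted_role, sp.privilege;

-- 3. Directly granted "ANY" privileges and unlimited quotas, to review
--    periodically for grants nobody remembered to revoke.
SELECT sp.grantee, sp.privilege AS finding
FROM   dba_sys_privs sp
JOIN   dba_users u ON u.username = sp.grantee
WHERE  sp.privilege LIKE '% ANY %'
AND    u.oracle_maintained = 'N'
UNION ALL
SELECT q.username, 'UNLIMITED QUOTA ON ' || q.tablespace_name
FROM   dba_ts_quotas q
JOIN   dba_users u ON u.username = q.username
WHERE  q.max_bytes = -1
AND    u.oracle_maintained = 'N'
ORDER  BY 1, 2;
```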
