From: "sybrandb" <sybrandb@gmail.com>
Newsgroups: comp.databases.oracle.server
Subject: Re: user with administrative priviledges
Date: 10 Oct 2006 02:33:40 -0700
Organization: http://groups.google.com
Message-ID: <1160472820.856046.245150@i3g2000cwc.googlegroups.com>
References: <egd61a$mad$1@atlantis.news.tpi.pl>
   <egd7ch$d5j$1@nemesis.news.tpi.pl>
   <egebsr$28b$1@news4.zwoll1.ov.home.nl>
   <1160423712.481534.145160@h48g2000cwc.googlegroups.com>
   <egfgce$6hk$1@atlantis.news.tpi.pl>
   <1160468204.902401.205950@c28g2000cwb.googlegroups.com>
On Oct 10, 10:16 am, "frank.van.bor...@gmail.com"
<frank.van.bor...@gmail.com> wrote:
> fireball schreef:
>
> > User "Frank van Bortel" <frank.van.bor...@gmail.com> wrote in
> > message
> > > all other work should be done by a normal user
> > would you please mention exact role/grants that means 'normal' user?
>
> Whatever that user needs:
> Example:
>
> create user html_dev identified by &&htmldevpsw default tablespace
> &&defts temporary tablespace temp;
>
> grant create session, create table, create procedure, create
> materialized view to html_dev;
> grant create sequence, create any context to html_dev;
> grant create synonym, create public synonym, create type to html_dev;
> grant create view, create trigger to html_dev;
> grant alter session to html_dev;
>
> grant execute on dbms_session to html_dev;
> grant execute on dbms_utility to html_dev;
> grant execute on dbms_application_info to html_dev;
>
> grant select on dba_directories to html_dev;
>
> alter user html_dev quota unlimited on &&defts;
>
> Note: not a single role (connect, resource or dba) is granted!
> This html_dev user needs no more privileges than those mentioned.
> In fact, create any context could be dropped (due to a change
> in design) - and that's another possible security risk - forgetting to
> revoke what's no longer needed... Mea culpa.


Of course I fully agree with you.
However, one must note almost all 3rd party vendors grant connect,
resource, dba to the application owner, and make sure this owner
doesn't have a password.
When you plan to change this, they usually threaten to withdraw
support....
These are both US and European vendors.
Guess which company still uses these roles, even in their custom-built
software?
Only one guess is allowed.
Actually one would really like a reply on this one by Mark Townsend,
Tom Kyte, or even Larry himself...

As long as Oracle continues to supply these roles (obsoleted in Oracle
6.0), they will never go extinct!!!

-- 
Sybrand Bakker
Senior Oracle DBA
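Added example, not part of Frank's or Sybrand's posts: a SQL*Plus script that audits which accounts hold the CONNECT/RESOURCE/DBA roles the reply complains about, shows what those roles actually expand to, and then replaces them for one application owner with the explicit grants of Frank's html_dev pattern. The schema name APP_OWNER and the tablespace USERS are placeholders (assumptions); DBA_ROLE_PRIVS, ROLE_SYS_PRIVS, ROLE_ROLE_PRIVS and DBA_SYS_PRIVS are standard Oracle data-dictionary views, and the script has to be run by a DBA.

```sql
-- Added example (not code from the thread). Placeholders: APP_OWNER = the
-- vendor-supplied application owner, USERS = its default tablespace.

-- 1. Which accounts hold the legacy roles directly?
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE', 'DBA')
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, granted_role;

-- 2. What do those roles really hand out?  ROLE_SYS_PRIVS lists the system
--    privileges behind each role; ROLE_ROLE_PRIVS lists the roles nested
--    inside DBA (catalog roles and more), which is why DBA is never
--    "just a login" for an application schema.
SELECT role, privilege
  FROM role_sys_privs
 WHERE role IN ('CONNECT', 'RESOURCE', 'DBA')
 ORDER BY role, privilege;

SELECT role, granted_role
  FROM role_role_privs
 WHERE role = 'DBA'
 ORDER BY granted_role;

-- 3. On releases before 12c, granting RESOURCE also grants the UNLIMITED
--    TABLESPACE system privilege directly to the user, so revoking the role
--    alone leaves that behind.  Check for it separately.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 4. Replace the roles for one owner with the minimum explicit set,
--    mirroring the html_dev example above.  Record the output of steps
--    1-3 first: if the vendor insists on the roles, you need it to revert.
REVOKE connect, resource, dba FROM app_owner;
-- Only if step 3 listed APP_OWNER (otherwise Oracle raises ORA-01952):
REVOKE unlimited tablespace FROM app_owner;

GRANT create session, create table, create view, create procedure,
      create sequence, create trigger, create type, create synonym
   TO app_owner;
-- Storage is granted per tablespace instead of UNLIMITED TABLESPACE.
ALTER USER app_owner QUOTA UNLIMITED ON users;

-- 5. Verify: the owner should now show explicit system privileges only,
--    and no roles at all.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_OWNER'
 ORDER BY privilege;

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'APP_OWNER';
```

Run steps 1-3 first against a copy of the production dictionary and keep the listing: it documents exactly what the vendor's installer granted, which is what you will be asked for when the "withdraw support" conversation starts. Step 4 is the same shape as Frank's html_dev grants; extend the GRANT list only with privileges the application demonstrably fails without, and remember Frank's own caveat about revoking what is no longer needed.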

