Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> RE: OEM permissions
Dennis,
I think you are probably ok with this. But the best way to do this is to create an Oracle account, grant what he asks, and start OEM using that account. Try and change things and see what happens. Then you will know for sure what the impact is.
Good Luck!
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
Sent: Thursday, December 18, 2003 10:35 AM
To: Multiple recipients of list ORACLE-L
Raj - Thanks for your reply. Were this a consultant, my reply would mirror yours, and maybe not so diplomatically.
But basically I manage these databases on behalf of this manager, so when he asks for "read-only" access, I can't really refuse. And I think he is pretty competent as a DBA. He says that he prefers to use OEM instead of Toad.
What I'm really asking is what could these grants be used for besides just reading data? If there are other actions that could be done, I could at least ask him not to perform those actions, so if something bad happens I have provided an alert ahead of time.
For those who use OEM in your environment, does the SELECT_CATALOG_ROLE and SELECT ANY DICTIONARY privileges sound pretty usual for OEM to be able to scout out the info it needs to paint the pretty displays?
Yes, I am checking out how this exposes links and what is available on the other systems the links point to. I have also asked his group not to create any database links. Fortunately we have relatively few links.
Again, thanks for your advice.
Dennis Williams
DBA
Lifetouch, Inc.
dwilliams_at_lifetouch.com
-----Original Message-----
Sent: Thursday, December 18, 2003 7:54 AM
To: Multiple recipients of list ORACLE-L
Dennis,
"select any table" has to be a big no no ... anyone can select from sys.link$. But I am still trying how OEM can be used for _development_?? what am I missing? As for
One of our groups hired a new consultant and he (claimed to have DBA background) immediately shot off an email saying he needed "select any table" and "select catalog role" to do his work. We shot off reply "Thanks for your email, while we appreciate your requirements for development, the privileges you are requesting are a tad different than we grant other developers. However we request that you submit a justification for these privileges and tell us how your development would be affected without these and we will accommodate your request". This was 3 months ago and we _still_ haven't heard back.
Raj
-----Original Message-----
Sent: Thursday, December 18, 2003 8:24 AM
To: Multiple recipients of list ORACLE-L
We have a new manager that wants his group to use OEM for development access, as an alternative to Toad. He has requested a special Oracle userid with the following grants:
SELECT_CATALOG_ROLE SELECT ANY DICTIONARY SELECT ANY TABLE
Does this seem reasonable for OEM? The manager is responsible for the data in the database, so I don't see a problem with him viewing the data. There are few database links, and I'll be reviewing them. Any ideas on what mischief could occur? Thanks.
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Thu Dec 18 2003 - 10:14:26 CST