RE: OEM permissions

From: <jo_holvoet_at_amis.com>
Date: Fri, 19 Dec 2003 01:54:25 -0800
Message-ID: <F001.005DA564.20031219015425@fatcity.com>

I believe a role 'OEM_MONITOR' is created in 9i when you create a DB; pre-9i you can create it yourself (via catsnmp.sql or something like that) and you can use that instead of granting specific other privileges. Oracle claims that it contains a minimum set of privileges for OEM use, but maybe you can trim it down further for your specific needs. There are several notes on MetaLink about this; e.g. 216731.1.

mvg/regards

DENNIS WILLIAMS <DWILLIAMS_at_lifetouch.com> Sent by: ml-errors_at_fatcity.com
12/18/2003 16:34
Please respond to ORACLE-L

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        RE: OEM permissions

Raj - Thanks for your reply. Were this a consultant, my reply would mirror yours, and maybe not so diplomatically.

But basically I manage these databases on behalf of this manager, so when
he asks for "read-only" access, I can't really refuse. And I think he is pretty competent as a DBA. He says that he prefers to use OEM instead of Toad.

What I'm really asking is what could these grants be used for besides just reading data? If there are other actions that could be done, I could at
least ask him not to perform those actions, so if something bad happens I have provided an alert ahead of time.

For those who use OEM in your environment, does the SELECT_CATALOG_ROLE and SELECT ANY DICTIONARY privileges sound pretty usual for OEM to be able to scout out the info it needs to paint the pretty displays?

Yes, I am checking out how this exposes links and what is available on the other systems the links point to. I have also asked his group not to create any database links. Fortunately we have relatively few links.

Again, thanks for your advice.

Dennis Williams
DBA
Lifetouch, Inc.
dwilliams_at_lifetouch.com

-----Original Message-----
Sent: Thursday, December 18, 2003 7:54 AM To: Multiple recipients of list ORACLE-L

Dennis,

"select any table" has to be a big no no ... anyone can select from sys.link$. But I am still trying how OEM can be used for _development_?? what am I missing? As for

One of our groups hired a new consultant and he (claimed to have DBA background) immediately shot off an email saying he needed "select any table" and "select catalog role" to do his work. We shot off reply "Thanks for your email, while we appreciate your requirements for development, the privileges you are requesting are a tad different than we grant other developers. However we request that you submit a justification for these privileges and tell us how your development would be affected without these
and we will accommodate your request". This was 3 months ago and we _still_
haven't heard back.

Raj

Rajendra dot Jamadagni at nospamespn dot com All Views expressed in this email are strictly personal. QOTD: Any clod can have facts, having an opinion is an art !

-----Original Message-----
Sent: Thursday, December 18, 2003 8:24 AM To: Multiple recipients of list ORACLE-L

We have a new manager that wants his group to use OEM for development access, as an alternative to Toad. He has requested a special Oracle userid
with the following grants:

     SELECT_CATALOG_ROLE
     SELECT ANY DICTIONARY
     SELECT ANY TABLE

Does this seem reasonable for OEM? The manager is responsible for the data in the database, so I don't see a problem with him viewing the data. There are few database links, and I'll be reviewing them. Any ideas on what mischief could occur? Thanks.

This e-mail message is confidential, intended only for the named recipient(s) above and may contain information that is privileged, attorney
work product or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify corporate MIS at (860) 766-2000 and delete this e-mail message from your computer, Thank you.

**********5
--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: Jamadagni, Rajendra
INET: Rajendra.Jamadagni_at_espn.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: DENNIS WILLIAMS
INET: DWILLIAMS_at_LIFETOUCH.COM

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------

--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author:
INET: jo_holvoet_at_amis.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------