Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: OEM permissions

RE: OEM permissions

From: <Stephen.Lee_at_DTAG.Com>
Date: Fri, 19 Dec 2003 10:49:25 -0800
Message-ID: <F001.005DA72F.20031219104925@fatcity.com> 






Maybe I'm a being a bit touchy here; but it seems that my comments about
having access to dba_users went completely unnoticed.  Let's put it this
way: There is NO WAY you can prevent somebody from setting up their own
private oracle instance.  It they have access to dba_users in your database,
they can create the SAME users with the SAME passwords in their private
database.  And they can create database links in their private database.



Now, is this a problem?



> -----Original Message-----

> From: Michael Thomas [mailto:mhthomas_at_yahoo.com]

> Sent: Friday, December 19, 2003 12:34 PM

> To: Multiple recipients of list ORACLE-L

> Subject: RE: OEM permissions

> 

> 

> A possibly related question:

> I'm curious if everyone allows your developers to see

> V$SQL... views?  If not, then ... whatever ... no

> comment.

> 

> I'm disappointed with some perspectives in these

> threads regarding developers. Rather than close doors,

> why not use 'development' instances, and role based

> privs on the 'production' instance and grant the

> access required to the developers. E.g. Help them

> determine which Data Dictionary tables support their

> development?

> 

> Good luck.

> 

> --- Yong Huang <yong321_at_yahoo.com> wrote:

> > Hi, Raj,

> > 

> > 9i doesn't allow a user with select any table

> > privilege to view any object

> > owned by SYS. So the sys.link$ risk is gone. But

> > select any dictionary, a new

> > privilege in 9i, allows that. In practice, I always

> > grant select_catalog_role

> > to any developer, but refrain from granting select

> > any dictionary or select any

> > table. As DBAs, we should encourage developers to

> > make full use of data

> > dictionary views and open the database to them as

> > much as they can study it. I

> > would help the consultant in your case instead of

> > just throw back a "NO" to

> > him.

> > 

> > Yong Huang

> > 

> > Jamadagni, Rajendra wrote:

> > 

> > Dennis,

> > 

> > "select any table" has to be a big no no ... anyone

> > can select from sys.link$.

> > But I am still trying how OEM can be used for

> > _development_?? what am I

> > missing? As for ...

> > One of our groups hired a new consultant and he

> > (claimed to have DBA

> > background) immediately shot off an email saying he

> > needed "select any table"

> > and "select catalog role" to do his work. We shot

> > off reply "Thanks for your

> > email, while we appreciate your requirements for

> > development, the privileges

> > you are requesting are a tad different than we grant

> > other developers. However

> > we request that you submit a justification for these

> > privileges and tell us how

> > your development would be affected without these and

> > we will accommodate your

> > request". This was 3 months ago and we _still_

> > haven't heard back.

> > 

> > __________________________________

> > Do you Yahoo!?

> > New Yahoo! Photos - easier uploading and sharing.

> > http://photos.yahoo.com/

> > -- 

> > Please see the official ORACLE-L FAQ:

> > http://www.orafaq.net

> > -- 

> > Author: Yong Huang

> >   INET: yong321_at_yahoo.com

> > 

> > Fat City Network Services    -- 858-538-5051

> > http://www.fatcity.com

> > San Diego, California        -- Mailing list and web

> > hosting services

> >

> ---------------------------------------------------------------------

> > To REMOVE yourself from this mailing list, send an

> > E-Mail message

> > to: ListGuru_at_fatcity.com (note EXACT spelling of

> > 'ListGuru') and in

> > the message BODY, include a line containing: UNSUB

> > ORACLE-L


> > (or the name of mailing list you want to be removed

> > from).  You may

> > also send the HELP command for other information

> > (like subscribing).

> 

> 

> __________________________________

> Do you Yahoo!?

> Protect your identity with Yahoo! Mail AddressGuard

> http://antispam.yahoo.com/whatsnewfree

> -- 

> Please see the official ORACLE-L FAQ: http://www.orafaq.net

> -- 

> Author: Michael Thomas

>   INET: mhthomas_at_yahoo.com

> 

> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com

> San Diego, California        -- Mailing list and web hosting services

> ---------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

> 


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: <Stephen.Lee_at_DTAG.Com
  INET: Stephen.Lee_at_DTAG.Com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Fri Dec 19 2003 - 12:49:25 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US