| SELECT_CATALOG_ROLE [message #361493] |
Wed, 26 November 2008 11:30  |
shaseeb
Messages: 113
Registered: April 2007
Location: Madison, WI
|
Senior Member |
|
|
Hi all,
Just wanted some advice about granting developers the SELECT_CATALOG_ROLE. From what I've read and researched it seems like it is not a good idea as it gives them access to SYS schema objects. However, I cannot see any other way around it because my developers need to do schema comparisons from time to time. Even if I were to grant them, say, the SELECT ANY TABLE privilege then they cannot view packages and procedures...they can simply view tables and views. Any suggestions?
Thanks.
|
|
|
|
|
|
|
|
| Re: SELECT_CATALOG_ROLE [message #362702 is a reply to message #361623] |
Wed, 03 December 2008 16:03  |
andrew again
Messages: 2577
Registered: March 2000
|
Senior Member |
|
|
I've worked in orgs where access is open unless there's a good reason not to, as well as orgs where you could no access without approval. The latter often stops developers from adding value where they sometimes can. Most of us have seen apps that mysteriously slow down, only to find out that some index was accidentally dropped or whatever. Having excessive access can also allow damage to be done like cartesian join runaway queries, access to sensitive data, DB link passwds or whatever.
A good solution is to create a clone of select_catalog_role, and remove anything of concern. Grant that custom role to users.
Search Metalink for SELECT_CATALOG_ROLE vulnerabilities
|
|
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
