Message-Id: <10508.106676@fatcity.com>
From: Bruce Page
Date: Thu, 25 May 2000 09:03:56 -0500
Subject: Oracle and Security

We have a security group that has been given the responsibility to create and drop user ids. The deal was that they created the user ids and then it was up to the business units to grant the privileges to the user ids. All the security group did was create and drop.

We granted their desire by creating a role for them and granting them the limited security access they needed to get their job done. The security role here is not much more than an administrator position. Their management has said that they do not have to know the technologies; all they have to do is security for them. The business unit I work for has a high regard for security and does not want to give people accesses that are beyond their ability. Since security does not want to know Oracle, it was decided that they should not have access to root or oracle at the Unix level and should not have access to sys, system, or DBA in Oracle.

Now the security group is wanting the ability to remove all roles and privileges that would allow someone access to the database. So, that would mean that they now want the ability to revoke the DBA role. The only way, at least in 7.3.4, that someone can revoke or grant DBA is if the user id doing the granting or revoking has DBA.

I am considering writing a procedure that would be owned by system that would revoke DBA from a user id and then grant execute on it to the security role. Has anyone tried this? Anyone see any problems with this approach?
Bruce Page
Oracle DBA
Kimball International
Jasper, IN 47549
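A sketch of the SYSTEM-owned revoke procedure the post describes, as an added example and not Bruce's code. It assumes Oracle 7.3.4 (hence DBMS_SQL rather than EXECUTE IMMEDIATE), a hypothetical security role named SECADMIN and a hypothetical audit table PRIV_REVOKE_LOG; the one caveat worth knowing up front is that roles are disabled inside a definer's-rights procedure, so SYSTEM must hold GRANT ANY ROLE as a direct grant, not through the DBA role.

```sql
-- Added example (not from the original post). Assumes Oracle 7.3.4,
-- run as SYSTEM. Role SECADMIN and table PRIV_REVOKE_LOG are hypothetical.
-- Roles are not enabled inside a definer's-rights procedure, so SYSTEM
-- needs the privilege directly:   (as SYS) GRANT GRANT ANY ROLE TO SYSTEM;
CREATE TABLE priv_revoke_log (
  revoked_at  DATE,
  caller      VARCHAR2(30),
  target_user VARCHAR2(30)
);

CREATE OR REPLACE PROCEDURE revoke_dba (p_user IN VARCHAR2) AS
  v_user   VARCHAR2(30) := UPPER(p_user);
  v_exists NUMBER;
  v_cur    INTEGER;
  v_rc     INTEGER;
BEGIN
  -- Never let the security role lock the DBAs out of their own database.
  IF v_user IN ('SYS', 'SYSTEM') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Refusing to revoke DBA from ' || v_user);
  END IF;
  -- Accept only an account that exists (ALL_USERS is visible to PUBLIC, so no
  -- role is needed); this also guarantees the string concatenated into the
  -- REVOKE below is a real username rather than arbitrary SQL.
  SELECT COUNT(*) INTO v_exists FROM all_users WHERE username = v_user;
  IF v_exists = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'No such user: ' || v_user);
  END IF;
  -- Record who revoked what before doing it (USER is the calling session).
  INSERT INTO priv_revoke_log VALUES (SYSDATE, USER, v_user);
  -- The statement text is fixed: only the validated, double-quoted name varies.
  v_cur := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(v_cur, 'REVOKE DBA FROM "' || v_user || '"', DBMS_SQL.V7);
  v_rc := DBMS_SQL.EXECUTE(v_cur);
  DBMS_SQL.CLOSE_CURSOR(v_cur);
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    IF DBMS_SQL.IS_OPEN(v_cur) THEN
      DBMS_SQL.CLOSE_CURSOR(v_cur);
    END IF;
    RAISE;
END revoke_dba;
/

-- The security role gets exactly this one entry point and nothing else.
GRANT EXECUTE ON revoke_dba TO secadmin;
```

Because the procedure can only ever issue `REVOKE DBA FROM <existing user>`, the security role gains no way to grant anything or to touch SYS and SYSTEM, which is the boundary the post is trying to keep.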