Re: authid definer
Mark,
If I understand this message, you believe that the users of the procedures need direct table grants to use the packages.
If so, that is incorrect. Only the owner of the procedures needs the direct grants. The users of the procedures only need execute privileges on the procedures.
A good security option for systems making heavy use of PL/SQL requires three schemas.
One for the table owner.
One for the code owner.
One for users.
Table owner grants direct privs on objects to code owner.
Code owner grants execute privs to user(s).
User(s) have no table privileges in a system that is completely API based, or have table privileges only on needed objects, and that through a role.
Tom Cox wrote a paper on this:
http://www.geocities.com/tbcox23/three_schema_security.doc
Jared
On Thursday 28 June 2001 04:04, Mark Teehan wrote:
> One of our app development teams started out with lots of pl/sql and
> role based security, and found that roles are useless because you have to
> grant the table level privs anyway to get the procedures to work.
>
> We are considering switching to Authid Definer for several reasons:
> - Roles need only contain execute privs for the procedures (no table
> level grants required)
> - private synonyms not needed anymore (all objects are resolved in the
> definers schema)
> - No need for table level GRANTs any more (because all procedures/funcs
> run as the table/proc owner)
> Sounds too good to be true. Any gotchas to switching to authid Definer?
> Is this the preferred direction for app development, rather than the
> role/table grants nightmare?
>
> Rgds
> Mark Teehan
> Singapore
>
-- Author: Jared Still INET: jkstill_at_cybcon.com
Received on Fri Jun 29 2001 - 09:19:26 CDT
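A worked version of the three-schema layout described above, as an added example that is not part of the original thread: the schema names app_data, app_code and app_user, the role app_api_role and the accounts table are assumptions. Run the CREATE USER and GRANT statements as a DBA, then connect as each owner to create its own objects; AUTHID DEFINER is spelled out here even though it is the default for PL/SQL units.

```sql
-- Three-schema layout: table owner -> code owner -> end user (assumed names).

-- 1. Table owner: holds the data and is the only schema with direct table privileges.
CREATE USER app_data IDENTIFIED BY "<table-owner-password>";
GRANT CREATE SESSION, CREATE TABLE TO app_data;
ALTER USER app_data QUOTA UNLIMITED ON users;

-- 2. Code owner: holds the PL/SQL and receives DIRECT grants from the table owner.
CREATE USER app_code IDENTIFIED BY "<code-owner-password>";
GRANT CREATE SESSION, CREATE PROCEDURE TO app_code;

-- 3. End user: gets EXECUTE on the API through a role, and nothing else.
CREATE USER app_user IDENTIFIED BY "<user-password>";
GRANT CREATE SESSION TO app_user;
CREATE ROLE app_api_role;

-- Connected as APP_DATA: create the table and grant it directly to the code owner.
-- A grant through a role would not do here: roles are disabled inside
-- definer's-rights PL/SQL, so the package below would not compile against it.
CREATE TABLE accounts (id NUMBER PRIMARY KEY, balance NUMBER NOT NULL);
INSERT INTO accounts (id, balance) VALUES (1, 100);   -- constructed sample row
COMMIT;
GRANT SELECT, UPDATE ON accounts TO app_code;

-- Connected as APP_CODE: the API runs with the code owner's privileges.
CREATE OR REPLACE PACKAGE account_api AUTHID DEFINER AS
  FUNCTION get_balance(p_id IN NUMBER) RETURN NUMBER;
END account_api;
/
CREATE OR REPLACE PACKAGE BODY account_api AS
  FUNCTION get_balance(p_id IN NUMBER) RETURN NUMBER IS
    l_balance NUMBER;
  BEGIN
    SELECT balance INTO l_balance FROM app_data.accounts WHERE id = p_id;
    RETURN l_balance;
  END get_balance;
END account_api;
/
-- EXECUTE goes to the role, the role goes to the user; no table grants to the user.
GRANT EXECUTE ON account_api TO app_api_role;
GRANT app_api_role TO app_user;

-- Connected as APP_USER: the API call works, direct table access does not.
SELECT app_code.account_api.get_balance(1) FROM dual;   -- returns 100
SELECT * FROM app_data.accounts;                        -- ORA-00942: no direct privilege
```

If the package is later changed to AUTHID CURRENT_USER, the SELECT inside it runs with the caller's privileges instead, and app_user would again need a direct grant on the table, which is exactly the situation the three-schema model avoids.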