RE: Revoke Delete

From: Jack C. Applewhite <japplewhite_at_inetprofit.com>
Date: Tue, 27 Nov 2001 15:22:36 -0800
Message-ID: <F001.003CE42F.20011127145518@fatcity.com>

Actually, you can. Use FGAC (Fine-Grained Access Control) and you can put a Policy in place on a table that even the table owner can't bypass - even System can't bypass. Only Sys can bypass FGAC policies - and the owner of the security schema in which you place the Policy functions.

I've used FGAC and Application Context successfully to enforce complex security, but the more I think about it, you could really do some fiendish tricks with it - if you were the fiendish kind. ;-)

Jack

---

Jack C. Applewhite
Database Administrator/Developer
OCP Oracle8 DBA
iNetProfit, Inc.
Austin, Texas
www.iNetProfit.com
japplewhite_at_inetprofit.com
(512)327-9068

-----Original Message-----
Baumgartel
Sent: Tuesday, November 27, 2001 3:55 PM To: Multiple recipients of list ORACLE-L

You can't revoke the ability to delete from the schema owner. You could revoke CREATE SESSION from the schema owner, but that doesn't solve the problem of DBA-privileged accounts being able to delete.

I'm guessing that this is a perfect opportunity to use an "INSTEAD OF" trigger.

• Aldi Barco <ipal_at_hotmail.com> wrote:
  > Hi Listers,
  >
  > How can we revoke 'delete privilege' from the schema owner of the
  > table and
  > also from DBA ?
  > If it is not possible, can we set through trigger ?
  > Thanks.
  >
  > Aldi
  >
  > _________________________________________________________________
  > Get your FREE download of MSN Explorer at
  > http://explorer.msn.com/intl.asp
  >
  > --
  > Please see the official ORACLE-L FAQ: http://www.orafaq.com
  > --
  > Author: Aldi Barco
  > INET: ipal_at_hotmail.com
  >
  > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
  > San Diego, California -- Public Internet access / Mailing
  > Lists
  > --------------------------------------------------------------------
  > To REMOVE yourself from this mailing list, send an E-Mail message
  > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
  > the message BODY, include a line containing: UNSUB ORACLE-L
  > (or the name of mailing list you want to be removed from). You may
  > also send the HELP command for other information (like subscribing).
  

  ---

Do You Yahoo!?
Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Paul Baumgartel
  INET: treegarden_at_yahoo.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jack C. Applewhite
  INET: japplewhite_at_inetprofit.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Received on Tue Nov 27 2001 - 17:22:36 CST