We use a fairly boring - but effective - combination of app_supp and
dba_supp roles and user based profiles (that are likewise generic). The
profiles limit the standard things like idle time, lios, cpu usage and
what not. Took a wee bit of effort to get them right (the settings that
is) - but they do work. We've also provided the Ops dbas a simple API
to set tracing for a support session upon login (just sets a 10046 trace
to capture SQL). Nothing fancy, but helped in jumping a couple of
security hurdles.
HTH
>
>
> > Tanel Poder <tanel.poder.003_at_mail.ee> wrote:
> >
> > Well someone malicious could cause some library cache latch contention
>
> > by
> > running PL/SQL or nested loop joins against unindexed columns of V$SQL
>
> > or
> > V$SQL_SHARED_MEMORY.
> >
> > So you'd need to:
> >
> > 1) work out which views would actually be needed for production
> support
> > 2) distinguish which views are dangerous and which are not and create
> > the
> > roles based on that
> > 3) give respective roles to the users based on how much you trust them
>
> > ;)
> >
> > Tanel.
> >
--
http://www.freelists.org/webpage/oracle-l
Received on Sun Sep 03 2006 - 22:46:36 CDT
