RE: auto grant select

From: Baumgartel, Paul <paul.baumgartel_at_credit-suisse.com>
Date: Wed, 29 Nov 2006 20:47:31 -0000
Message-ID: <D97D1FAE0521BD44820B920EDAB3BBAC1663B92F@ENYC11P32005.corpny.csfb.com>

I'm surprised to hear an experienced DBA say this.

Here are a couple of (OK, three) good reasons:

--The principle of least privilege says "grant only what is necessary to get the job done".
--In many shops, there are security standards that forbid granting "select any table" to non-DBA accounts, and doing so raises a violation (this is the case where I work, for example).
--Everyone who has access to the u2 account may not be authorized to see all data in the database.

Paul Baumgartel
CREDIT SUISSE
Information Technology
DBA & Admin - NY, KIGA 1
11 Madison Avenue
New York, NY 10010
USA
Phone 212.538.1143
paul.baumgartel_at_credit-suisse.com
www.credit-suisse.com

-----Original Message-----

From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org]On Behalf Of bill thater Sent: Wednesday, November 29, 2006 3:37 PM To: kevin.lidh_at_gmail.com
Cc: toth.istvan_at_gmx.net; oracle-l_at_freelists.org Subject: Re: auto grant select

am i missing something here? why can't you just grant slect any table to u2?

--
--

Bill "Shrek" Thater     ORACLE DBA
       shrekdba_at_gmail.com


------------------------------------------------------------------------

All the girls say
Save a horse, ride a cowboy
--

http://www.freelists.org/webpage/oracle-l

---

Please access the attached hyperlink for an important electronic communications disclaimer:

http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html

---

--

http://www.freelists.org/webpage/oracle-l Received on Wed Nov 29 2006 - 14:47:31 CST