Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Does Oracle Have Anything Similar to SqlServer "Deny" Attribute?

Re: Does Oracle Have Anything Similar to SqlServer "Deny" Attribute?

From: Jared Still <jkstill_at_gmail.com>
Date: Thu, 19 Apr 2007 09:59:36 -0700
Message-ID: <bf46380704190959h28b5a2f3r2f8b82dd92624a0e@mail.gmail.com> 





On 4/19/07, Sam Bootsma <sbootsma_at_georgebrown.ca> wrote:


>

>  I have recently read the paper "Microsoft SQL Server 2005 for the Oracle

> Professional", and on page 16 of this document it says that "Deny places an

> explicit blocker on a securable … and always takes precedence over all other

> permissions".  A securable can be a table.  Currently our Developers have

> "select any table" privilege, but I have recently been asked to remove

> access from payroll tables.  I can do this via roles, but in our

> environment, there remain lots of ramifications to this.  If there was

> something comparable to the "Deny" that Sql Server has, it would greatly

> simply this task.

>




The fact that I am not aware of anything like that in Oracle, doesn't
mean it doesn't exist. There have been a lot of new security features
in Oracle that I haven't explored, but I don't believe there is an explicit
DDL for this.



More to the point, the DENY thing in SQL Server sounds like a
workaround to me.  It's the whitelist vs. blacklist approach to
security, and the DENY is a workaround for the blacklist.
(give all privileges and deny the ones folks should not have)



A whitelist is much more secure.  It is also more work.


-- 
Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l


Received on Thu Apr 19 2007 - 11:59:36 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US