Re: Removing ALL_ views from users
Date: Tue, 31 Mar 2009 12:10:25 -0400
Message-ID: <OF415ADD34.047890BA-ON8525758A.0058A096-8525758A.0058D85C_at_lazard.com>
I had a similar request from auditors. I lost half the battle. Instead of dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When developers complained, I asked them to get approval from auditors...never heard back.
Thanks
Mayen
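The "revoke from PUBLIC, re-grant on request" approach Mayen describes, applied to ALL_USERS as an added example (not code from anyone in the thread). It assumes a DBA session in SQL*Plus; the role name app_catalog_role and the account some_developer are placeholders.

```sql
-- Added example, not from the thread: Mayen's approach applied to ALL_USERS.
-- Run as a DBA. app_catalog_role and some_developer are assumed names.

-- 1. Confirm what the auditors are objecting to: ALL_USERS is a SYS-owned
--    view reached through a PUBLIC synonym plus a SELECT grant to PUBLIC.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'ALL_USERS';

SELECT owner, synonym_name, table_owner, table_name
  FROM dba_synonyms
 WHERE synonym_name = 'ALL_USERS';

-- 2. Revoke the blanket grant rather than dropping the view. The view and
--    the public synonym stay in place; only the PUBLIC SELECT goes away,
--    so SYS-owned code that reads the view is unaffected.
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 3. Re-grant through a role to accounts with a documented need (the
--    developers who come back with auditor approval).
CREATE ROLE app_catalog_role;
GRANT SELECT ON sys.all_users TO app_catalog_role;
GRANT app_catalog_role TO some_developer;   -- placeholder account

-- 4. Verify the change from an ordinary session without the role.
--    The synonym still resolves, but without SELECT on the underlying
--    view Oracle reports ORA-00942 instead of returning the user list:
--    SQL> SELECT username FROM all_users;
--    ORA-00942: table or view does not exist
```

One caveat before rolling this out: privileges received through a role are not visible inside definer's-rights PL/SQL, so an application package that queries ALL_USERS needs a direct grant to its owner. Check DBA_DEPENDENCIES for objects referencing ALL_USERS before the revoke so nothing compiled against it becomes invalid by surprise.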
"Dennis Williams" <oracledba.williams_at_gmail.com>
Sent by: oracle-l-bounce_at_freelists.org
Mar 31 2009 12:03 PM
Please respond to: oracledba.williams_at_gmail.com
To: "Andrew Kerber" <andrew.kerber_at_gmail.com>
cc: "oracle-l_at_freelists.org" <oracle-l_at_freelists.org>
Subject: Re: Removing ALL_ views from users
Thanks Andrew,
That was pretty much my first response. Unfortunately this has gone further than that. What I'm asking is:
Has anyone removed access to any of the ALL_ views?
I'm guessing that since the views are PUBLIC, that would need to be revoked first.
Thanks,
Dennis
On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber_at_gmail.com> wrote:
You are talking to an ignorant auditor who thinks the all views show
everything in the database. If he seriously thinks that knowing other
usernames is a security risk, go ahead and revoke that one, then explain
to him that the all* views actually just show objects that each user has
access to, not everything in the database. I ran into this before, and
the problem was the guy was trained in accounting, not Oracle.
On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <oracledba.williams_at_gmail.com> wrote:
List,
Some security auditors are stating that the ALL_ views are a security risk and are recommending that I revoke them. In particular, they are pointing to ALL_USERS as offering a hacker useful information. My guess is that the ALL_ views are granted to PUBLIC. Has anyone had this requirement? Has anyone successfully revoked this access?
Dennis
-- Andrew W. Kerber
'If at first you don't succeed, don't take up skydiving.'
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Mar 31 2009 - 11:10:25 CDT