Re: CREATE DATABASE LINK privilege discussion

From: Subodh Deshpande <deshpande.subodh_at_gmail.com>
Date: Tue, 1 Nov 2011 00:10:38 +0530
Message-ID: <CAJsOtB5=nGX1ezf44v0g5XCtacP0_6VQ2bqCcX4-_hRDTV=_gQ_at_mail.gmail.com>



hello Chiris,
developer should not be given unnecessary access, privileges..referring production objects from development boxes and vice versa is bad practice..if tomorrow such referred object is changed/dropped your code or application will be failed..or if user access privs are changed it will create problems.avoid such things..

why the developer wants access to production, when development is going on..this comes to my mind...
you should, give production data copy so that code on development can be tested..and this is sufficient..
if the testcases are in place you do not require such privilege..you require data to test..

if at all he/she is extremely pushy/touchy (do not know.whether bulley a proper word..) give only select access on all the objects related to production
if you have toad or some tool, give only create database link privilege to a user and check, it gives other sensitive access, privileges to the users..show it to your manager and ask him/her who is going to take the responsibility of production data..

dba has to take some harsh descision and yes he suddenly become a guy who is hard to work with..ignore it..stick to it..if it is required.. thanks and take care..subodh

On 29 October 2011 20:50, Taylor, Chris David < ChrisDavid.Taylor_at_ingrambarge.com> wrote:

> I am curious how many of you grant your developers the 'CREATE DATABASE
> LINK' privilege in 10g or higher?
> We have a production read-only account that is setup to provide support
> for troubleshooting production support issues and one of my developers (out
> of approximately 20 devs) created a database link from a development
> database to production for his application.
>
> Now, this is fast becoming an issue and he keeps complaining that he needs
> that privilege and that he should be able to create as many database links
> as he wants - wherever he wants (for those environments he has access to
> including the production support ID).
>
> We (as an organization) have been sloppy in the past in granting 'CREATE
> DATABASE LINK' but thankfully we have developers who normally understand
> that you shouldn't use it to create links to a production support id for
> app dev.
>
> So how do you handle it? Is there a good document on what privs app devs
> should 'typically' have? A good industry standards doc or some such?
>
> Thanks,
>
> Chris Taylor
> Sr. Oracle DBA
> Ingram Barge Company
> Nashville, TN 37205
>
> "Quality is never an accident; it is always the result of intelligent
> effort."
> -- John Ruskin (English Writer 1819-1900)
>
> CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
> and may also be privileged. If you are not the named recipient, please
> notify the sender immediately and delete the contents of this message
> without disclosing the contents to anyone, using them for any purpose, or
> storing or copying the information on any medium.
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
=============================================
TRUTH WINS AT LAST, DO NOT FORGET TO SMILE TODAY
=============================================


--
http://www.freelists.org/webpage/oracle-l
Received on Mon Oct 31 2011 - 13:40:38 CDT

Original text of this message