RE: Default user permissions
Date: Tue, 8 Nov 2011 12:32:46 -0600
Message-ID: <FD98CB0EE75EEA438CAF4DA2E6071C420EAD4F8EA9_at_MAIL.solutionary.com>
Correct. I was a bit sloppy and should have omitted the second sentence.
Don Granaman | Phone: 402-361-3073 | Cell: 402-960-6955 | Fax: 402-361-3173 | Solutionary | Relevant . Intelligent . Security
-----Original Message-----
From: Pete Finnigan [mailto:pete_at_petefinnigan.com]
Sent: Tuesday, November 08, 2011 12:08 PM
To: Don Granaman
Cc: Leo.Drobnis_at_dealertrack.com; Stephane Faroult; ORACLE-L
Subject: Re: Default user permissions
But Don, as you can see in my post, the ability to drop is not connected to the ability to create. I created a table in my test schema as SYSTEM but I could drop it as my user; it's a subtle difference, as there is no record that SYSTEM created it other than mining or audit if enabled, but it's still a difference.
cheers
Pete
Don Granaman wrote:
> Yes. If he can create them, he can drop them. There is no simple declarative way to restrict a user's privilege on his own objects.
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Leo Drobnis
> Sent: Tuesday, November 08, 2011 10:33 AM
> To: Stephane Faroult
> Cc: ORACLE-L
> Subject: RE: Default user permissions
>
> No difference.
>
>
> On the other hand, can a user drop tables in his own schema without the
> drop table privilege?
>
>
>
> ________________________________
>
> From: Stephane Faroult [mailto:sfaroult_at_roughsea.com]
> Sent: Tuesday, November 08, 2011 11:09 AM
> To: Leo Drobnis
> Cc: ORACLE-L
> Subject: Re: Default user permissions
>
>
>
> It comes from role CONNECT, and the reason is compatibility with Oracle
> 5, when CONNECT was a privilege and not a role (roles and privileges
> were introduced with Oracle 6).
> Actually, it comes from the combination of CONNECT (which grants CREATE
> TABLE) with the unlimited quota (which gives the "physical possibility"
> of using the system privilege).
> Grant CREATE SESSION instead of CONNECT. No need for quotas.
>
> Oh, and RESOURCE is even worse ....
>
> HTH
>
--
Pete Finnigan
CEO and Founder, PeteFinnigan.com Limited
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 08 2011 - 12:32:46 CST
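
Added example, not part of the original thread or written by any of its participants: a dictionary query a DBA could run to find accounts in the situation described above, where CREATE TABLE is reachable through a direct grant or through a role such as CONNECT or RESOURCE and the account also has quota to use it. It reads the role contents from DBA_ROLE_PRIVS and DBA_SYS_PRIVS rather than assuming what CONNECT contains, since that differs between Oracle releases; APP_USER in the closing comments is a hypothetical account name.

```sql
-- Added example: accounts that can create tables and have space to put them.
-- Run as a user with SELECT on the DBA_* dictionary views.
WITH grants AS (
    -- One row per "grantee holds X", where X is a role or a system privilege.
    SELECT grantee, granted_role AS granted FROM dba_role_privs
    UNION ALL
    SELECT grantee, privilege    AS granted FROM dba_sys_privs
),
paths AS (
    -- Walk user -> role -> nested role -> privilege, keeping the route taken.
    SELECT CONNECT_BY_ROOT grantee             AS username,
           granted                             AS privilege,
           SYS_CONNECT_BY_PATH(granted, ' > ') AS grant_path
    FROM   grants
    START WITH grantee IN (SELECT username FROM dba_users)
    CONNECT BY PRIOR granted = grantee
)
SELECT p.username,
       p.grant_path,                 -- e.g. " > CONNECT > CREATE TABLE"
       (SELECT COUNT(*)
          FROM dba_ts_quotas q
         WHERE q.username  = p.username
           AND q.max_bytes <> 0)     AS tablespaces_with_quota,  -- -1 means unlimited
       CASE WHEN EXISTS (SELECT 1
                           FROM paths u
                          WHERE u.username  = p.username
                            AND u.privilege = 'UNLIMITED TABLESPACE')
            THEN 'YES' ELSE 'NO'
       END                           AS unlimited_tablespace
FROM   paths p
WHERE  p.privilege = 'CREATE TABLE'
ORDER  BY p.username, p.grant_path;

-- Remediation along the lines suggested in the thread, for a login-only
-- account (APP_USER is a hypothetical name; review each account first):
--   GRANT  CREATE SESSION TO app_user;
--   REVOKE CONNECT FROM app_user;
```

An account listed with a non-zero quota count or with UNLIMITED TABLESPACE can actually create segments; because the owner can always drop objects in its own schema, removing the ability to create them is the control that remains.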