
Re: OK to revoke privileges from SYS or DBA?

From: DA Morgan <damorgan_at_x.washington.edu>
Date: Mon, 06 Dec 2004 08:17:04 -0800
Message-ID: <1102349725.487447@yasure>


Niall Litchfield wrote:

>>If it is good enough for Tom Kyte ... it is good enough for me to
>>reference.  ;-)

>
> Well possibly. Tom doesn't advocate *dropping* any of the roles - he
> advocates not *using* them, on my reading anyway. This is not quite the
> same thing.

I agree. But I have read elsewhere specific advice to drop them as they are a security risk just by existing. Alternatively one can keep the roles but drop those privs from them that are inappropriate.

I disagree that dropping CONNECT and RESOURCE will screw up any aspect of Oracle. But if you insist, certainly one could edit those default roles to remove inappropriate privileges. What end-user, for example, needs the ability to create clusters and database links? And what DBA would want them to if they even knew what they were?

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Mon Dec 06 2004 - 10:17:04 CST
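
The role-trimming option discussed in the message above, as an added example that is not part of the original post: it audits what CONNECT and RESOURCE carry and who holds them, removes the cluster and database-link privileges, and shows a narrower replacement role. The names `app_user_role` and `app_user` are hypothetical, and the REVOKE statements assume the first query actually lists those privileges for the role on your release (revoking a privilege the role does not hold raises an error).

```sql
-- 1. What do the default roles carry on this database?
SELECT role, privilege, admin_option
FROM   role_sys_privs
WHERE  role IN ('CONNECT', 'RESOURCE')
ORDER  BY role, privilege;

-- 2. Who has been granted them (directly, or via another role)?
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 3. Have non-system accounts already used the privileges in question?
SELECT owner, db_link, username, host, created
FROM   dba_db_links
WHERE  owner NOT IN ('SYS', 'SYSTEM', 'PUBLIC');

SELECT owner, cluster_name
FROM   dba_clusters
WHERE  owner NOT IN ('SYS', 'SYSTEM');

-- 4. Option A: keep the roles, remove the inappropriate privileges.
--    Run only the lines whose privilege appeared in query 1.
REVOKE CREATE CLUSTER       FROM connect;
REVOKE CREATE DATABASE LINK FROM connect;
REVOKE CREATE CLUSTER       FROM resource;

-- 5. Option B: stop using the default roles for end users and grant a
--    purpose-built role instead (names below are hypothetical).
CREATE ROLE app_user_role;
GRANT  CREATE SESSION TO app_user_role;
GRANT  app_user_role  TO app_user;
REVOKE connect        FROM app_user;

-- 6. Re-run query 1 and query 2 to confirm the result.
```

Changes made to CONNECT and RESOURCE affect every grantee listed by query 2, so review that list and the objects found by query 3 before revoking.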
