Guest
Guest
We are considering tightening up our OneWorld Xe Oracle database security by
removing table privileges from public and granting the privileges to end
users via a number of roles.
There will be two roles per OneWorld environment, one role with full
privileges on all the environment tables, "<ENV>_FULL_ROLE" and another with
read-only privileges on the environment tables "<ENV>_READONLY_ROLE".
(The latter role will allow additional interfaces to the database external
to OneWorld application).
So we're looking to get a few queries answered:
1. Does anyone know if table privileges are granted to all database user
accounts via the PUBLIC user group only? i.e. table privileges are not
granted to OneWorld end user database accounts via other roles or methods?
2. After revoking table privileges from public and granting them to OneWorld
end user database accounts via environment roles (<ENV>_FULL_ROLE ) do we
also need grant these roles to other OneWorld schema owners such as
"SYS7333", "OBJ7333" etc?
3. Similarly, should each environment have privileges on other environment
tables?
E.g. We granted table privileges on the "TESTDTA" environment to end user
database accounts via a role "TESTDTA_FULL_ROLE". Should this role be
granted to the user "PRODDTA" and other schema owners?
4. Granting table privileges to database user accounts via roles has
limitations. Some privileges cannot be granted via roles. By default, the
following privileges are granted on each table to public; SELECT, INSERT,
UPDATE, DELETE, ALTER, REFERENCES, INDEX.
However the privileges REFERENCES and INDEX cannot be granted on tables to
database user accounts via roles.
Granting these privileges directly to database user accounts is not a
preferable.
Do OneWorld end users really require these two privileges? Is it reasonable
to request that end users requiring these privileges connect as the
environment schema owner (e.g. "TESTDTA") to execute these privileges?
Any tips, pointers on any of the above would be greatly appreciated.
PS: If anyone has a copy of the scripts (below) referred to in the Knowledge
Garden document "Implementing Stricter Oracle Security on a OneWorld
Database" March 2002 I would really appreciate if you would please send them
on to me backchannel
CREATE_NEW_ROLES.BAT
CREATE_NEW_ROLES.SQL
UNDO_ALL_PUBLIC.BAT
UNDO_GRANTS.BAT
UNDO_GRANTS.SQL
OneWorld Xe B7333 SP15.2 - Oracle 8.1.7 - W2K
-------------------------
Seán O' Neill
Organon (Ireland) Ltd.
[subscribed: digest mode]
--------------------------------------------------------------------
This message, including attached files, may contain confidential
information and is intended only for the use by the individual
and/or the entity to which it is addressed. Any unauthorized use,
dissemination of, or copying of the information contained herein is
not allowed and may lead to irreparable harm and damage for which
you may be held liable. If you receive this message in error or if
it is intended for someone else please notify the sender by
returning this e-mail immediately and delete the message.
--------------------------------------------------------------------
removing table privileges from public and granting the privileges to end
users via a number of roles.
There will be two roles per OneWorld environment, one role with full
privileges on all the environment tables, "<ENV>_FULL_ROLE" and another with
read-only privileges on the environment tables "<ENV>_READONLY_ROLE".
(The latter role will allow additional interfaces to the database external
to OneWorld application).
So we're looking to get a few queries answered:
1. Does anyone know if table privileges are granted to all database user
accounts via the PUBLIC user group only? i.e. table privileges are not
granted to OneWorld end user database accounts via other roles or methods?
2. After revoking table privileges from public and granting them to OneWorld
end user database accounts via environment roles (<ENV>_FULL_ROLE ) do we
also need grant these roles to other OneWorld schema owners such as
"SYS7333", "OBJ7333" etc?
3. Similarly, should each environment have privileges on other environment
tables?
E.g. We granted table privileges on the "TESTDTA" environment to end user
database accounts via a role "TESTDTA_FULL_ROLE". Should this role be
granted to the user "PRODDTA" and other schema owners?
4. Granting table privileges to database user accounts via roles has
limitations. Some privileges cannot be granted via roles. By default, the
following privileges are granted on each table to public; SELECT, INSERT,
UPDATE, DELETE, ALTER, REFERENCES, INDEX.
However the privileges REFERENCES and INDEX cannot be granted on tables to
database user accounts via roles.
Granting these privileges directly to database user accounts is not a
preferable.
Do OneWorld end users really require these two privileges? Is it reasonable
to request that end users requiring these privileges connect as the
environment schema owner (e.g. "TESTDTA") to execute these privileges?
Any tips, pointers on any of the above would be greatly appreciated.
PS: If anyone has a copy of the scripts (below) referred to in the Knowledge
Garden document "Implementing Stricter Oracle Security on a OneWorld
Database" March 2002 I would really appreciate if you would please send them
on to me backchannel
CREATE_NEW_ROLES.BAT
CREATE_NEW_ROLES.SQL
UNDO_ALL_PUBLIC.BAT
UNDO_GRANTS.BAT
UNDO_GRANTS.SQL
OneWorld Xe B7333 SP15.2 - Oracle 8.1.7 - W2K
-------------------------
Seán O' Neill
Organon (Ireland) Ltd.
[subscribed: digest mode]
--------------------------------------------------------------------
This message, including attached files, may contain confidential
information and is intended only for the use by the individual
and/or the entity to which it is addressed. Any unauthorized use,
dissemination of, or copying of the information contained herein is
not allowed and may lead to irreparable harm and damage for which
you may be held liable. If you receive this message in error or if
it is intended for someone else please notify the sender by
returning this e-mail immediately and delete the message.
--------------------------------------------------------------------