RE: Authorete

  • From: April Wells <AWells@xxxxxxxxxx>
  • To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 12 Mar 2004 08:14:34 -0600

you have to use the pointy clicky and it has to have xyz privileges and it
looks at abc table and it expects abc  table to be abc instead of
THE$AUTHORETE$AUTH.a and THE$AUTHORETE$AUTH.b  and THE$AUTHORETE$AUTH.c
 
BUT
 
THE$AUTHORETE$AUTH can also DROP its tables and alter its tables (NOT that I
have had anyone log in as an APPS owner and drop a production table and wait
a week to fess up to it ... but.. ya know... ).
 
SO...
 
JOEBLOW userid has to log in and see the USER table and the PRIVILEGE table
and the GRANT table with those <exact> ever so clever names and everyone who
uses the front end has to have the ability to know that userid and
password... but if they know the THE$AUTHORETE$AUTH  userid they can not
only alter data and use the pointy clicky, they can TRASH whatever it owns.
 
This really wasn't that complicated... I know what I need it to do and what
I need it not to be able to do, I just walked into this project in the
middle of the conversation because the person who didn't leave documentation
on anything (ya know... like passwords or what anything is about with the
stupid product) is in MEXICO and they needed to upgrade the objects and they
needed to pipe in SQL Server data, but NEEDED to use the pointy clicky to get
the data in because "I" am not allowed to get any information on the SQL
Server end to be of any assistance and the tech on the phone said just drop
all of the objects and let the pointy clicky do it (so everything that the
Authorete DBA did in the first place ... with no documentation... went bye
bye after all of the underlying objects were dropped... and the JOEBLOW user
could no longer log in because it wanted the USER and the PRIVILEGE table to
be "USER" and "PRIVILEGE" not THE$AUTHORETE$AUTH.USER or
THE$AUTHORETE$AUTH.PRIVILEGE.... 
 
AND, other than creating all the synonyms to the THE$AUTHORETE$AUTH.<TABLE>
under JOEBLOW account... there weren't many other ways I could figure out to
make JOEBLOW see USER as USER instead of THE$AUTHORETE$AUTH.USER...
 
 

April Wells 
Oracle DBA/Oracle Apps DBA 
Corporate Systems 
Amarillo Texas 
 @>-->-->-- 
"Few people really enjoy the simple pleasure of flying a kite" 
Adam Wells age 11 
"Imagination is the highest kite one can fly." 
Lauren Bacall 

-----Original Message-----
From: John Flack [mailto:JohnF@xxxxxxxx]
Sent: Friday, March 12, 2004 7:46 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Authorete


I'm trying to get a handle on exactly what you want the programmers to be
able to do, and what you don't want them able to do.
 
If you are just trying to keep them from doing DDL, then you give them all
their own user accounts, create and grant a "programmer" role with SELECT,
INSERT, UPDATE and DELETE on the tables.  The tables are owned by a separate
application schema to which only you have the password.  It might not even
have the connect privilege.
 
Want to limit the rows on which they may operate too?  Look into Virtual
Private Database.
 
Want to give them limited and highly controlled access to DDL?  Create a DDL
package in the application schema with procedures that do EXECUTE IMMEDIATE
commands for each DDL that you want to allow, then grant the programmer role
EXECUTE on the package.  You can add all kinds of code to control exactly
what they can do, and even have it e-mail you every time they use it, to let
you know what they are up to.
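
The layout John Flack describes above, combined with the private synonyms April mentions, as an added Oracle SQL sketch that is not part of the original thread. APP_OWNER, PROGRAMMER, APP_USER, APP_PRIVILEGE, APP_STAGE and DDL_API are hypothetical names; the JOEBLOW login and the tables are assumed to exist already.

```sql
-- Added example; all object names except JOEBLOW are hypothetical.
-- Run as a DBA. Tables are assumed to exist in APP_OWNER already.

-- 1. Owning schema nobody logs in as: locked, and never granted CREATE SESSION.
CREATE USER app_owner IDENTIFIED BY "placeholder_never_used" ACCOUNT LOCK;

-- 2. DML-only role for the front-end login: no DROP, no ALTER.
CREATE ROLE programmer;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.app_user      TO programmer;
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.app_privilege TO programmer;
GRANT CREATE SESSION TO joeblow;
GRANT programmer     TO joeblow;

-- 3. Private synonyms so the front end's unqualified table names
--    resolve to the owner's tables when connected as JOEBLOW.
CREATE SYNONYM joeblow.app_user      FOR app_owner.app_user;
CREATE SYNONYM joeblow.app_privilege FOR app_owner.app_privilege;

-- 4. Controlled DDL: a definer's-rights package owned by APP_OWNER.
CREATE OR REPLACE PACKAGE app_owner.ddl_api AUTHID DEFINER AS
  PROCEDURE truncate_table(p_table IN VARCHAR2);
END ddl_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.ddl_api AS
  PROCEDURE truncate_table(p_table IN VARCHAR2) IS
    l_name VARCHAR2(128);
  BEGIN
    -- Allow-list check: the name must be an existing table in this schema
    -- (USER_TABLES resolves to APP_OWNER here) and on the permitted list.
    SELECT table_name INTO l_name
      FROM user_tables
     WHERE table_name = UPPER(p_table)
       AND table_name IN ('APP_STAGE');
    EXECUTE IMMEDIATE 'TRUNCATE TABLE '
      || DBMS_ASSERT.ENQUOTE_NAME(l_name, FALSE);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RAISE_APPLICATION_ERROR(-20001, 'Table not allowed: ' || p_table);
  END truncate_table;
END ddl_api;
/
GRANT EXECUTE ON app_owner.ddl_api TO programmer;
```

Because the caller-supplied name is only used to look up a dictionary row, and the statement is built from the dictionary value, nothing the caller types reaches EXECUTE IMMEDIATE directly.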

-----Original Message-----
From: April Wells [mailto:AWells@xxxxxxxxxx]
Sent: Friday, March 12, 2004 7:49 AM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: Authorete


Ya know, I was thinking maybe adopting the idea of medieval times... if you
get caught screwing around with the tables, I cut off your fingers... but
there is this company policy against bodily harm against programmers... the
SPCA comes around and fines you for hurting dumb animals... 
 
This was safer.  
 
 
 

April Wells 
Oracle DBA/Oracle Apps DBA 
Corporate Systems 
Amarillo Texas 
 @>-->-->-- 
"Few people really enjoy the simple pleasure of flying a kite" 
Adam Wells age 11 
"Imagination is the highest kite one can fly." 
Lauren Bacall 

-----Original Message-----
From: Goulet, Dick [mailto:DGoulet@xxxxxxxx]
Sent: Thursday, March 11, 2004 3:26 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Authorete


Shackles work very well in that case.  Possibly you could borrow a few pairs
of handcuffs from the local police department!!  *-)
 

Dick Goulet
Senior Oracle DBA
Oracle Certified 8i DBA 

-----Original Message-----
From: April Wells [mailto:AWells@xxxxxxxxxx]
Sent: Thursday, March 11, 2004 3:08 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Authorete


no, I don't think that will give me what I'm really after... 
 
The idea is to tie the hands of the programmers to such an extent that I
KNOW what they can and can not do... and how bad they can put me in a bind.
 



The information contained in this communication, including attachments, is 
strictly confidential and for the intended use of the addressee only; it may 
also contain proprietary, price sensitive, or legally privileged information. 
Notice is hereby given that any disclosure, distribution, dissemination, use, 
or copying of the information by anyone other than the intended recipient is 
strictly prohibited and may be illegal. If you have received this communication 
in error, please notify the sender immediately by reply e-mail, delete this 
communication, and destroy all copies.

Corporate Systems, Inc. has taken reasonable precautions to ensure that any 
attachment to this e-mail has been swept for viruses. We specifically disclaim 
all liability and will accept no responsibility for damage sustained as a 
result of software viruses and advise you to carry out your own virus checks 
before opening any attachment.
