RE: CREATE DATABASE LINK privilege discussion

From: "Storey, Robert (DCSO)" <RStorey@xxxxxxxxxxxxxxxxxx>
To: <ChrisDavid.Taylor@xxxxxxxxxxxxxxx>, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx>
Date: Tue, 1 Nov 2011 09:58:53 -0500
Maybe a bigger trout is needed?

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Taylor, Chris David
Sent: Monday, October 31, 2011 2:53 PM
To: 'Guillermo Alan Bort'
Cc: 'Joel.Patterson@xxxxxxxxxxx'; 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: CREATE DATABASE LINK privilege discussion

I effectively slapped him with a large trout when I told him he was
acting like my 14 year old after he criticized me through IM because he
*assumed* I removed his privs, when in fact he missed a grant - I also
felt the need to point out to him the reason his process broke was
because he failed to identify the grants he needed.
Needless to say, that has *not* helped the situation.
Funny thing is, I've already mentioned replicating the data into both
DEV & PROD so he has access to it.  (We have a dev db that gets rebuilt
from prod every weekend).  That way the data would always exist in prod
and he would always have access to it in the refreshed dev instance.  Of
course, that suggestion hasn't gotten any traction.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent
effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.

From: alanbort@xxxxxxxxx [mailto:alanbort@xxxxxxxxx] On Behalf Of
Guillermo Alan Bort
Sent: Monday, October 31, 2011 2:41 PM
To: Taylor, Chris David
Cc: Joel.Patterson@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: CREATE DATABASE LINK privilege discussion

Just a crazy thought, but if he ABSOLUTELY NEEDS THE DATA, you can set
up some from of replication (if it's a single table AQ or Streams could
work, GG if you have the license) and let him work off a replica of the
data. Probably he needs a subset of tables and not the entire prod
database. That way you remove the need for him to use db links, you come
out as "solution oriented" and you get those dirty, dirty DB links off
your prod database.

That, or slap the developer with a large trout... your call.

Cheers and HTH
Alan.-

On Mon, Oct 31, 2011 at 4:00 PM, Taylor, Chris David
<ChrisDavid.Taylor@xxxxxxxxxxxxxxx<mailto:ChrisDavid.Taylor@ingrambarge.
com>> wrote:
It's good to know that I'm not off base here.  I knew that it was SOP to
keep devs out of production and creating database links was typically
the purview of the Administrators.  Good to know that I wasn't crazy I
guess.

Thanks,

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent
effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.

-----Original Message-----
From: Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>
[mailto:Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>]
Sent: Monday, October 31, 2011 1:52 PM
To: Taylor, Chris David;
oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>
Subject: RE: CREATE DATABASE LINK privilege discussion

Hmmm.  This implies that he needs 'real time' data.   But he is
developing, and probably should be working off of 'refreshed' data,
whenever that was... why can't it be old.   I wouldn't think that he has
to have up to the minute data to develop.

Seems like there might be more going on here than development.  Maybe a
little testing, verification .... something.   These databases normally
are refreshed with data utilizing one method or another...   Everyone
seems to want the latest data, normally these users run reports, but
this is still dev.

The list seems to have formed a consensus around the issue, so you can
take that to heart.

Joel Patterson
Database Administrator
904 727-2546<tel:904%20727-2546>

-----Original Message-----
From: Taylor, Chris David
[mailto:ChrisDavid.Taylor@xxxxxxxxxxxxxxx<mailto:ChrisDavid.Taylor@ingra
mbarge.com>]
Sent: Monday, October 31, 2011 9:27 AM
To: Patterson, Joel;
'oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>'
Subject: RE: CREATE DATABASE LINK privilege discussion

He's using a package in the dev database to query data from production
to build result sets in the dev instance which have views built on top
of them.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent
effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.


-----Original Message-----
From: Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>
[mailto:Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>]
Sent: Monday, October 31, 2011 8:24 AM
To: Taylor, Chris David;
oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>
Subject: RE: CREATE DATABASE LINK privilege discussion

If he has the password, (hence creating link), then why not just log
directly in?   Things would be faster and easier surely, I mean Shirley.

Joel Patterson
Database Administrator
904 727-2546<tel:904%20727-2546>

-----Original Message-----
From: Taylor, Chris David
[mailto:ChrisDavid.Taylor@xxxxxxxxxxxxxxx<mailto:ChrisDavid.Taylor@ingra
mbarge.com>]
Sent: Monday, October 31, 2011 9:19 AM
To: Patterson, Joel;
'oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>'
Subject: RE: CREATE DATABASE LINK privilege discussion

I *KNOW*.  It's killing me.

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent
effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.


-----Original Message-----
From: Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>
[mailto:Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>]
Sent: Monday, October 31, 2011 7:56 AM
To: Taylor, Chris David;
oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>
Subject: RE: CREATE DATABASE LINK privilege discussion

I cannot remember anyplace I have ever worked that did not have a policy
against connecting to prod from any other database except another
production database.    Sometimes production connects to dev/test/accp,
but never the other direction.

Joel Patterson
Database Administrator
904 727-2546<tel:904%20727-2546>

-----Original Message-----
From:
oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxx
rg>] On Behalf Of Taylor, Chris David
Sent: Saturday, October 29, 2011 11:20 AM
To: 'oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>'
Subject: CREATE DATABASE LINK privilege discussion

I am curious how many of you grant your developers the 'CREATE DATABASE
LINK' privilege in 10g or higher?
We have a production read-only account that is setup to provide support
for troubleshooting production support issues and one of my developers
(out of approximately 20 devs) created a database link from a
development database to production for his application.

Now, this is fast becoming an issue and he keeps complaining that he
needs that privilege and that he should be able to create as many
database links as he wants - wherever he wants (for those environments
he has access to including the production support ID).

We (as an organization) have been sloppy in the past in granting 'CREATE
DATABASE LINK' but thankfully we have developers who normally understand
that you shouldn't use it to create links to a production support id for
app dev.

So how do you handle it?  Is there a good document on what privs app
devs should 'typically' have?  A good industry standards doc or some
such?

Thanks,

Chris Taylor
Sr. Oracle DBA
Ingram Barge Company
Nashville, TN 37205

"Quality is never an accident; it is always the result of intelligent
effort."
-- John Ruskin (English Writer 1819-1900)

CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential
and may also be privileged. If you are not the named recipient, please
notify the sender immediately and delete the contents of this message
without disclosing the contents to anyone, using them for any purpose,
or storing or copying the information on any medium.


--
//www.freelists.org/webpage/oracle-l








--
//www.freelists.org/webpage/oracle-l



--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l
RE: CREATE DATABASE LINK privilege discussion

Other related posts:
