RE: Default user permissions

  • From: "Mark W. Farnham" <mwf@xxxxxxxx>
  • To: <Leo.Drobnis@xxxxxxxxxxxxxxx>, <Joel.Patterson@xxxxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 8 Nov 2011 11:08:12 -0500

Did you just upgrade to 11g?

There are significant changes in the default permissions to improve
security.

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Leo Drobnis
Sent: Tuesday, November 08, 2011 10:58 AM
To: Joel.Patterson@xxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Default user permissions

Yes, I did:

select * from dba_sys_privs where grantee='BB_STAGE'

no rows selected.

GRANTEE                        GRANTED_ROLE                   ADMIN_OPTION DEFAULT_ROLE
------------------------------ ------------------------------ ------------ ------------
BB_STAGE                       CONNECT                        NO           YES

1 row selected.

select * from dba_sys_privs where grantee='CONNECT'


GRANTEE                        PRIVILEGE                                ADMIN_OPTION
------------------------------ ---------------------------------------- ------------
CONNECT                        CREATE SESSION                           NO

1 row selected.


select * from dba_role_privs where grantee='CONNECT'

no rows selected.

Also, public has no privileges...

-----Original Message-----
From: Joel.Patterson@xxxxxxxxxxx [mailto:Joel.Patterson@xxxxxxxxxxx]
Sent: Tuesday, November 08, 2011 10:51 AM
To: Leo Drobnis; oracle-l@xxxxxxxxxxxxx
Subject: RE: Default user permissions

Personally, I skip connect role and just grant create session; but
that's beside the point. If you want a minimum of permissions, why not
say quota 0 on users?

Are you sure you checked dba_role_privs where grantee = 'CONNECT' and
dba_sys_privs?  Because what you describe should not allow bb_stage to
create tables without CREATE TABLE somewhere.



Joel Patterson
Database Administrator
904 727-2546

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Leo Drobnis
Sent: Tuesday, November 08, 2011 10:44 AM
To: ORACLE-L
Subject: Default user permissions

I am a bit puzzled, maybe I am getting rusty.

I need to create a user with bare minimum permissions:

CREATE USER bb_stage
IDENTIFIED BY "password"
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE TEMP;

GRANT CONNECT TO bb_stage;

ALTER USER bb_stage QUOTA UNLIMITED ON "USERS";

Connect role only has create session.

Public has no privileges.

However the newly created user can create and drop tables.

I am trying to find where it's coming from.

Any idea???


--
//www.freelists.org/webpage/oracle-l
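
The checks in the thread look one level deep at BB_STAGE and CONNECT. As an added example (not part of the original posts), the query below walks the whole role chain from both BB_STAGE and PUBLIC and lists every system privilege reachable, with the grant path. It uses the same dictionary views as the thread plus SESSION_PRIVS and SESSION_ROLES, and assumes it is run by an account that can read the DBA_ views.

```sql
-- Added example: effective system privileges for BB_STAGE, including
-- those inherited through nested roles and through PUBLIC.
WITH grantees AS (
    -- the user and PUBLIC themselves (direct grants)
    SELECT 'BB_STAGE' AS name, 'BB_STAGE (direct)' AS via FROM dual
    UNION ALL
    SELECT 'PUBLIC', 'PUBLIC (direct)' FROM dual
    UNION ALL
    -- every role reachable from either, at any nesting depth
    SELECT granted_role,
           SUBSTR(SYS_CONNECT_BY_PATH(grantee, ' -> '), 5)
             || ' -> ' || granted_role
    FROM   dba_role_privs
    START  WITH grantee IN ('BB_STAGE', 'PUBLIC')
    CONNECT BY PRIOR granted_role = grantee
)
SELECT sp.privilege,
       sp.admin_option,
       g.via
FROM   dba_sys_privs sp
JOIN   grantees g ON sp.grantee = g.name
ORDER  BY sp.privilege, g.via;

-- Cross-check from inside a session connected as BB_STAGE: these views
-- show what the session actually holds, whatever the grant path was.
SELECT privilege FROM session_privs ORDER BY privilege;
SELECT role      FROM session_roles ORDER BY role;
```

If CREATE TABLE or CREATE ANY TABLE appears in the first result, the "via" column names the grant to revoke; if it appears in neither result, the privilege is not coming from a system privilege or role grant.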


--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l


Other related posts: