Can't you use SYSTEM instead of SYSDBA? You're not starting up or shutting down. On 19 Nov 2014 14:59, "Hemant K Chitale" <hemantkchitale@xxxxxxxxx> wrote: > > Thank you for the responses. > > A few observations : > 1. "HEMANT" is an active application account -- one that is used by the > application to connect to the schema and query / DML / run batches. So it > is not a "no-session" account. The password for this account is > (expectedly) maintained by the application and vaulted for use for upgrades > / releases / patches. > I would expect the DBA to retrieve the password from the vault and use it > only for the purpose of executing the DDL scripts for the application / > patch. > > 2. I would be unhappy if a DBA were to frequently use "/ AS SYSDBA". > That privilege is to be used only in the rarest cases. > > 3. The ALTER SESSION SET CURRENT_SCHEMA is not mandated to be included in > the script that the development team provides to the DBA. The DBA issues > this command at the sqlplus interactive prompt. There are a number of > possible dangers if (a) he sets it to the wrong schema or (b) he forgets to > issue it. > > Call me unhappy. But I am uncomfortable with the agreement to use AS > SYSDBA. > > > > Hemant K Chitale > ---------- Forwarded message ---------- > From: Hemant K Chitale <hemantkchitale@xxxxxxxxx> > Date: Sun, Nov 16, 2014 at 11:23 PM > Subject: Using SET CURRENT_SCHEMA for DDL and DCL > To: ORACLE-L <oracle-l@xxxxxxxxxxxxx> > > > > I am familiar with ALTER SESSION SET CURRENT_SCHEMA to define the scope > for all queries and DML in a current session. Thus schema "OWNER" can > grant privileges to account "USER" and account "USER" can login as himself > and invoke ALTER SESSION SET CURRENT_SCHEMA to define the scope for > object-resolution without using Synonyms. > > Have you seen or would you condone this : > > CONNECT / AS SYSDBA > ALTER SESSION SET CURRENT_SCHEMA = 'HEMANT' > CREATE TABLE XYZ > GRANT SELECT ON XYZ TO 'CHITALE' > > > Such that > a. The DBA does not need the password for 'HEMANT' > b. The DBA expects the table XYZ to be created in the 'HEMANT' schema > c. The DBA expects HEMANT to grant SELECT privilege to CHITALE > > > > Frankly, I am uncomfortable with this as it doesn't seem proper. I would > rather have the DBA get the password for the 'HEMANT' account from the > password vault and login as HEMANT to execute the CREATE and GRANT commands. > > What is your opinion ? > > -- > > Hemant K Chitale > http://hemantoracledba.blogspot.com > http://hemantscribbles.blogspot.com > > > > > -- > > Hemant K Chitale > http://hemantoracledba.blogspot.com > http://hemantscribbles.blogspot.com > >