Hi John, Thanks for suggesting FGAC - that hadn't occurred to me, but I guess I could simply set up a policy function along the lines of 'sys_context('USERENV','SESSION_USER') != READONLYUSER' and add it for statement types insert, update and delete on all tables. And then allow a free-for-all on executing the packages. I guess this is similar in principle to Mark Bobak's suggestion - to allow the PL/SQL access but block any actual DML that is attempted, only using DBMS_RLS instead of triggers. Stephane Faroult is trying to persuade me that the impact using triggers won't be that great - and I'll believe him! - but I'd be comfortable using DBMS_RLS as we had it on an other similar system and it didn't have any noticeable performance hit. Thanks to everyone who responded, all much appreciated! - Charlotte On Thu, 16 Dec 2004 08:45 , John Shaw <John.Shaw@xxxxxxxxxxxxxxxxxxx> sent: The ever popular fine grain access [... details snipped ... ] --------------------------------- Do you Yahoo!? Yahoo! Mail - Find what you need with new enhanced search. Learn more. -- //www.freelists.org/webpage/oracle-l