You are talking to an ignorant auditor who thinks the all views show everything in the database. If he seriously thinks that knowing other usernames is a security risk, go ahead and revoke that one, then explain to him that the all* views actually just show objects that each user has access to, not everything in the database. I ran into this before, and the problem was the guy was trained in accounting, not oracle. On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams < oracledba.williams@xxxxxxxxx> wrote: > List, > > Some security auditors are stating that the ALL_ views are a security risk > and are recommending that I revoke them. In particular, they are pointing to > ALL_USERS as offering a hacker useful information. My guess is that the ALL_ > views are granted to PUBLIC. Has anyone had this requirement? Has anyone > successfully revoked this access? > > Dennis > -- Andrew W. Kerber 'If at first you dont succeed, dont take up skydiving.'