Re: Removing ALL_ views from users

You are talking to an ignorant auditor who thinks the all views show
everything in the database.  If he seriously thinks that knowing other
usernames is a security risk, go ahead and revoke that one, then explain to
him that the all* views actually just show objects that each user has access
to, not everything in the database.  I ran into this before, and the problem
was the guy was trained in accounting, not oracle.

On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <
oracledba.williams@xxxxxxxxx> wrote:

> List,
>
> Some security auditors are stating that the ALL_ views are a security risk
> and are recommending that I revoke them. In particular, they are pointing to
> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
> successfully revoked this access?
>
> Dennis
>



-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

Other related posts: