Re: Removing ALL_ views from users

• From: Andrew Kerber <andrew.kerber@xxxxxxxxx>
• To: oracledba.williams@xxxxxxxxx
• Date: Mon, 30 Mar 2009 09:40:48 -0500

You are talking to an ignorant auditor who thinks the all views show
everything in the database.  If he seriously thinks that knowing other
usernames is a security risk, go ahead and revoke that one, then explain to
him that the all* views actually just show objects that each user has access
to, not everything in the database.  I ran into this before, and the problem
was the guy was trained in accounting, not oracle.

On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <
oracledba.williams@xxxxxxxxx> wrote:

> List,
>
> Some security auditors are stating that the ALL_ views are a security risk
> and are recommending that I revoke them. In particular, they are pointing to
> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
> successfully revoked this access?
>
> Dennis
>



-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

• Follow-Ups:
  • Re: Removing ALL_ views from users
    • From: Dennis Williams

• References:
  • Removing ALL_ views from users
    • From: Dennis Williams

Other related posts:

• » Removing ALL_ views from users - Dennis Williams
• » Re: Removing ALL_ views from users - Andrew Kerber
• » Re: Removing ALL_ views from users - Dennis Williams
• » Re: Removing ALL_ views from users - Mayen . Shah
• » Re: Removing ALL_ views from users - Dennis Williams
• » Re: Removing ALL_ views from users - Guillermo Alan Bort
• » Re: Removing ALL_ views from users - Mayen . Shah
• » Re: Removing ALL_ views from users - Dennis Williams

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page

• » View list details
• » Manage your subscription