Re: Removing ALL_ views from users
- From: Dennis Williams <oracledba.williams@xxxxxxxxx>
- To: Andrew Kerber <andrew.kerber@xxxxxxxxx>
- Date: Tue, 31 Mar 2009 11:03:03 -0500
Thanks Andrew,
That was pretty much my first response. Unfortunately this has gone further
than that. What I'm asking is:
Has anyone removed access to any of the ALL_ views?
I'm guessing that since the views are PUBLIC, that would need to be revoked
first.
Thanks,
Dennis
On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber@xxxxxxxxx>wrote:
> You are talking to an ignorant auditor who thinks the all views show
> everything in the database. If he seriously thinks that knowing other
> usernames is a security risk, go ahead and revoke that one, then explain to
> him that the all* views actually just show objects that each user has access
> to, not everything in the database. I ran into this before, and the problem
> was the guy was trained in accounting, not oracle.
>
>
> On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <
> oracledba.williams@xxxxxxxxx> wrote:
>
>> List,
>>
>> Some security auditors are stating that the ALL_ views are a security risk
>> and are recommending that I revoke them. In particular, they are pointing to
>> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
>> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
>> successfully revoked this access?
>>
>> Dennis
>>
>
>
>
> --
> Andrew W. Kerber
>
> 'If at first you dont succeed, dont take up skydiving.'
>
Other related posts: