RE: TOAD Access to other Schemas

  • From: "William Wagman" <wjwagman@xxxxxxxxxxx>
  • To: <Christopher.Boyle@xxxxxxxxxxxxx>, <rjamya@xxxxxxxxx>, <DENISE@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 14 Jun 2007 11:12:07 -0700

A few years ago one of the development groups here started using SQL
Navigator. When first implemented they were unable to perform many tasks
because they didn't have enough access despite  specific access having
been granted to objects in other schemas on an as needed basis. The
immediate request (demand actually) was to grant DBA access. I said no
and instead worked with Quest to find out where the problem was. I
learned that in order for many of the SQL Navigator development tools to
work select access on a number of the DBA_ views was required. Once I
granted that everyone was sort of happy, although still a bit annoyed
that I wouldn't just grant blanket DBA access. I suspect that may be all
that is necessary in TOAD as well although I don't know. It took some
work on my part but I was able to get them back to work without granting
global privileges. Besides, I learned something about SQL Navigator too.
 

Bill Wagman
Univ. of California at Davis
IET Campus Data Center
wjwagman@xxxxxxxxxxx
(530) 754-6208 

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Boyle, Christopher
Sent: Thursday, June 14, 2007 7:40 AM
To: rjamya@xxxxxxxxx; DENISE@xxxxxxxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: RE: TOAD Access to other Schemas



I couldn't agree with Raj more (and I used to be one of his developers
too!)    I am in the process of having the developers' access to the
schema that holds the tables revoked.  They can work in an _USER schema
and qualify their references but too many "I couldn't wait to follow the
procedures so I made the changes myself" that never got included in a
model or build script have warranted this type of lock down.  (Plus,
they get the scripts wrong.  Not all the developers.  Not even most or
many of the developers.  But enough.)

 

________________________________

From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of rjamya
Sent: Wednesday, June 13, 2007 10:08 PM
To: DENISE@xxxxxxxxxxxxxxxxx
Cc: oracle-l@xxxxxxxxxxxxx
Subject: Re: TOAD Access to other Schemas

 

this is a BIG NO NO. In-fact you can get away with SELECT ANY TABLE, but
that too is a NO NO in production/devl environment. Anyone who claims
they cannot do any development without these privs is trying for a easy
workaround (aka borderline lazy). 

 

Ask them what they want, and grant only that, nothing more. Any blanket
privilege (e.g. %ANY% types) are _bad_ imho in development environment
because you will need those in production then too.

 

My $0.0185 

Raj
 


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


NOTICE OF CONFIDENTIALITY: Information included in and/or attached to
this electronic mail transmission may be confidential. This electronic
mail transmission is intended for the addressee(s) only. Any
unauthorized disclosure, reproduction, or distribution of, and/or any
unauthorized action taken in reliance on the information in this
electronic mail is prohibited. If you believe that you have received
this electronic mail transmission in error, please notify the sender by
reply transmission, or contact helpdesk@xxxxxxxxxxxxx
<mailto:helpdesk@xxxxxxxxxxxxx> , and delete the message without copying
or disclosing it.  

Other related posts: