Hi Stefan,
Thanks for there suggestion but I can't see any source text with "EXEMPT ACCESS
POLICY" in it. I guess it could be wrapped and hidden somewhere in the SYS
schema but that seems unlikely. I'll check if there are any objects there that
don't appear in other databases of the same version.
I guest the easiest way to check this would be to put a trace on the logon but
that's hard for political reasons.
Thanks,Charlotte
On Monday, November 4, 2019, 07:20:12 PM GMT, Stefan Knecht
<knecht.stefan@xxxxxxxxx> wrote:
And I think the final possibility - if it's not proxy users - would be that
the user calls a package defined with AUTHID DEFINER, but owned by another user
that has that privilege.
On Tue, Nov 5, 2019 at 1:59 AM Jonathan Lewis <jonathan@xxxxxxxxxxxxxxxxxx>
wrote:
Do you make use of proxy users ?
Do you have any users with this privilege ?
Regards
Jonathan Lewis
________________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> on behalf
of Charlotte Hammond <dmarc-noreply@xxxxxxxxxxxxx>
Sent: 04 November 2019 18:36
To: dmarc-noreply@xxxxxxxxxxxxx; Stefan Knecht
Cc: Oracle-L Freelists
Subject: Re: Where is this Privilege coming from?
Hi Stefan,
Yes - VPD is in use. We see EXEMPT ACCESS POLICY in the audit trail when any
of the tables with a policy on it is accessed by this user. So that makes
sense. But I just can't figure out how it is getting the privilege in the
first place.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht
<knecht.stefan@xxxxxxxxx> wrote:
Are you using VPD in that database?
On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond
<dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>> wrote:
Hello All,
In my database audit trail I can see lots of entries for use of the privilege
"EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user (a shared
account used by the front end application - sessions are created/destroyed
dynamically through the day). The RETURNCODE is 0 for these entries.
However this database user does not have this privilege granted to them either
directly or through a role (and the 1 role they have does not have any system
privileges). Also, if I log in directly as this database user using sqlplus I
do not have this privilege. I presume the application is doing something
special when it creates the session but I cannot think what!
So where is this privilege coming from to appear in the audit trail? Any
suggestions on how to track this down much appreciated!
Thanks,
Charlotte
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net<http://zztat.net/> | @zztat_oracle |
fb.me/zztat<http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>
--
//www.freelists.org/webpage/oracle-l
--
//zztat - The Next-Gen Oracle Performance Monitoring and Reaction
Framework!Visit us at zztat.net | @zztat_oracle | fb.me/zztat | zztat.net/blog/