Re: all_objects: anyone know why Oracle decided to only make triggers viewable with "CREATE ANY TRIGGER" system priv?

  • From: "Charles Schultz" <sacrophyte@xxxxxxxxx>
  • To: mark.powell@xxxxxxx
  • Date: Tue, 30 Oct 2007 08:20:40 -0500

Here is what I do not like. If you give someone the ability to select any
dictionary, a user has the necessary privs to select trigger information
from dba_objects, but not all_objects. That seems a bit backwards. If
security were such a big concern, why allow access to dba_objects instead of
all_objects? Why not just make a private synonym for dba_objects called
all_objects? =)

DBARMAN_SQL > grant create session, select any dictionary to test identified by test;

Grant succeeded.

DBARMAN_SQL > connect test/test
Connected.
DBARMAN_SQL > select count(*) from all_objects where object_type = 'TRIGGER';

  COUNT(*)
----------
         0

DBARMAN_SQL > select count(*) From dba_objects where object_type = 'TRIGGER';

  COUNT(*)
----------
         4


On 10/29/07, Powell, Mark D <mark.powell@xxxxxxx> wrote:
>
>  Security.  By default only the owner and DBAs can see trigger (and also
> package body) source.
>
> Triggers are often used for auditing.  If you can see what the trigger
> does then you can write the DML to remove the generated trail.
>
> There are ways to provide access to source code without granting DBA or
> ANY privileges.  For developers we provide a modified version of the
> user_source view that we then grant select on.
>
> -- Mark D Powell --
> Phone (313) 592-5148
>

-- 
Charles Schultz
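
Added example, not part of either message and not the posters' own code: one way to build the kind of restricted source view mentioned in the quoted reply, as an alternative to granting SELECT ANY DICTIONARY as in the test above. The names SRC_ADMIN, APP_OWNER, DEV_SOURCE, DEV_SOURCE_READER and DEV_USER, and the AUD_ prefix for audit triggers, are assumptions.

```sql
-- Added example; every schema, role and user name here is hypothetical.
-- Run as a DBA in SQL*Plus.

-- 1. A locked schema that exists only to own the view.
CREATE USER src_admin IDENTIFIED BY "<placeholder-password>" ACCOUNT LOCK;

-- 2. The view owner needs a direct object grant (a grant through a role
--    is not enough), and WITH GRANT OPTION so that access to the view
--    can be passed on to other users.
GRANT SELECT ON sys.dba_source TO src_admin WITH GRANT OPTION;

-- 3. Expose only the application schema's source, and leave out audit
--    triggers (assumed naming convention: AUD_ prefix) so their logic
--    stays visible to the owner and DBAs only.
CREATE OR REPLACE VIEW src_admin.dev_source AS
SELECT owner, name, type, line, text
  FROM sys.dba_source
 WHERE owner = 'APP_OWNER'
   AND type IN ('TRIGGER', 'PACKAGE', 'PACKAGE BODY', 'PROCEDURE', 'FUNCTION')
   AND NOT (type = 'TRIGGER' AND name LIKE 'AUD\_%' ESCAPE '\');

-- 4. Hand the view out through a role instead of per-user grants.
CREATE ROLE dev_source_reader;
GRANT SELECT ON src_admin.dev_source TO dev_source_reader;

CREATE USER dev_user IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION, dev_source_reader TO dev_user;

-- 5. Review as DEV_USER: confirm that no ANY or dictionary-wide privilege
--    is listed, that the view returns only the intended objects, and that
--    DBA_OBJECTS is not reachable from this account.
CONNECT dev_user
SELECT privilege FROM session_privs;
SELECT name, type, COUNT(*) AS source_lines
  FROM src_admin.dev_source
 GROUP BY name, type
 ORDER BY type, name;
SELECT COUNT(*) FROM dba_objects WHERE object_type = 'TRIGGER';
```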
