Re: roles + pl/sql

  • From: Bill Ferguson <wbfergus@xxxxxxxxx>
  • To: kennethnaim@xxxxxxxxx
  • Date: Mon, 20 Dec 2010 11:14:04 -0700

Could it possibly be to prevent a rogue developer from assigning roles
in some PL/SQL code they wrote to bypass some of the other built-in
security?

Say they write a PL/SQL routine to access the financial tables and make
a copy of them in another schema. They don't have the proper
permission available through their permissions, so they write one and
set the role to one that does. They then give it a clever name and
toss it out there in some common spot where everybody stores code
snippets and wait for somebody with the proper permissions to run it,
then they get all the data they wanted (or whatever else they wanted
to do).

Another case may be to help alleviate some potential problems between
dev code and production code. It may be fine and dandy for somebody to
have access to the ALL_FINANCIALS role on development, but you
probably don't want to have that accidentally slip over into
production. Forcing a full, conscious decision on the DBA of the
database instead of relying on the honesty and integrity of every
single developer (or those with developer rights) is probably not the
safest assumption to make.

Just a couple things off the top of my head. I'm dead tired and maybe
not thinking clearly either though....

-- 
-- Bill Ferguson
--
//www.freelists.org/webpage/oracle-l

