Re: view privilege
- From: Paul Drake <bdbafh@xxxxxxxxx>
- To: stellr@xxxxxxxxxx
- Date: Mon, 25 Apr 2005 15:33:48 -0400
On 4/25/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
>
> From the 9.2 docs:
>
> The owner of the view (whether it is you or another user) must have
> been explicitly granted privileges to access all objects referenced in
> the view definition. The owner cannot have obtained these privileges
> through roles.
>
> What is the logic behind the role restriction? Why is a role less
> secure in the ora architecture? Thanks.
> ============================================================
> Ray Stell stellr@xxxxxx (540) 231-4109 Tempus fugit 28^D
Roles, if granted, may or may not be enabled in a user session at runtime.
Roles may have had their sys_privs changed between compile time and runtime.
Sounds to me like roles leave holes (for privilege escalation).
Before compiling the view, issue the following:
SQL> set role none;
hth.
Paul
-- 
#/etc/init.d/init.cssd stop
-- f=ma, divide by 1, convert to moles.
--
http://www.freelists.org/webpage/oracle-l
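
The check suggested in the reply above, worked through as an added SQL*Plus example that is not part of the original post. APP_OWNER, REPORT_USER, REPORT_ROLE and ORDERS are hypothetical names; the two users and the table are assumed to exist already in a scratch database.

```sql
-- Constructed example; every user, role and table name here is hypothetical.

-- As a DBA: SELECT on the base table is granted only through a role.
CREATE ROLE report_role;
GRANT SELECT ON app_owner.orders TO report_role;
GRANT report_role TO report_user;
GRANT CREATE SESSION, CREATE VIEW TO report_user;

-- As REPORT_USER: the role is enabled by default at login, so ad hoc SQL works.
CONNECT report_user
SELECT COUNT(*) FROM app_owner.orders;        -- succeeds through REPORT_ROLE

-- View creation ignores privileges that arrive through roles.
CREATE VIEW v_orders AS SELECT * FROM app_owner.orders;
-- fails: ORA-01031: insufficient privileges

-- Disable all roles to see what the session holds by direct grant alone.
SET ROLE NONE;
SELECT * FROM session_roles;                  -- no rows selected
SELECT COUNT(*) FROM app_owner.orders;
-- fails: ORA-00942: table or view does not exist

-- As APP_OWNER: grant the privilege directly to the future view owner.
CONNECT app_owner
GRANT SELECT ON orders TO report_user;

-- As REPORT_USER, with roles still disabled, the view now compiles.
CONNECT report_user
SET ROLE NONE;
CREATE VIEW v_orders AS SELECT * FROM app_owner.orders;

-- As a DBA: list object privileges REPORT_USER holds only through a
-- directly granted role (nested roles are not followed), i.e. the grants
-- that a view or stored object owned by REPORT_USER cannot rely on.
SELECT rp.granted_role, tp.owner, tp.table_name, tp.privilege
FROM   dba_role_privs rp
JOIN   dba_tab_privs  tp ON tp.grantee = rp.granted_role
WHERE  rp.grantee = 'REPORT_USER'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs d
                   WHERE  d.grantee    = rp.grantee
                   AND    d.owner      = tp.owner
                   AND    d.table_name = tp.table_name
                   AND    d.privilege  = tp.privilege);
```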