Re: view privilege

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: stellr@xxxxxxxxxx
  • Date: Mon, 25 Apr 2005 15:33:48 -0400

On 4/25/05, Ray Stell <stellr@xxxxxxxxxx> wrote:
>
> From the 9.2 docs:
>
> The owner of the view (whether it is you or another user) must have
> been explicitly granted privileges to access all objects referenced in
> the view definition. The owner cannot have obtained these privileges
> through roles.
>
> What is the logic behind the role restriction?  Why is a role less
> secure in the ora architecture?  Thanks.
> ============================================================
> Ray Stell  stellr@xxxxxx  (540) 231-4109  Tempus fugit  28^D

Roles, if granted, may or may not be enabled in a user session at runtime.
Roles may have had their sys_privs changed between compile time and runtime.
Sounds to me like roles leave holes (for privilege escalation).

Before compiling the view, issue the following:

SQL> set role none;

hth.

Paul



--
#/etc/init.d/init.cssd stop
-- f=ma, divide by 1, convert to moles.
--
//www.freelists.org/webpage/oracle-l
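
The behaviour discussed in this thread, as an added SQL*Plus example that is not part of the original posts. The schema `app_owner`, table `orders`, user `report_user` and role `read_orders` are hypothetical names; the closing query is a rough audit over the standard `DBA_DEPENDENCIES` and `DBA_TAB_PRIVS` dictionary views.

```sql
-- Session 1: a DBA account. All object, user and role names are hypothetical.
CREATE ROLE read_orders;
GRANT SELECT ON app_owner.orders TO read_orders;
GRANT read_orders TO report_user;
GRANT CREATE SESSION, CREATE VIEW TO report_user;

-- Session 2: report_user, with read_orders enabled as a default role.
CONNECT report_user
SELECT COUNT(*) FROM app_owner.orders;      -- works: the role is enabled in this session

CREATE VIEW v_orders AS
  SELECT * FROM app_owner.orders;           -- fails: the privilege is held only through a role

-- Disable every role to see what the view compiler is allowed to rely on.
SET ROLE NONE;
SELECT COUNT(*) FROM app_owner.orders;      -- now fails as well

-- Session 1 again: grant the object privilege directly to the view owner.
GRANT SELECT ON app_owner.orders TO report_user;

-- Session 2: roles still disabled, the direct grant is sufficient.
CREATE VIEW v_orders AS
  SELECT * FROM app_owner.orders;           -- succeeds

-- Audit (DBA): views that reference another schema's table or view where the
-- view owner has no direct SELECT grant on that object. A row here means the
-- owner relies on something else, such as a grant to PUBLIC or a system
-- privilege like SELECT ANY TABLE, and is worth a closer look.
SELECT d.owner, d.name AS view_name, d.referenced_owner, d.referenced_name
FROM   dba_dependencies d
WHERE  d.type = 'VIEW'
AND    d.referenced_type IN ('TABLE', 'VIEW')
AND    d.referenced_owner <> d.owner
AND    d.referenced_owner NOT IN ('SYS', 'SYSTEM', 'PUBLIC')
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.grantee    = d.owner
         AND    p.owner      = d.referenced_owner
         AND    p.table_name = d.referenced_name
         AND    p.privilege  = 'SELECT');
```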
