*sigh*. Yeah. I know that feeling, too. All too well. On the plus side, if the directors have approved this -- over your objections -- it will be (somewhat) more difficult for them to blame *you* for the disasters that eventually arise from it. Good luck! On Wed, Mar 18, 2015 at 10:56 AM, Kumar Madduri <ksmadduri@xxxxxxxxx> wrote: > Thanks Mark. I have raised those points as well with my manager. > The problem is the developers get approvals from 'directors' who think > they are technical and don't like to be questioned by the DBAs. I still do > and get in to bad books :) > > On Wed, Mar 18, 2015 at 7:21 AM, MARK BRINSMEAD <mark.brinsmead@xxxxxxxxx> > wrote: > >> Security considerations aside (and they *are* completely valid >> considerations), you should probably talk to the developers and find out >> exactly what they are thinking, and WHY they think the need to be able to >> flashback tables. >> >> Is this a feature that they plan to rely on in their code? Do they >> understand that it is not guaranteed to work? (It will fail if you don't >> have enough UNDO on hand to reach the requested SCN.) Do they have a plan >> for dealing with it when it *does* fail? Have they considered how this >> might affect concurrency? >> >> Your developers may be rock-solid and know exactly what they are doing >> and why they are doing it. In my own experience, though, I have rarely >> (but sometimes!) found that to be the case. :-) >> >> >> On Wed, Mar 18, 2015 at 8:09 AM, Brent Day <coloradodba@xxxxxxxxx> wrote: >> >>> Kumar, >>> >>> You are right - this is a security risk and my recommendation would be >>> to never grant any "ANY" system privileges. There have been many easily >>> exploitable privilege escalations bugs around the "ANY" grants. While many >>> of these have been fixed provided you keep up with CPU/PSU patching. The >>> flashback any privilege in the past had problems - see CVE-2012-1751. While >>> this has been fixed you just never know when some patch or upgrade may >>> break this again. >>> >>> As a general rule we do not allow any user or application account to >>> have any of the ANY system privileges. >>> >>> If I was in your position I would get with the developers and find out >>> what they are trying to accomplish and maybe find an alternative method to >>> meet the requirements without granting flashback any. >>> >>> Hope that helps. >>> >>> Brent >>> >>> >>> >>> On Wed, Mar 18, 2015 at 5:50 AM, Kumar Madduri <ksmadduri@xxxxxxxxx> >>> wrote: >>> >>>> Hello: >>>> Our developers have requested flashback any table to be given to apps >>>> (in an ebusiness environment). They would not have the apps password in >>>> production. I think they are using it to build some feature in a custom >>>> app. >>>> Regardless of their motivation, I think this is a security risk because >>>> why would a developer want this privilege in a production environment. >>>> >>>> I cant think like a hacker but it does not sound right to me. >>>> Want to confirm with the list if I am missing something ? >>>> >>>> Thank you >>>> Kumar >>>> >>> >>> >> >