Re: Removing ALL_ views from users

  • From: Andrew Kerber <andrew.kerber@xxxxxxxxx>
  • To: oracledba.williams@xxxxxxxxx
  • Date: Mon, 30 Mar 2009 09:40:48 -0500

You are talking to an ignorant auditor who thinks the all views show
everything in the database.  If he seriously thinks that knowing other
usernames is a security risk, go ahead and revoke that one, then explain to
him that the all* views actually just show objects that each user has access
to, not everything in the database.  I ran into this before, and the problem
was the guy was trained in accounting, not Oracle.

On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <oracledba.williams@xxxxxxxxx> wrote:

> List,
> Some security auditors are stating that the ALL_ views are a security risk
> and are recommending that I revoke them. In particular, they are pointing to
> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
> successfully revoked this access?
> Dennis

Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'
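
Added example, not part of the original thread: one way to check Dennis's guess that the ALL_ views are granted to PUBLIC, and to see what depends on ALL_USERS before and after revoking it. It assumes a session with access to the DBA_ dictionary views and that the grant on ALL_USERS is a SELECT on SYS.ALL_USERS.

```sql
-- Added example; run from an account that can query the DBA_ views.

-- 1. Which ALL_ views are granted to PUBLIC, and with what privilege?
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    SUBSTR(table_name, 1, 4) = 'ALL_'
ORDER  BY owner, table_name;

-- 2. Before revoking, list stored objects that reference ALL_USERS,
--    either directly (SYS view) or through the PUBLIC synonym.
--    Any of these that rely on the PUBLIC grant can stop compiling.
SELECT owner, name, type, referenced_owner, referenced_type
FROM   dba_dependencies
WHERE  referenced_name = 'ALL_USERS'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 3. The revoke discussed in the thread (assumes a SELECT grant to PUBLIC).
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 4. After the revoke, look for objects that were invalidated by it.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;

-- 5. Confirm the grant is gone (expect no rows).
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'ALL_USERS'
AND    grantee = 'PUBLIC';
```

Try the revoke on a test copy of the database first, since tools and application code that query ALL_USERS through the PUBLIC grant will need an explicit grant afterwards.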
