I had similar request from auditors. I lost half the battle. Instead of dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When developers complained, I asked them to get approval from auditors...never heard back. Thanks Mayen "Dennis Williams" <oracledba.williams@xxxxxxxxx> Sent by: oracle-l-bounce@xxxxxxxxxxxxx Mar 31 2009 12:03 PM Please respond to oracledba.williams@xxxxxxxxx To "Andrew Kerber" <andrew.kerber@xxxxxxxxx> cc "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx> Subject Re: Removing ALL_ views from users Thanks Andrew, That was pretty much my first response. Unfortunately this has gone further than that. What I'm asking is: Has anyone removed access to any of the ALL_ views? I'm guessing that since the views are PUBLIC, that would need to be revoked first. Thanks, Dennis On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber@xxxxxxxxx> wrote: You are talking to an ignorant auditor who thinks the all views show everything in the database. If he seriously thinks that knowing other usernames is a security risk, go ahead and revoke that one, then explain to him that the all* views actually just show objects that each user has access to, not everything in the database. I ran into this before, and the problem was the guy was trained in accounting, not oracle. On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams < oracledba.williams@xxxxxxxxx> wrote: List, Some security auditors are stating that the ALL_ views are a security risk and are recommending that I revoke them. In particular, they are pointing to ALL_USERS as offering a hacker useful information. My guess is that the ALL_ views are granted to PUBLIC. Has anyone had this requirement? Has anyone successfully revoked this access? Dennis -- Andrew W. Kerber 'If at first you dont succeed, dont take up skydiving.'