Re: Removing ALL_ views from users

  • From: Mayen.Shah@xxxxxxxxxx
  • To: oracledba.williams@xxxxxxxxx
  • Date: Tue, 31 Mar 2009 12:10:25 -0400

I had a similar request from auditors. I lost half the battle. Instead of 
dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When 
developers complained, I asked them to get approval from auditors... never 
heard back.

Thanks
Mayen

"Dennis Williams" <oracledba.williams@xxxxxxxxx>
Sent by: oracle-l-bounce@xxxxxxxxxxxxx
Mar 31 2009 12:03 PM
Please respond to: oracledba.williams@xxxxxxxxx
To: "Andrew Kerber" <andrew.kerber@xxxxxxxxx>
cc: "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
Subject: Re: Removing ALL_ views from users


Thanks Andrew,
 
That was pretty much my first response. Unfortunately this has gone 
further than that. What I'm asking is:
 
     Has anyone removed access to any of the ALL_ views?
 
I'm guessing that since the views are PUBLIC, that would need to be 
revoked first.
 
Thanks,
Dennis

On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber@xxxxxxxxx> 
wrote:
You are talking to an ignorant auditor who thinks the all views show 
everything in the database. If he seriously thinks that knowing other 
usernames is a security risk, go ahead and revoke that one, then explain 
to him that the all* views actually just show objects that each user has 
access to, not everything in the database. I ran into this before, and 
the problem was the guy was trained in accounting, not Oracle.


On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <
oracledba.williams@xxxxxxxxx> wrote:
List,
 
Some security auditors are stating that the ALL_ views are a security risk 
and are recommending that I revoke them. In particular, they are pointing 
to ALL_USERS as offering a hacker useful information. My guess is that the 
ALL_ views are granted to PUBLIC. Has anyone had this requirement? Has 
anyone successfully revoked this access? 
 
Dennis



-- 
Andrew W. Kerber

'If at first you don't succeed, don't take up skydiving.'
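
The check-then-revoke sequence discussed in this thread, as an added example that is not part of any poster's message: it confirms whether the ALL_ views are granted to PUBLIC, lists what depends on ALL_USERS, revokes that one grant, and checks for fallout. It assumes a DBA account; the role name APP_DICT_READ is hypothetical.

```sql
-- Added example, not from the original thread. Run as a DBA account.

-- 1. Confirm the guess made in the thread: which SYS-owned ALL_ views
--    carry a privilege granted to PUBLIC?
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    table_name LIKE 'ALL\_%' ESCAPE '\'
ORDER  BY table_name;

-- 2. Before revoking, list non-SYS stored objects that reference
--    ALL_USERS (directly or through the public synonym). These can
--    become invalid once the PUBLIC grant is gone.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_name = 'ALL_USERS'
AND    referenced_type IN ('VIEW', 'SYNONYM')
AND    owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, name;

-- 3. Revoke the PUBLIC grant on the view the auditors singled out.
REVOKE SELECT ON sys.all_users FROM PUBLIC;

-- 4. Give the view back only to accounts that need it, through a role.
--    APP_DICT_READ is a hypothetical name. Definer-rights PL/SQL does
--    not see role privileges, so code found in step 2 needs a direct
--    grant to its owner instead.
CREATE ROLE app_dict_read;
GRANT SELECT ON sys.all_users TO app_dict_read;

-- 5. Check what the revoke invalidated.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```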
