Mayen,

Just so I understand you correctly, you took a list of each of the ALL_ views, and revoked each of them from PUBLIC? Any database problems afterward? Which database version?

Thanks,
Dennis

On Tue, Mar 31, 2009 at 11:10 AM, <Mayen.Shah@xxxxxxxxxx> wrote:

> I had a similar request from auditors. I lost half the battle. Instead of
> dropping ALL_ views, I revoked PUBLIC privilege to satisfy auditors. When
> developers complained, I asked them to get approval from auditors...never
> heard back.
>
> Thanks
> Mayen
>
> "Dennis Williams" <oracledba.williams@xxxxxxxxx>
> Sent by: oracle-l-bounce@xxxxxxxxxxxxx
> Mar 31 2009 12:03 PM
> Please respond to: oracledba.williams@xxxxxxxxx
> To: "Andrew Kerber" <andrew.kerber@xxxxxxxxx>
> cc: "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
> Subject: Re: Removing ALL_ views from users
>
> Thanks Andrew,
>
> That was pretty much my first response. Unfortunately this has gone further
> than that. What I'm asking is:
>
> Has anyone removed access to any of the ALL_ views?
>
> I'm guessing that since the views are PUBLIC, that would need to be revoked
> first.
>
> Thanks,
> Dennis
>
> On Mon, Mar 30, 2009 at 9:40 AM, Andrew Kerber <andrew.kerber@xxxxxxxxx> wrote:
>
> You are talking to an ignorant auditor who thinks the all views show
> everything in the database. If he seriously thinks that knowing other
> usernames is a security risk, go ahead and revoke that one, then explain to
> him that the all* views actually just show objects that each user has access
> to, not everything in the database. I ran into this before, and the problem
> was the guy was trained in accounting, not Oracle.
>
> On Mon, Mar 30, 2009 at 9:32 AM, Dennis Williams <oracledba.williams@xxxxxxxxx> wrote:
>
> List,
>
> Some security auditors are stating that the ALL_ views are a security risk
> and are recommending that I revoke them. In particular, they are pointing to
> ALL_USERS as offering a hacker useful information. My guess is that the ALL_
> views are granted to PUBLIC. Has anyone had this requirement? Has anyone
> successfully revoked this access?
>
> Dennis
>
> --
> Andrew W. Kerber
>
> 'If at first you don't succeed, don't take up skydiving.'