Security issues in granting v$view select privileges
- From: "Walker, Jed S" <Jed_Walker@xxxxxxxxxxxxxxxxx>
- To: oracle-l-freelists <oracle-l@xxxxxxxxxxxxx>
- Date: Sat, 20 Nov 2010 14:35:31 +0000
We have developers "requiring" select access to all v$views for troubleshooting
purposes. While on first thought this doesn't seem like a big deal, 1) it is
just development, 2) it is just dynamic views, I suspect there is more to
consider.
Concerns we have are:
* that applications will start getting v$view use written in, and our
development is not very good at making sure those things are documented
(usually it's, please add this access the night before go live), this doesn't
give us much time to consider implications of the grant and is even harder to
remove it at that point if necessary.
* we suspect there might be v$views that really should only be visible to the
administrators who have the responsibility of maintaining database integrity.
* eventually for supporting production they'll want all of them on test and
production too and then at that point if there are security, integrity concerns
we've now opened it up in production.
I have made the point this will not be PUBLICly granted and am absolutely
sticking with that.
I'd love to get some outside thoughts on this?
- Jed
Other related posts:
