Dear listers,

I tried to come up with a good name for this post but couldn't. So here goes the story:

I have been asked to review a product that management is _very_ keen to deploy in production. Unfortunately, before this can happen it has to go through a change management process, which implies that "troublemakers" like me can raise their concerns that need addressing. For a change I have access to the source code of the application, which makes it even more interesting.

I discovered a number of things I don't like but was wondering what you thought about these - maybe I'm just pedantic? Among the most terrifying ones are:

- The installation script creates a user (default username = password) and grants select privileges on the dictionary to the new application user with grant option. This is not too great but not too difficult to harden.

- The installation script furthermore creates objects in the sys schema, namely

    create view foo as select * from someX$view

  This is disturbing for me.

- The owner of the application schema grants almost complete access on its schema to public. The rationale is that the application needs to allow a user logging into the database through the frontend access to its schema.

Now since the software is used for monitoring the health of a web application through the tiers - including Oracle - anyone with connect privileges could access these data...

Did anyone have a similar experience? What did you do?

Interested to hear comments!

Martin
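
Added example, not part of the original post: dictionary queries a reviewer could run after a test installation to enumerate the three findings above (re-grantable dictionary privileges, installer-created objects in SYS, and grants to PUBLIC). The schema name APPUSER and the installation date are placeholders, and the queries assume a session that can read the DBA_* views.

```sql
-- Assumptions (not from the post): APPUSER stands for the application
-- schema created by the installer; the DATE literal stands for the day
-- the installation script was run. Replace both before use.

-- 1a. SYS-owned objects the application user may select from AND re-grant
--     (GRANTABLE = 'YES' is the "with grant option" part).
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee   = 'APPUSER'
AND    owner     = 'SYS'
AND    grantable = 'YES'
ORDER  BY table_name, privilege;

-- 1b. Broader routes to the dictionary: the system privilege or the
--     catalog role, including whether they can be passed on.
SELECT grantee, privilege AS granted, admin_option
FROM   dba_sys_privs
WHERE  grantee   = 'APPUSER'
AND    privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee      = 'APPUSER'
AND    granted_role = 'SELECT_CATALOG_ROLE';

-- 2. Objects that appeared in the SYS schema on or after installation day.
--    Patches and upgrades also create SYS objects, so review each row
--    against the installation script rather than treating all as findings.
SELECT object_name, object_type, created, last_ddl_time
FROM   dba_objects
WHERE  owner   = 'SYS'
AND    created >= DATE '2000-01-01'   -- placeholder installation date
ORDER  BY created, object_name;

-- 3. Everything the application schema has granted to PUBLIC, i.e. what
--    any account with CREATE SESSION can reach.
SELECT table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner   = 'APPUSER'
AND    grantee = 'PUBLIC'
ORDER  BY table_name, privilege;
```

Saving the output of these queries before and after the installation gives a concrete diff to attach to the change request.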