While trying to figure out how to give our data modelers access to read any object, we came across this little caveat where they need "CREATE ANY TRIGGER" to see triggers in all_objects. Ironically, we can grant them "SELECT ANY DICTIONARY" and they can find the triggers from dba_objects, but since they are using a canned app that hardcodes all_objects, that was not happening. But, why would you have to have a relatively powerful system privilege just to see triggers? The relevant part of all_objects is: or ( o.type# in (12) /* trigger */ and exists (select null from v$enabledprivs where priv_number in ( -152 /* CREATE ANY TRIGGER */ ) ) ) What about priv_number 237 (SELECT ANY DICTIONARY)? Or any other innocuous priv? In doing some research, I came across David Litchfield's paper on security: http://securityvulns.com/files/ohh-indirect-privilege-escalation.pdf Also, Pete Finigans: http://www.pentest.co.uk/documents/oracle-security.htm I appreciated Alex Gorbachev's take on the fiasco with SYS and authid as well: http://www.pythian.com/blogs/352/calling-definer-rights-procedure-as-sysdba-security-hole I am sure the issue with all_objects has been addressed, but googling for specific information is like finding a needle in a haystack. -- Charles Schultz