Paul,

You said it best! Easier is not better. Only grant those privs exactly needed by the application. “Public” should only be used by Oracle products – never by applications.

The cardinal rule of database security:

Tom
From: oracle-l-bounce@freelists.org [mailto:oracle-l-bounce@freelists.org] On Behalf Of Baumgartel, Paul

Argh! "Easier"? Why not give everyone DBA privileges, then you never have to worry about grants!

Tell the other DBA that regardless of the fact that they're GTTs, privileges should be granted only as needed. Period.

Paul Baumgartel
From: oracle-l-bounce@freelists.org [mailto:oracle-l-bounce@freelists.org] On Behalf Of Sam Bootsma

Hello All,

Our Developers are creating Global Temporary tables then granting select, update, delete, and insert privileges to PUBLIC. These global temporary tables will contain sensitive HR data. I realize the data is only visible to the current session, but I still don't like having all privileges granted to PUBLIC.

Can anybody tell me if there is a credible security risk to granting these tables to PUBLIC? For example, due to an Oracle bug or hacking? Or are there other disadvantages to granting everything to PUBLIC? Or is it standard practice to grant these tables to public?

I would like to grant access only to users that will need the table, but the other DBA prefers to grant PUBLIC, because it is easier.

Thanks for any comments!

Sam Bootsma
Oracle Database Administrator
Phone: 416-415-5000 x4933
Sent: Thursday, May 17, 2007 4:55 PM
To: 'sbootsma@georgebrown.ca'; oracle-l@freelists.org
Subject: RE: Global temporary table security
CREDIT SUISSE
Information Technology
Securities Processing Databases Americas
One Madison Avenue
New York, NY 10010
USA
Phone 212.538.1143
paul.baumgartel@credit-suisse.com
www.credit-suisse.com
Sent: Thursday, May 17, 2007 4:21 PM
To: oracle-l@freelists.org
Subject: Global temporary table security
Fax: 416-415-4836
E-mail: sbootsma@georgebrown.ca
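
Added example, not part of the original thread: Oracle SQL that audits global temporary tables granted to PUBLIC and replaces such a grant with a role given only to the accounts that need the table. The schema HR_APP, table HR_PAYROLL_GTT, role HR_PAYROLL_RW and user HR_BATCH_USER are hypothetical names; the statements assume a session that can read the DBA_ views and manage grants on the table.

```sql
-- Added example: HR_APP, HR_PAYROLL_GTT, HR_PAYROLL_RW and HR_BATCH_USER
-- are hypothetical names, not taken from the thread.

-- 1. Audit: every global temporary table with object privileges granted to PUBLIC.
SELECT p.owner, p.table_name, p.privilege, p.grantor, p.grantable
FROM   dba_tab_privs p
JOIN   dba_tables    t
       ON  t.owner      = p.owner
       AND t.table_name = p.table_name
WHERE  p.grantee   = 'PUBLIC'
AND    t.temporary = 'Y'
ORDER  BY p.owner, p.table_name, p.privilege;

-- 2. The pattern described in the question: full DML on the GTT for every account.
CREATE GLOBAL TEMPORARY TABLE hr_app.hr_payroll_gtt (
    employee_id NUMBER       NOT NULL,
    salary      NUMBER(12,2)
) ON COMMIT DELETE ROWS;

GRANT SELECT, INSERT, UPDATE, DELETE ON hr_app.hr_payroll_gtt TO PUBLIC;

-- 3. Least-privilege replacement: remove the PUBLIC grant, then grant through
--    a role that only the accounts needing the table receive.
REVOKE SELECT, INSERT, UPDATE, DELETE ON hr_app.hr_payroll_gtt FROM PUBLIC;

CREATE ROLE hr_payroll_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr_app.hr_payroll_gtt TO hr_payroll_rw;
GRANT hr_payroll_rw TO hr_batch_user;

-- Privileges received through a role are not active inside definer's-rights
-- stored PL/SQL; an account that owns such code needs a direct grant instead:
-- GRANT SELECT, INSERT, UPDATE, DELETE ON hr_app.hr_payroll_gtt TO hr_batch_user;

-- 4. Verify: PUBLIC should no longer appear among the grantees.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'HR_APP'
AND    table_name = 'HR_PAYROLL_GTT'
ORDER  BY grantee, privilege;
```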