Password for sys, system account - Uncooperative client

2005-06-09       - By Ken Naim

The middle ground here seems very simple. Ask for access to the list of
v$views that you require.

Ken Naim

-----Original Message-----
From: oracle-l-bounce@(protected) [mailto:oracle-l-bounce@(protected)]
On Behalf Of Reidy, Ron
Sent: Thursday, June 09, 2005 1:31 PM
To: John P Weatherman; oracle-l@(protected)
Subject: RE: Password for sys, system account - Uncooperative client

Sorry for getting back to this one so late...

The issue is select any dictionary overrides the
O7_dictionary_accessibility parameter.  It gives access to (among
others):

1.  LINK$ - passwords in clear text
2.  DBA_USERS - access to the password hash. Admittedly, not easy/possible
to crack, but access is given nonetheless.

Regardless of what OEM requires/demands, this privilege is not one to
grant lightly.  Actually, if one looks closely, use of this privilege in
OEM looks to be the lazy way of granting access to the objects for the
application to work properly.

My $0.02

-- ---- ---- ----
Ron Reidy
Lead DBA
Array BioPharma, Inc.


-----Original Message-----
From: John P Weatherman [mailto:asahoshi@(protected)]
Sent: Thursday, June 09, 2005 9:36 AM
To: Reidy, Ron; oracle-l@(protected)
Subject: RE: Password for sys, system account - Uncooperative client


Ron,

I read the article and see where it says not to grant it, but I do not see
anything about it "subverting" anything.  Rather it seems to be a concern
that this may be more privilege than is needed and so violates
the "least privilege principle".   I wouldn't want to generally grant
this or any "ANY" privilege, but I still do not see a specific risk to
granting admins/consultant admins this level of view privilege.  Are you
able to use this to 1) see actual company data and not just the dictionary
views or 2) update anything?  If not, what is the specific concern?  What
am I missing?

Thanks!

-----Original Message-----
From: "Reidy, Ron" <Ron.Reidy@(protected)>
Sent: Jun 9, 2005 10:59 AM
To: asahoshi@(protected), oracle-l@(protected)
Subject: RE: Password for sys, system account - Uncooperative client

Because it subverts a security setting.  See
http://www.petefinnigan.com/weblog/archives/00000009.htm

-- ---- ---- ----
Ron Reidy
Lead DBA
Array BioPharma, Inc.


-----Original Message-----
From: oracle-l-bounce@(protected)
[mailto:oracle-l-bounce@(protected)]On Behalf Of John P Weatherman
Sent: Thursday, June 09, 2005 8:54 AM
To: oracle-l@(protected)
Subject: RE: Password for sys, system account - Uncooperative client


While I totally agree that sys and system don't need to be given to anyone
other than the primary DBA and then sealed in an envelope hidden away in a
safe, I am not so clear on why granting select any dictionary is as big a
concern.  As far as I know, this only allows view access to the data
dictionary, which pretty much anyone doing any tuning or monitoring
probably needs.  Even OEM assumes a non-sys/non-system account with this
level of privilege which is used for monitoring.  Is there a specific
reason not to let people have select any dictionary?

Just curious.

-----Original Message-----
From: "Goulet, Dick" <DGoulet@(protected)>
Sent: Jun 9, 2005 10:35 AM
To: ranko.mosic@(protected), oracle-l@(protected)
Subject: RE: Password for sys, system account - Uncooperative client

Assuming that you made the request of the client using the same tone as
here, I'm not surprised.  Why do you need an account with such privileges?
In general NO one outside of the DBA group here has access to SYS or SYSTEM,
including internal folks.

Dick Goulet
Senior Oracle DBA
Vicor Corporation
Andover, MA USA

-----Original Message-----
From: oracle-l-bounce@(protected)
[mailto:oracle-l-bounce@(protected)] On Behalf Of Ranko Mosic
Sent: Thursday, June 09, 2005 10:27 AM
To: oracle-l@(protected)
Subject: Password for sys, system account - Uncooperative client

Hi all,
I need password for account with select dictionary privileges - client
is not too cooperative.

Regards, Ranko.
--
http://www.freelists.org/webpage/oracle-l


-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
He has showed you, O man, what is good.  And what does the LORD require
of you?  To do justice and to love mercy and to walk humbly with your
God. Micah 6:8

This electronic message transmission is a PRIVATE communication which
contains information which may be confidential or privileged. The
information is intended to be for the use of the individual or entity
named above. If you are not the intended recipient, please be aware
that any disclosure, copying, distribution or use of the contents of
this information is prohibited. Please notify the sender of the delivery
error by replying to this message, or notify us by telephone
(877-633-2436, ext. 0), and then delete it from your system.
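
The middle ground suggested at the top of this thread (grant only the v$ views that are actually needed, instead of SELECT ANY DICTIONARY) can be laid out as follows. This is an added example, not part of any message in the thread; the role MONITOR_RO, the account MONITOR_USER and the list of views are assumptions chosen for illustration.

```sql
-- Added example. MONITOR_RO and MONITOR_USER are hypothetical names;
-- the V_$ views granted below are a constructed sample list.
-- Run as a DBA account able to grant on SYS-owned objects.

-- 1. Who holds SELECT ANY DICTIONARY directly (users and roles)?
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
ORDER  BY grantee;

-- 2. Who inherits it through one of those roles?
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
WHERE  rp.granted_role IN (SELECT grantee
                           FROM   dba_sys_privs
                           WHERE  privilege = 'SELECT ANY DICTIONARY')
ORDER  BY rp.grantee;

-- 3. Current value of the dictionary protection parameter from the thread.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Build a role that carries only the views the monitoring work needs.
--    V$SESSION etc. are public synonyms; object grants must name the
--    underlying SYS.V_$ views.
CREATE ROLE monitor_ro;
GRANT SELECT ON sys.v_$session      TO monitor_ro;
GRANT SELECT ON sys.v_$sysstat      TO monitor_ro;
GRANT SELECT ON sys.v_$system_event TO monitor_ro;
GRANT SELECT ON sys.v_$sql          TO monitor_ro;
GRANT monitor_ro TO monitor_user;

-- 5. Remove the broad privilege from the account.
--    Raises ORA-01952 if it was not granted directly; in that case
--    revoke the role found in step 2 instead.
REVOKE SELECT ANY DICTIONARY FROM monitor_user;

-- 6. Verify what the role can read, and that LINK$ and DBA_USERS
--    are not among the rows returned.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'MONITOR_RO'
ORDER  BY owner, table_name;
```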