Results 1 to 4 of 4

Thread: Rights errors

  1. #1
    Join Date
    Dec 2003
    Posts
    1,074

    Unanswered: Rights errors

    We're setting up developers in Oracle, and they'll be using TOAD to manage objects. We don't want to provide rights beyond that though.

    So far we've given them:
    GRANT ALTER ANY INDEX TO DEVELOPER_ROLE;
    GRANT ALTER ANY PROCEDURE TO DEVELOPER_ROLE;
    GRANT ALTER ANY SEQUENCE TO DEVELOPER_ROLE;
    GRANT ALTER ANY TABLE TO DEVELOPER_ROLE;
    GRANT ALTER ANY TRIGGER TO DEVELOPER_ROLE;

    GRANT CREATE ANY INDEX TO DEVELOPER_ROLE;
    GRANT CREATE ANY PROCEDURE TO DEVELOPER_ROLE;
    GRANT CREATE ANY SEQUENCE TO DEVELOPER_ROLE;
    GRANT CREATE ANY SYNONYM TO DEVELOPER_ROLE;
    GRANT CREATE ANY TABLE TO DEVELOPER_ROLE;
    GRANT CREATE ANY TRIGGER TO DEVELOPER_ROLE;
    GRANT CREATE ANY VIEW TO DEVELOPER_ROLE;

    GRANT DROP ANY INDEX TO DEVELOPER_ROLE;
    GRANT DROP ANY PROCEDURE TO DEVELOPER_ROLE;
    GRANT DROP ANY SEQUENCE TO DEVELOPER_ROLE;
    GRANT DROP ANY SYNONYM TO DEVELOPER_ROLE;
    GRANT DROP ANY TABLE TO DEVELOPER_ROLE;
    GRANT DROP ANY TRIGGER TO DEVELOPER_ROLE;
    GRANT DROP ANY VIEW TO DEVELOPER_ROLE;

    GRANT DELETE ANY TABLE TO DEVELOPER_ROLE;
    GRANT INSERT ANY TABLE TO DEVELOPER_ROLE;
    GRANT SELECT ANY TABLE TO DEVELOPER_ROLE;
    GRANT UPDATE ANY TABLE TO DEVELOPER_ROLE;

    GRANT ALTER SESSION TO DEVELOPER_ROLE;
    GRANT CREATE SESSION TO DEVELOPER_ROLE;
    GRANT DEBUG ANY PROCEDURE TO DEVELOPER_ROLE;


    When they try to perform certain actions, though, they receive error messages like the following:

    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 86
    ORA-06512: at "SYS.DBMS_PIPE", line 86
    ORA-06512: at "SYS.DBMS_PBRPH", line 86
    ORA-06512: at "SYS.DBMS_DEBUG", line 86

    With the DBA role, these errors don't occur, but it supplies more rights than we want these developers to have. How can I find out how to provide adequate rights to steer our users around these "SYS.DBMS_%" errors?

    -Chuck

  2. #2
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    Grant Execute On Dbms_pipe To <user>;
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  3. #3
    Join Date
    Dec 2003
    Posts
    1,074
    I know that there's a privilege 'EXECUTE ANY PROCEDURE', but I've read that you shouldn't provide this. Was that just an overly cautious suggestion? I think it'd take awhile to otherwise find all procedures and grant the appropriate rights.

    -cf

  4. #4
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    >I think it'd take awhile to otherwise find all procedures and grant the appropriate rights.

    With a Small Matter Of Programming (SMOP) it could be 100% automated.
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •