Menu
▾
▴
Re: [Gusdev-gusdev] insufficient privileges on Core.Algorithm_SQ sequence
|
From: Michael S. <msa...@pc...> - 2004-07-16 19:03:50
|
Hi Juan, I'd be slightly careful with this approach to GUS permissions-- as you've pointed out, you've effectively made GUSrw a pseudo-dba, who may manipulate any table-- public or private-- in the entire instance. I believe this also includes Oracle schemas, which is probably a pretty significant security risk. Here at CBIL, we've eliminated the GUSrw and GUSdevReadOnly accounts, choosing to use a combination of individual accounts, and roles. In this fashion, we grant (using the grantPermissions script, or custom PL/SQL scripts) SELECT, INSERT, UPDATE, DELETE on all tables, views, materialized views, and sequences (as appropriate) in the GUS schemas. We also grant REFERENCES as appropriate. These grants are against the roles, the roles are then granted to the users. We have a GUS_R (gus read) role, and a gus write role. One word of note: There are certain privileges which cannot be granted via roles. --Mike On Jul 16, 2004, at 2:23 PM, Juan Perin wrote: >> --This is to grant permission to the users >> >> GRANT CREATE SESSION TO GUSrw; >> GRANT CREATE TABLE TO GUSrw; >> GRANT CREATE VIEW TO GUSrw; >> GRANT CREATE SEQUENCE TO GUSrw; >> GRANT CREATE TRIGGER TO GUSrw; >> GRANT CREATE SYNONYM TO GUSrw; >> GRANT SELECT ANY TABLE TO GUSrw; >> GRANT INSERT ANY TABLE TO GUSrw; >> GRANT UPDATE ANY TABLE TO GUSrw; >> GRANT DELETE ANY TABLE TO GUSrw; >> GRANT CREATE SESSION TO GUSdevReadOnly; >> GRANT SELECT ANY TABLE TO GUSdevReadOnly; >> GRANT SELECT ANY TABLE TO GUSdevReadOnly; >> -------------------------------------------------- > > To the above list, we had to add the line: > > GRANT SELECT ANY SEQUENCE TO GUSrw; > > After doing this, the "ga +meta --commit" command worked properly. > > Should this have been necessary? Are other people just making GUSrw > into a > DBA or something to get around this? > > Thanks, > Juan & Kevin > > > > ------------------------------------------------------- > This SF.Net email is sponsored by BEA Weblogic Workshop > FREE Java Enterprise J2EE developer tools! > Get your free copy of BEA WebLogic Workshop 8.1 today. > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click > _______________________________________________ > Gusdev-gusdev mailing list > Gus...@li... > https://lists.sourceforge.net/lists/listinfo/gusdev-gusdev |
