||Oracle Tips by Burleson
Chapter 4 General Oracle Security
Oracle provides several roles that are built into
the database. Some of them are DBA, RESOURCE, and CONNECT. Most DBAs
use them to make their tasks easier and simpler, but each of them is
a security nightmare.
Let's examine RESOURCE. This is generally given
to schema owners. Did you know that it has UNLIMITED TABLESPACE
system privilege, making it able to create any table anywhere in the
database – including the SYSTEM tablespace? Obviously, this is not
what you want. You would want to restrict the tablespaces to
specific users only.
Similarly the role CONNECT, by default, has the
CREATE TABLE/SEQUENCE/SYNONYM and a few more options. The name
CONNECT somehow conveys the impression of the ability to connect
only, not anything else. As you can see, however, the ability is
much more than that. Another privilege, ALTER SESSION system
privilege, allows the grantee to issue sql_trace = TRUE in their
session. This can have far reaching consequences.
Therefore, it is not prudent to use built-in
roles. Rather, identify the privileges users will need, put them in
the appropriate roles which you have created, and use them to
If possible, try not to use the Oracle built-in
roles like RESOURCE and CONNECT. Create your own roles.
discussed this topic in the introduction. Although this is not used
much, object masquerading
The above text is
an excerpt from:
Oracle Privacy Security Auditing
Final Word on Oracle Security
This is the only authoritative
book on Oracle Security, Oracle Privacy, and Oracle Auditing written
by two of the world’s leading Oracle Security experts.
This indispensable book is only
and has an
immediate download of working security scripts: