||Oracle Tips by Burleson
Chapter 2 Introducti
to Oracle Security
Let's ponder over a question here. Sue is driving
a car owned by Mr. Smith, and he has given her permission to do so.
Should she carry her own driver's license?
While we deliberate over the question, she
zooms off to the drug store; but in her excitement, she races the
car at 80 miles per hour! And within no time, there is a police
officer right behind her with flashing lights.
When Sue gets the ticket for speeding, who do
you think the ticket should go to - her or Mr. Smith? You might
argue - why Mr. Smith? He was not driving, Sue was. Therefore, she
should receive the ticket, and she did. What would have happened if
she had told the officer that Mr. Smith owns the car, and he should
be responsible for the speeding violation? The officer probably
would have laughed.
This is an important concept to understand.
Although Mr. Smith owns the means of delivery, and he gives Sue
permission to operate the means of delivery, Sue carries out the
operation and is responsible for actions like speeding. In a
database application, a similar question also arises. Security
procedures might dictate that all applications in the form of stored
procedures and packages be owned by a secure user, and that execute
permissions only be granted to the other users who might need them.
However, the stored procedure should update the tables only when the
application users have privileges to update them.
Perhaps an example will
help illustrate the concept better. Take the example of the
procedure update_claim_amount above, but assume it is owned by
The above text is
an excerpt from:
Oracle Privacy Security Auditing
Final Word on Oracle Security
This is the only authoritative
book on Oracle Security, Oracle Privacy, and Oracle Auditing written
by two of the world’s leading Oracle Security experts.
This indispensable book is only
and has an
immediate download of working security scripts: