
Another 11gr2 oddity...


Noons

Jun 26, 2012, 8:35:12 PM
11.2.0.3 upgraded from 10.2.0.3 via standard dbua:

SQL> select * from dba_sys_privs
  2  where grantee = 'RESOURCE';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE TABLE                             NO
RESOURCE                       CREATE INDEXTYPE                         NO
RESOURCE                       CREATE OPERATOR                          NO

Original 10.2.0.3:

SQL> select * from dba_sys_privs
  2  where grantee = 'RESOURCE';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE VIEW                              NO
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE TABLE                             NO
RESOURCE                       CREATE INDEXTYPE                         NO
RESOURCE                       CREATE OPERATOR                          NO


Notice anything missing in the 11.2.0.3 resource role after the
upgrade?
Ah yes, it's a "feature". Like, the size of a bus?
(...patience, Nuno, patience...)

Matthias Hoys

Jun 27, 2012, 7:07:24 AM
It's strange that they took only the CREATE VIEW privilege away... is this some kind of security measure?

Matthias

ddf

Jun 27, 2012, 11:59:27 AM

For a long time now Oracle has hinted that RESOURCE was not the role
to be granting to people and that explicit grants or other roles
should be used. I suppose this is one way to prod people into
creating their own general-purpose roles for basic privileges.


David Fitzjarrell
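
One way to act on the advice in the post above, as an added example that is not part of the original thread: find the accounts that relied on RESOURCE for CREATE VIEW, then move them to a site-owned role. The names APP_DEVELOPER and APP_OWNER and the chosen privilege list are assumptions.

```sql
-- Added example. APP_DEVELOPER and APP_OWNER are hypothetical names.

-- 1. Accounts that were granted RESOURCE, own at least one view, and hold
--    CREATE VIEW through no other path (a direct grant or another role
--    granted straight to the account; nested roles are not followed).
--    These are the schemas that lose CREATE VIEW in the upgrade.
SELECT rp.grantee,
       COUNT(v.view_name) AS views_owned
FROM   dba_role_privs rp
       JOIN dba_views v ON v.owner = rp.grantee
WHERE  rp.granted_role = 'RESOURCE'
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_sys_privs sp
         WHERE  sp.privilege IN ('CREATE VIEW', 'CREATE ANY VIEW')
         AND   (sp.grantee = rp.grantee
                OR sp.grantee IN (SELECT r2.granted_role
                                  FROM   dba_role_privs r2
                                  WHERE  r2.grantee = rp.grantee
                                  AND    r2.granted_role <> 'RESOURCE')))
GROUP  BY rp.grantee
ORDER  BY rp.grantee;

-- 2. A site-owned role listing only what the application needs, so a
--    later change to an Oracle-supplied role cannot alter it.
--    The privilege list here is an assumption; trim it per application.
CREATE ROLE app_developer;
GRANT CREATE TABLE, CREATE VIEW, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE TRIGGER
TO    app_developer;

-- 3. Move an affected account onto it. Revoke RESOURCE only after
--    checking the account's tablespace quotas.
GRANT app_developer TO app_owner;

-- 4. Confirm the role's contents, as in the queries from the first post.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APP_DEVELOPER'
ORDER  BY privilege;
```

Because the first query excludes RESOURCE itself from the alternative paths, it returns the same accounts whether it is run on the 10.2.0.3 source before the upgrade or on 11.2.0.3 afterwards.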

Mark D Powell

Jun 27, 2012, 4:17:03 PM
I wish Oracle had treated the role the same way connect was treated, i.e., remove all privileges except create session.

IMHO -- Mark D Powell --

John Hurley

Jun 27, 2012, 8:09:29 PM
David:

# For a long time now Oracle has hinted that RESOURCE was not the role
# to be granting to people and that explicit grants or other roles
# should be used.

Bingo ... long time back ... still does not stop one from being
surprised when they finally do something though.

# I suppose this is one way to prod people into creating their own
# general-purpose roles for basic privileges.

One could and probably should hypothesize that all user sessions
connecting into the database only be granted roles that do not depend
on any of the oracle created roles.

One could and probably should also contend that DBA and SYSDBA roles
are so unique that granting access to those roles is an exception.

Mladen Gogala

Jun 27, 2012, 11:17:55 PM
On Tue, 26 Jun 2012 17:35:12 -0700, Noons wrote:


> Notice anything missing in the 11.2.0.3 resource role after the upgrade?

Who needs views? Views are sooooo 20-th century, we live in the 21st
century. Real men use computed virtual columns, not views.



--
http://mgogala.byethost5.com

Noons

Jun 28, 2012, 8:06:48 AM
ddf wrote, on my timestamp of 28/06/2012 1:59 AM:

>
> For a long time now Oracle has hinted that RESOURCE was not the role
> to be granting to people and that explicit grants or other roles
> should be used. I suppose this is one way to prod people into
> creating their own general-purpose roles for basic privileges.

Sure. But last time I looked, it's listed as a valid role in various of their
own manuals. I don't give a hoot about "hints" until they make a show in the
doco, black on white. Or else we might all start carrying weapons?
This is just SLACK QA, quite frankly. And don't anyone please mention "doco
error": that one is a classic...


Noons

Jun 28, 2012, 8:07:48 AM
Mladen Gogala wrote, on my timestamp of 28/06/2012 1:17 PM:
> On Tue, 26 Jun 2012 17:35:12 -0700, Noons wrote:
>
>
>> Notice anything missing in the 11.2.0.3 resource role after the upgrade?
>
> Who needs views? Views are sooooo 20-th century, we live in the 21st
> century. Real men use computed virtual columns, not views.

Hehehe! Good one. Dang, I forgot!


Noons

Jun 28, 2012, 8:10:23 AM
Mark D Powell wrote, on my timestamp of 28/06/2012 6:17 AM:

>
> I wish Oracle had treated the role the same way connect was treated, i.e., remove all privileges except create session.

Why mangle it then? Either be done with it, remove it from doco, and make an
OFFICIAL note that it MUST not be used, or else stop the bull that it's somehow
the dba's fault that Oracle don't know how to handle their own default security.

