Comments on Radio Free Tooting: Don't only CONNECT
APC
Updated 2023-11-05T00:48:20.985-07:00

Don, 2007-07-11T11:19:00.000-07:00

Yeah this is just in 10gR2, as <A HREF="http://ora.seiler.us/2007/02/role-showdown-connect-vs-resource.html" REL="nofollow">I blogged about earlier</A>. I wasn't aware that CONNECT was deprecated though, thanks for the tip!

Anonymous, 2007-07-11T03:04:00.000-07:00

Hi All,

I think the key message is that CONNECT was not intended for use originally but was used extensively by Oracle and customers. I audit a lot of databases and everyone uses it.

The key principle to use is the "least privilege" principle. It's pointless to discuss grants via roles, direct, ddl, dml etc. Each site is different and each site therefore requires privileges and grants designing for that site.

cheers

Pete

APC, 2007-07-11T01:09:00.000-07:00

>> you surely mean in 10gR2 ;-)

Thanks for the precision Laurent. As I'm still on lame old 9i I am not up to speed with when things were introduced in 10g.

Cheers, APC

APC, 2007-07-11T01:08:00.000-07:00

>> Generally DDL privileges shouldn't
>> need to be used in stored procedures

It's the "generally" bit. I agree that DDL is not the norm in application programs. However, sometimes it is necessary.

Also developers need to write programs which are not part of a proper application; for instance a "test data cleardown" routine which drives off the ALL_TABLES view and generates TRUNCATE table statements for a schema (or schemas). Now yes I could spool out the results to a script and then run that in SQL*Plus, but using EXECUTE IMMEDIATE in a PL/SQL loop is so much less pfaffing about. Also consider tools like UTLPLSQL, which works by building tables on the fly.

Of course, developers are only allowed to do such stuff in the development DB. And I work in an environment where everybody has their own instance, so the risks are minimal. But with a different setup you may want to play by different rules. Especially if you don't trust your developers.

Cheers, APC

SydOracle, 2007-07-10T15:50:00.000-07:00

"Also, developers ought to have the privileges granted to their accounts directly, so that they can build stored procedures on those privileges."
I don't have a problem with this for DML privileges (including EXECUTE), even ALTER SESSION. Generally DDL privileges shouldn't need to be used in stored procedures so a role based privilege should be fine.

Anonymous, 2007-07-10T09:40:00.000-07:00

you surely mean in <A HREF="http://download.oracle.com/docs/cd/B19306_01/readmes.102/b14233/toc.htm#sthref27" REL="nofollow">10gR2</A> ;-)