Wednesday, 3 February 2016

cript

We have an requirement to replicate/duplicate an e...... Ameen Ali
Hello Michel, Creating a user like another o...... Bruno Vroman

Subject: Script to extract available grants of a user and grant the
same to a new user.
OS info: Linux
Oracle info: 11.2.0.3
Message: We have a requirement to replicate/duplicate an existing
Oracle user called USERA and grant the permissions to a user called USERB.
The script/method should be able to extract all the existing grants of
USERA and grant all privileges (insert, delete, update, execute...) of his
objects (tables, views, procedures, packages, functions, db links, etc.)
to USERB.
At the end, USERB should be able to do all that USERA can do.
Pls. help....
Kind Regards


Subject: Re: Script to extract available grants of a user and grant the
same to a new user.
Message:
The simplest way is to download TOAD, it contains the command to do
this.
But, as a matter of security, creating a user like another one should
NEVER exist. You SHOULD create a user using a specific profile (and so
script), clearly and in detail specified in an application and
security document.
Creating a user like another one is a lazy approach to the subject and
laziness is the root of security breaches.
Regards
Michel


Subject: Re: Script to extract available grants of a user and grant the
same to a new user.
Message: Hello Michel,
"Creating a user like another one is a lazy approach of the subject and
laziness is the root of security breach."
Well, not only laziness... Believe it or not but we have an old
application for which there has been no real "application administrator"
for several "generations": one day the last guy knowing the appli left
and another guy was "promoted <Mr. this_appli>" with a minimal
hand-over; later he left also and a third guy inherited the appli,
then a fourth one... now it must be number 5 or 6 but anyway the guy is
doing something else and can't answer any question about the
application, like his predecessor and like the previous one...
But still the application is in use (no maintenance/new releases of
course). Well, this stated, I come to the point.
When we hire a new employee who has to use the application, we DBAs have
to create an Oracle account and to grant application roles. But nobody
knows what these roles are, so it is useless to ask the business
people "Which roles have to be granted?" Hence the "create new user"
procedure has been adapted and the "official way" is to request things
like "please create an account for X by providing the same profile as
the one of Y".
Then we look at the roles of Y and provide the same to X - indeed,
sometimes with surprises, because it happens that we are asked "please create
an account for X with same profile as Y and Z" and of course Y and Z
have different profiles and this confuses the requestor ;-)
((so this at least confirms that "copying a user" is not the most
secure thing to do))
Best regards,
Bruno Vroman.
P.S.: BTW Ameen, don't forget the roles in addition to the direct
grants
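
The review step the replies argue for, as an added example that is not part of any post in this thread: an inventory of what USERA actually holds, including roles reached through other roles, so the list can be checked and documented before anything is granted to USERB. It assumes a session allowed to read the DBA_* dictionary views; USERA is the account name from the first message.

```sql
-- Added example, not from the thread. Assumes SELECT access to the DBA_* views.
-- Step 1: USERA plus every role reachable through role-to-role grants.
WITH holders AS (
  SELECT 'USERA' AS grantee FROM dual
  UNION
  SELECT granted_role
  FROM   dba_role_privs
  START  WITH grantee = 'USERA'
  CONNECT BY PRIOR granted_role = grantee
)
-- Step 2: everything held directly or through one of those roles.
SELECT 'ROLE'   AS kind,
       grantee  AS held_by,
       granted_role AS privilege,
       CAST(NULL AS VARCHAR2(100)) AS on_object,
       admin_option AS can_pass_on      -- YES = holder may grant it onward
FROM   dba_role_privs
WHERE  grantee IN (SELECT grantee FROM holders)
UNION ALL
SELECT 'SYSTEM', grantee, privilege, NULL, admin_option
FROM   dba_sys_privs
WHERE  grantee IN (SELECT grantee FROM holders)
UNION ALL
SELECT 'OBJECT', grantee, privilege, owner || '.' || table_name, grantable
FROM   dba_tab_privs
WHERE  grantee IN (SELECT grantee FROM holders)
ORDER  BY 1, 2, 3;

-- Step 3: objects USERA owns. Ownership rights are implicit and appear in
-- none of the views above, so a copy of the grants alone does not give
-- USERB access to them; each one needs an explicit, reviewed decision.
SELECT object_type, COUNT(*) AS objects_owned
FROM   dba_objects
WHERE  owner = 'USERA'
GROUP  BY object_type
ORDER  BY object_type;
```

Rows with can_pass_on = YES and any broad system privileges are the ones to question first; column-level grants live in DBA_COL_PRIVS and are not covered by this query.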



