Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> The CONNECT role has finally been made safe
(Message started by: Pete Finnigan on Aug 6th, 2005, 11:10pm)

Title: The CONNECT role has finally been made safe
Post by Pete Finnigan on Aug 6th, 2005, 11:10pm
I saw last night in Niall's blog that the CONNECT role has finally been made safe in 10gR2 by having all the extra privileges removed as it now only has CREATE SESSION privilege.

I have been advocating change to this role for years along with many others. I would guess that this change will break many applications, as in most Oracle databases I see a large percentage of users have been granted this role. I always advise revoking it and creating a new role with just CREATE SESSION or granting just CREATE SESSION directly.

What does everyone else feel about this change, welcome with open arms or is the old workaround sufficient or will you have breaking applications?

cheers

Pete
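
The workaround described in the post above, sketched as an added example (not part of the original thread): audit what CONNECT carries and who holds it, then swap in a role with only CREATE SESSION. The role name `app_connect` and the user `app_user` are hypothetical placeholders; run as a user with access to the DBA_* views.

```sql
-- 1. What does CONNECT carry in this database?
--    In 10gR2 and later this should return only CREATE SESSION.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Which users and roles have been granted CONNECT?
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'CONNECT'
ORDER  BY grantee;

-- 3. Which of those grantees own objects? A schema that owns objects may
--    have relied on the extra CREATE privileges and needs testing before
--    the role is revoked or the database is upgraded. An empty result for
--    a grantee does not prove it is safe: privileges that leave no objects
--    behind do not show up here.
SELECT rp.grantee, o.object_type, COUNT(*) AS objects_owned
FROM   dba_role_privs rp
JOIN   dba_objects o ON o.owner = rp.grantee
WHERE  rp.granted_role = 'CONNECT'
GROUP  BY rp.grantee, o.object_type
ORDER  BY rp.grantee, o.object_type;

-- 4. Replace CONNECT with a role that only allows logging on.
--    app_connect and app_user are hypothetical names.
CREATE ROLE app_connect;
GRANT CREATE SESSION TO app_connect;

GRANT app_connect TO app_user;
REVOKE CONNECT FROM app_user;

-- 5. Confirm the user no longer holds CONNECT.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'APP_USER';
```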

Title: Re: The CONNECT role has finally been made safe
Post by Pete Finnigan on Nov 2nd, 2005, 5:39pm
Pete

I welcome the change.  One can only hope that users will adequately test applications before production upgrade to 10g.

Oracle should stop re-creating and supporting the roles CONNECT, RESOURCE, DBA and others.  That's the best (and sometimes the only) way to encourage everyone to think about least privilege.

Regards

George

Title: Re: The CONNECT role has finally been made safe
Post by Pete Finnigan on Nov 9th, 2005, 10:28am
I think the term "Finally!!!" comes to mind.

I am afraid, like all security issues though, the changes only come into effect when a company can see that it is affecting the commercial value and reputation of the company.

It is ironic that Oracle have finally stood up and accepted that there are a number of issues publicly.

Last week's UK conference finally had mainstream sessions on security, most supplied by Oracle staff.

As both Peter and I have presented papers in the past there in small back rooms, which were often only begrudgingly accepted by UKOUG and Oracle, it is good to see that the issues are being discussed more openly now.

Regards

Kevin Else

Title: Re: The CONNECT role has finally been made safe
Post by Pete Finnigan on Nov 9th, 2005, 12:23pm
Hi Kev,

I agree with your sentiments. I was at UKOUG last week as a volunteer and also attended quite a few presentations. There were some big ones in reasonably sized rooms but no specific security talks in the main halls. Also you are correct Kev, most of the security talks were done by Oracle personnel.

This will change for the better. I had conversations with a few UKOUG people who were keen to have me talk there next year. I hope that we can get some security specific talks there and also in the main halls. I talked to Dan Morgan who told me that the PSOUG conference next year will have a security theme and also I am going to be talking at the DBMS SIG in December for Graham Gilbert and also at the Unix SIG in January for Dave Kurtz. I noticed today that there is in fact another security talk at the DBMS SIG.

I think times are changing and security will get much more focus in coming months and years.

cheers

Pete


