02-24-2008, 01:48 PM
DA Morgan
 
Re: CONNECT Role Privileges

Holger Baer wrote:

> Well finally.


My feeling exactly.

> Developers will have to learn what roles are about. Are there
> any changes to resource as well or are the removed privileges silently
> added to the resource role?


To the best of my knowledge no change was made to RESOURCE although I
made a plea for that change in 10gR3 should there be one. And if not 10gR3
in 11. The security risk created by these three default roles exceeds
any possible value they might contain.

> You know, people insist in grant connect, resource to myuser, and the
> Oracle Documentation sets some really bad examples (why the hell should
> the RMAN catalog owner get resource and connect on top of
> recovery_catalog_owner, as the
> 10g RMAN Reference suggests?).
>
> But still good to know.
>
> Holger


I am hopeful that Sarbanes-Oxley, HIPAA, and the obvious threat of laws
and litigation related to data theft will lead Oracle to tighten up some
of the default install practices.

With 10g they finally got around to killing CHANGE_ON_INSTALL. I would
very much like to see these roles pounded into dust too. And then the
next item on my list will be a change so that when Oracle installs the
default will be resource_limit = TRUE and the default profile will
include the VERIFY_FUNCTION function as well as limitations on password
expiration, password reuse, etc.

Oracle is already more secure than its competition out of the box. That
does not mean best practices shouldn't be the default.
--
Daniel A. Morgan
http://www.psoug.org
damorgan@x.washington.edu
(replace x with u to respond)
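The post argues that CONNECT/RESOURCE should not be handed out by default and that the shipped profile should enforce VERIFY_FUNCTION and password limits. The following is an added example, not code from the thread or from Oracle's documentation: it audits what those roles carry and who holds them on your release, then defines a hardened profile. It assumes a DBA session on Oracle 10g/11g; the profile name app_user_profile, the limit values and the grants to myuser are assumptions to adapt.

```sql
-- Added example (not from the thread). Assumes a DBA session; app_user_profile,
-- the limit values and the myuser grants are placeholders to adapt.

-- 1. What system privileges do CONNECT and RESOURCE actually carry on this release?
SELECT grantee AS role_name, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('CONNECT', 'RESOURCE')
 ORDER BY grantee, privilege;

-- 2. Which accounts were granted them (and whether as a default role)?
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('CONNECT', 'RESOURCE')
 ORDER BY grantee, granted_role;

-- 3. Accounts still on the shipped DEFAULT profile (unlimited password life/reuse
--    unless DEFAULT itself has been altered).
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'DEFAULT'
 ORDER BY username;

-- 4. Load Oracle's sample complexity function. On 10g this script creates
--    VERIFY_FUNCTION (the name the post refers to) and also alters DEFAULT.
@?/rdbms/admin/utlpwdmg.sql

-- 5. A profile that enforces complexity, expiration, reuse and lockout.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1        -- days
  PASSWORD_LIFE_TIME       90       -- days
  PASSWORD_GRACE_TIME      7        -- days
  PASSWORD_REUSE_TIME      365      -- days before a password may be reused
  PASSWORD_REUSE_MAX       10       -- changes before a password may be reused
  PASSWORD_VERIFY_FUNCTION verify_function
  SESSIONS_PER_USER        5;

-- 6. Password limits are enforced regardless; resource_limit must be TRUE for
--    the resource limits (SESSIONS_PER_USER etc.) to take effect.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 7. Replace the blanket "grant connect, resource" with explicit least privilege.
--    Granting RESOURCE also grants UNLIMITED TABLESPACE as a separate privilege,
--    so revoke it explicitly and give a quota instead.
ALTER USER myuser PROFILE app_user_profile;
REVOKE connect, resource FROM myuser;
REVOKE UNLIMITED TABLESPACE FROM myuser;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE TO myuser;
ALTER USER myuser QUOTA 100M ON users;
```

Run step 1 before and after an upgrade to see exactly which privileges a release removed from CONNECT, rather than relying on the release notes.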