
I know it's not considered secure to grant the GRANT ANY ROLE privilege to other users apart from admins. But what if the user is expired & locked? In particular, I see these 2 users having this privilege: SPATIAL_CSW_ADMIN_USR and SPATIAL_WFS_ADMIN_USR.

ZygD
    That depends on what purpose these locked & expired accounts fulfill and who has the privileges to unlock and extend these accounts. – Philipp May 29 '15 at 09:10

1 Answer


Having such a setup is nonsense, unless this user owns some PL/SQL code. By default in Oracle, all code is invoked with the privileges of the owner. I think you should audit the user's stored PL/SQL code to answer your question.

Oracle's security model is not too handy. It is usually everything or nothing. So it is common that such a user (which can theoretically grant the DBA role to anybody) owns a stored procedure which contains a white-list of "safe" roles. And this procedure grants these roles when executed. Some other user has the right to execute this procedure. So if you want to have some "grained" security you have to implement it on your own.

ibre5041
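The audit suggested in the answer above could start with queries like these. This is an added example, not part of the original answer; it assumes a session that can read the `DBA_*` dictionary views and uses the two schema names from the question.

```sql
-- 1. Users holding GRANT ANY ROLE directly, with lock/expiry status.
--    (Joining to DBA_USERS leaves out roles that hold the privilege.)
SELECT p.grantee, p.admin_option, u.account_status
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.privilege = 'GRANT ANY ROLE'
ORDER  BY p.grantee;

-- 2. Definer-rights PL/SQL owned by the locked accounts. This code runs
--    with the owner's privileges even while the owner cannot log in.
SELECT DISTINCT owner, object_name, object_type, authid
FROM   dba_procedures
WHERE  owner IN ('SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR')
AND    authid = 'DEFINER'
ORDER  BY owner, object_name;

-- 3. Who is allowed to execute that code (users, roles or PUBLIC).
SELECT owner, table_name AS object_name, grantee, grantable
FROM   dba_tab_privs
WHERE  owner IN ('SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR')
AND    privilege = 'EXECUTE'
ORDER  BY owner, table_name, grantee;

-- 4. Source lines that issue grants or build dynamic SQL; review each hit
--    by hand. Wrapped (obfuscated) units will not match a text search.
SELECT owner, name, type, line, text
FROM   dba_source
WHERE  owner IN ('SPATIAL_CSW_ADMIN_USR', 'SPATIAL_WFS_ADMIN_USR')
AND    (   UPPER(text) LIKE '%GRANT %'
        OR UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
        OR UPPER(text) LIKE '%DBMS_SQL%')
ORDER  BY owner, name, line;
```

If query 2 returns rows and query 3 shows broad grantees such as `PUBLIC`, the lock on the account does not limit who can reach the privilege through that code.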