A couple of other reasons for this approach:

When you create a DAD in Oracle Application Server, you can choose to store
the password in the config file.  On version 3.02 it is in unencrypted form
and is optional.  On 4.x it's encrypted and mandatory (unless you cheat and
remove the password entry once you create the DAD).  This permits you to
change the password on the schema owner without having to change your DAD,
especially important if your destination database is not owned by you!  We
normally define a schema and a secondary account like data and data_pub.  We
give data_pub all of the data manipulation rights to the data schema.  Very
safe.

If you let others create database links to your database it is nice to avoid
giving them the password to your schema.  Since you can see the password
unencrypted on their end after the database link is created this is
especially dangerous.

I would love to see this become standard practice.  Once something goes into
production there should not be that much DDL affecting the original schema
anyway.  We generally create all of the packages in the original schema and
grant execute to the public schema.

Hope this helps.

--Michael
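
The owner/secondary-account layout described in this message, written out as Oracle SQL. This is an added example, not part of the original thread: the account names data and data_pub come from the message, while the table, package, link name, connect string and passwords are constructed placeholders. It assumes a DBA session and a tablespace named users.

```sql
-- Constructed example; run as a DBA. All object names except the two
-- accounts (data, data_pub) are placeholders, as are the passwords.

-- 1. Owner schema: holds the objects, is not used for day-to-day logins.
CREATE USER data IDENTIFIED BY "owner_pw_placeholder"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;

CREATE TABLE data.orders (
  order_id  NUMBER        PRIMARY KEY,
  customer  VARCHAR2(100) NOT NULL,
  amount    NUMBER(12,2)
);

-- Packages live in the owner schema and run with the owner's rights.
CREATE OR REPLACE PACKAGE data.order_api AS
  PROCEDURE add_order(p_id NUMBER, p_customer VARCHAR2, p_amount NUMBER);
END order_api;
/
CREATE OR REPLACE PACKAGE BODY data.order_api AS
  PROCEDURE add_order(p_id NUMBER, p_customer VARCHAR2, p_amount NUMBER) IS
  BEGIN
    INSERT INTO data.orders (order_id, customer, amount)
    VALUES (p_id, p_customer, p_amount);
  END add_order;
END order_api;
/

-- 2. Secondary account: may log in and manipulate data, owns nothing.
CREATE USER data_pub IDENTIFIED BY "pub_pw_placeholder";
GRANT CREATE SESSION TO data_pub;
GRANT SELECT, INSERT, UPDATE, DELETE ON data.orders TO data_pub;
GRANT EXECUTE ON data.order_api TO data_pub;

-- Private synonyms so applications need no schema prefix.
CREATE SYNONYM data_pub.orders    FOR data.orders;
CREATE SYNONYM data_pub.order_api FOR data.order_api;

-- 3. Lock the owner once deployed; rotating its password later does not
--    touch anything that connects as data_pub (DADs, links, applications).
ALTER USER data ACCOUNT LOCK;

-- 4. On the remote database: the link stores data_pub's credentials only.
CREATE DATABASE LINK orders_link
  CONNECT TO data_pub IDENTIFIED BY "pub_pw_placeholder" USING 'ORDERS_DB';

-- 5. Review what has been handed out on the owner's objects.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'DATA'
 ORDER BY grantee, table_name, privilege;
```

Connected as data_pub, a DROP TABLE data.orders is refused for lack of privileges, so a compromised application credential can change rows but cannot remove the objects themselves.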

-----Original Message-----
Sent: Thursday, July 05, 2001 10:06 AM
To: Multiple recipients of list ORACLE-L


Stéphane,

    You're not alone.  I like having one schema that owns all of the objects
and a second or more that manipulate the data therein.  The reason is that
many times the passwords for the other user accounts get hard coded into
software making them almost impossible to change.  This way if the person
who was maintaining the application leaves you can change the password there
to do maintenance without breaking everything.  Also if you do get a hacker
in, it's a lot harder to have to delete everything vs drop a table.

Dick Goulet

____________________Reply Separator____________________
Author: paquette stephane <[EMAIL PROTECTED]>
Date:       7/5/2001 2:40 AM

Hi all,

I'm a fan of having the processing done by a user
different than the owner of the data. 
Am I alone ?

For example, we're on a datawarehouse system where the
data owner is DWH. The etl tool repository owner is
TOOL_POWERMART and the reporting tool repository owner
is TOOL_BOWEBI. The etl processing is done by user
DWH_PM_TRTMNT and the reporting processing is done by
user DWH_BO_TRTMNT.

This way, nobody is connecting as the data's owner.
The developers and Informatica (Powermart) consultant
would prefer working directly as DWH.

What do you think ?



=====
Stéphane Paquette
DBA Oracle, consultant entrepôt de données
Oracle DBA, datawarehouse consultant
[EMAIL PROTECTED]

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: paquette stephane
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

Author: Jenkins, Michael
  INET: [EMAIL PROTECTED]