Good morning,
A few days ago there was a debate about the issue with invoker/definer-stuff.
I wrote to Mary Ann Davidson, who's responsible for Oracle security things
(she's the female guru you may have seen on the big posters at Oracle World
both in Copenhagen and San Francisco). So I forwarded the thread to her,
and here's the response from Paul Needham of her team (who by the way was
impressed with the knowledge level of the list contributors).
Mogens
The invoker-rights functionality was developed to allow code to be shared across multiple schemas. The definer-rights functionality sometimes required that the same stored procedure exist in multiple locations, creating maintenance headaches. The invoker-rights model solves this problem.
Most applications are designed such that the data and application program units reside in the same schema. In this situation the issue of privilege propagation usually isn't a problem. In situations where a program unit depends on an external program unit in a different schema, the owner of the external program unit would need to give the other user execute privilege explicitly.
Oracle security product management continually reviews enhancement requests
submitted by customers. To date there hasn't been broad demand for new security
in this area beyond what has been provided via the introduction of the invoker-rights
facility. Oracle9i introduced the secure application role and global application
context which are designed for proxy architectures. The secure application
role restricts enabling a role to a set role command in a named security
package. The security package can perform its own security checks prior
to invoking the set role command.
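
The secure application role described in the reply above, as an added PL/SQL example that is not part of the original message and is not Oracle's own code. The schema, role, package, table, proxy account, end-user account and subnet names (sec_admin, hr_app_role, hr_role_pkg, hr.employees, APP_PROXY, app_user, 10.0.0.%) are hypothetical.

```sql
-- Added example. All object names below are hypothetical.

-- The role carries no password; it can only be enabled from inside
-- the named package, so a plain SET ROLE from a SQL prompt fails.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_role_pkg;

-- Privileges are attached to the role, not to the end users.
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

CREATE OR REPLACE PACKAGE sec_admin.hr_role_pkg
  AUTHID CURRENT_USER  -- invoker rights: roles cannot be set from definer-rights code
AS
  PROCEDURE enable_hr_role;
END hr_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec_admin.hr_role_pkg AS
  PROCEDURE enable_hr_role IS
    -- Session attributes the database records itself.
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- The package's own checks, run before the role is enabled.
    -- PROXY_USER is NULL when the session was not opened through a proxy account.
    IF v_proxy IS NULL OR v_proxy <> 'APP_PROXY' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role: session did not arrive through the application proxy');
    END IF;

    -- IP_ADDRESS is NULL for local (non-network) connections; refuse those too.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.0.0.%' THEN
      RAISE_APPLICATION_ERROR(-20002,
        'hr_app_role: connection is not from the application tier');
    END IF;

    -- Equivalent to issuing SET ROLE hr_app_role in this session.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_hr_role;
END hr_role_pkg;
/

-- End users only need to be able to call the gatekeeper package.
GRANT EXECUTE ON sec_admin.hr_role_pkg TO app_user;
```

Because SET ROLE enables only the roles it names, a session that calls enable_hr_role ends up with hr_app_role and loses any other roles that were enabled before the call.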