Thanks Mogens!

Jared

On Wednesday 01 January 2003 21:03, Mogens Nørgaard wrote:
> Good morning,
>
> A few days ago there was a debate about the issue with
> invoker/definer-stuff. I wrote to Mary Ann Davidson, who's responsible
> for Oracle security things (she's the female guru you may have seen on
> the big posters at Oracle World both in Copenhagen and San Francisco).
> So I forwarded the thread to her, and here's the response from Paul
> Needham of her team (who by the way was impressed with the knowledge
> level of the list contributors).
>
> Mogens
>
> ------------------------------------------------------------------------
>
> The invoker-rights functionality was developed to allow code to be
> shared across multiple schemas. The definer-rights functionality
> sometimes required that the same stored procedure exist in multiple
> locations, creating maintenance headaches. The invoker-rights model
> solves this problem.
>
> Most applications are designed such that the data and application
> program units reside in the same schema. In this situation the issue of
> privilege propagation usually isn't a problem. In situations where a
> program unit depends on an external program unit in a different schema,
> the owner of the external program unit would need to give the other user
> execute privilege explicitly.
>
> Oracle security product management continually reviews enhancement
> requests submitted by customers. To date there hasn't been broad demand
> for new security in this area beyond what has been provided via the
> introduction of the invoker-rights facility. Oracle9i introduced the
> secure application role and global application context which are
> designed for proxy architectures. The secure application role restricts
> enabling a role to a set role command in a named security package. The
> security package can perform its own security checks prior to invoking
> the set role command.
>
> ------------------------------------------------------------------------

--
Author: Jared Still
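
The secure application role described in the quoted response, sketched as an added example (not part of the original thread and not Oracle's or the posters' code). All schema, user, role and table names (sec_mgr, app_user, app_proxy, hr_clerk, hr.employees) and the proxy/subnet policy are assumptions made for illustration.

```sql
-- Added illustration; every object name below is hypothetical.
-- Run from a suitably privileged account in a test database.

-- 1. The role can be enabled only from inside the named security package.
CREATE ROLE hr_clerk IDENTIFIED USING sec_mgr.hr_role_pkg;
GRANT SELECT, UPDATE ON hr.employees TO hr_clerk;

-- 2. Grant the role to the end user but keep it out of the default roles,
--    so it is not simply enabled at logon.
GRANT hr_clerk TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_clerk;

-- 3. Proxy architecture: the middle tier connects as app_proxy on behalf
--    of app_user.
ALTER USER app_user GRANT CONNECT THROUGH app_proxy;

-- 4. The security package. It must be invoker-rights (AUTHID CURRENT_USER):
--    DBMS_SESSION.SET_ROLE cannot be called from a definer-rights unit.
CREATE OR REPLACE PACKAGE sec_mgr.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END hr_role_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_mgr.hr_role_pkg AS
  PROCEDURE enable_role IS
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Constructed policy: enable the role only for sessions opened through
    -- the middle-tier proxy account from the application server subnet.
    -- A NULL proxy user or address fails the test and falls to ELSE.
    IF v_proxy = 'APP_PROXY' AND v_ip LIKE '10.0.5.%' THEN
      -- Note: SET_ROLE replaces the session's currently enabled roles.
      DBMS_SESSION.SET_ROLE('hr_clerk');
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'hr_clerk is not available to this session');
    END IF;
  END enable_role;
END hr_role_pkg;
/
GRANT EXECUTE ON sec_mgr.hr_role_pkg TO app_user;

-- 5. In the application session:
--    SET ROLE hr_clerk;                     -- rejected outside the package
--    EXEC sec_mgr.hr_role_pkg.enable_role;  -- enabled only if the checks pass
```

Because the package runs with invoker rights, the checks read the caller's own session context, and a direct SQL*Plus login as app_user that bypasses the middle tier never gets hr_clerk.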