Skip to Main Content

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Ravikanth.

Asked: December 01, 2014 - 11:49 pm UTC

Last updated: December 02, 2014 - 6:52 pm UTC

Version: 11GR2

Viewed 1000+ times

You Asked

Hi Tom,

We are product company. One of our product extracts data from customers environment and populates a relational schema, say Schema_A. We also create and data warehouse (star schema) on top of Schema_A in a separate schema say Schema_B.

We are planning to combine Schema_A and Schema_B into one single schema where both relational and start schema co-exists. When a customer installs the product they have one single schema instead of two.

Could you please let us know pros and cons of this architecture? We are on oracle 11gR2 on 64 bit Redhat Linux.

Could we empirically say one way or the other about this architecture?


Thanks!

and Tom said...

I would strongly recommend multiple schemas - maybe more than two - for security and manageability purposes. The main one being security.

If everything is in a single schema, it becomes much harder to lock things down. For example, if you put an application audit trail into your application, I would suggest a private schema JUST FOR the audit trail. Your OLTP schema would be granted INSERT (but nothing else), your admin schema would be granted SELECT and maybe nothing else. A third schema might have a privileged routine that could read/write the audit trail (to purge old information for example). But you might have multiple schemas just to live with an audit trail.

Even more so with OLTP data and read only/read mostly data. It should definitely be segregated with just the minimum privileges granted to everyone.


In fact for your OLTP schema I would suggest at a minimum three schemas

schema1 - owns the tables

schema2 - owns views and code that expose the tables, granted minimum privs on schema1

schema3 - granted minimum privs on schema2. This is what your application logs in as, assuming three tier application server implementation


In that fashion, if someone 'hacks' into schema3 - there isn't much they can do. they cannot drop the application tables for example. they cannot do anything except run the application.

Using multiple schemas is a positive thing, use them for security and managing complex sets of objects.

Rating

  (4 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

OLAP and OLTP in same schema

Ravikanth Beevanapalli, December 02, 2014 - 5:55 pm UTC

Well, I kind of gave an explanation on the similar lines to my architecture team why I suggest to have multiple schema Vs single schema. But i am just a developer in my company, my opinion doesn't weigh much. But the only thing they say is 1) ease of maintenance, just opposite, no multiple users, no views,no synonyms, no user profiles to maintain etc 2) most of the big players like SAP has all their hundreds tables of different kind (OLTP/OLAP) in one monolithic schema.
Tom Kyte
December 02, 2014 - 6:52 pm UTC

1) no security - very easy.

2) and because they did it that way and made that decision 20 years ago, it must be right in the 21st century and they'd do it that way again for sure.... hmmmm


Yes, having multiple schemas makes you THINK and DESIGN more, that is sort of the idea here. It lets you set up multiple layers of defense.

The goal is not "make it easy for the developer", the goal is "build secure, robust systems". Easy for the developer in this case leads to security holes - holes that could easily be closed. No one said software development was going to be "easy"


You know what would be even easier? Just grant DBA to the application schema. Now it is really easy, I can do anything I want.

But wait, we don't do that (we *used* to, seriously - we *used* to and there probably are still 3rd party products that do)



A reader, December 04, 2014 - 7:21 pm UTC

I developed an application following Tom's rule explained in here

My thought

Karthick, December 09, 2014 - 11:40 am UTC

When we build a house we divide it into different areas. To mention a few…

1. Living room
2. Bed room
3. Bath room
4. Kitchen

What if we don’t have any of this and have one big room. You end up spending less money and time on the construction.

Sit back, put your entire family in a house which does not have any of these partitions and then write down the consequences.

The consequences could be alarming.

follow up question

A reader, August 11, 2015 - 9:03 pm UTC

Ok. I lost the battle with my "architecture" experts despite showing this post. I recommended to go with separate tablespaces for OLTP and OLAP. But they want to combine them into once monolithic tablespace. What could be downside of using same tablespace for both OLTP and OLAP?
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.