Hello,
i'd like a suggestion about the use case below
We have a database with 2 schemas, for the schemas 1 and 2 every objects are full granted
grant all on "object_name" to public
Each users have default role
"Resource","Connect"
.
As you can imagine, the security is done by the apps not the database.
We are planing to add an extra schema, this schema will only have BI tables.
I could set a role and add those tables in the role but unfortunatly it seems that it's not possible to connect with a selected role.
What i'd like to do is :
when the user log to access the database through the application he can access the whole database
when the user log for the BI he can only see the objects in the BI's schema
What could you suggest ?
Thanks
I advise you NOT to try this.
First up, granting all doesn't give just select/insert/update/delete. It also includes:
create table t (
c1 int
);
grant all on t to public;
select privilege
from dba_tab_privs
where grantee = 'PUBLIC'
and table_name = 'T';
PRIVILEGE
ALTER
DELETE
INDEX
INSERT
SELECT
UPDATE
REFERENCES
READ
ON COMMIT REFRESH
QUERY REWRITE
DEBUG
FLASHBACK
Yikes!
Secondly I'm not aware of a way to disable public access for a specific user. Which makes it hard to meet request!
Remember, when it comes to security, follow the Principle of Least Privilege.
Only grant people access to what they specifically need. NOT everything. "Just in case".
If you need a "god" user that can see every table, you can give it:
grant select any table to u;
But give this and any other "any" privileges sparingly.
Otherwise you're making it much easier for hackers to get at your data.