New object rights for enhanced security [CORE2884] #3268
Submitted by: Claudio Valderrama C. (robocop)
The core engine needs to have syntax (GRANT, REVOKE) to apply security to generators, charsets, collations, domains, functions and exceptions.
EXECUTE permission for functions, USAGE permission for everything else. The SQL spec defines USAGE for domains and sequences.
It should be possible to grant any non-owner permissions to ALTER or DROP a particular object. Also, there should be a CREATE privilege allowing a granted user to create particular object types. It applies to all metadata objects, not only the new ones.
Commented by: @reevespaul
The release notes say that generators and exceptions must now be granted USAGE to all users other than SYSDBA and the db owner.
I can understand doing this for generators but I don't understand this at all for exceptions. Surely USAGE should be automatically granted to the procedure or table/trigger that will fire the exception? I.e., if the user has the authority to execute the procedure, it should have an implicit usage granted.
What is the point of throwing this sort of error:
no permission for USAGE access to EXCEPTION ....
instead of the real error?