Cloud Control 13c - dude where's my menu options!



Snappy title eh?

So as you saw from my previous post we finally got to 13c and everything looked pretty good from my point of view - and by mine I mean doing everything as sysman...

So what happens when you release it to real users who have 'proper' logins.....?

Well this is what happens - they can't access any of the damn menus any more, the security's totally changed!

For example it seems most of the menu options or groups of menu options can be individually granted.

Here is a screenshot to show what I mean - this is from the security drop down of a database homepage where normal users have very few rights compared to 12c


In previous versions (unless I massively missed something here - which is always possible) this wasn't controllable. Now the control is very granular - incredibly so.

In fact for me it's too granular - I just want to give all the developers/testers/support guys the same access they had before - what they can do to the target database is anyway determined by the user privileges of the database login they choose to use.

So how do I get back to the 12c situation where all users can see all the db menus?

Well there is probably more than one way to do this but the method below is one way - maybe not perfect for everyone but it works for me.

Step 1

Create a dynamic group that contains all the databases you are interested in - in the simplest case this is all databases - here is the definition for that

Very simple - as soon as new databases are added they become part of this group so it's self managing - make sure the privilege propagation option is ticked - otherwise the later steps won't work.

Step 2

Create a role that assigns the two new privileges "database application DBA" and "database application developer" (as well as view - but that may be unnecessary) to that ALL_DATABASES group - see summary screenshot of that role below


Step 3

Grant that role to all your users and you are back at 12c access - you could actually just edit the definition of the public em role to give the grant and then every user will pick up that privilege anyway - but that may be a grant too far for most people......

Now I'm not advocating the above - but it works for us.

We could spend a lot of time doing this properly but that's time we don't have...... I don't feel this is any less secure - if the database account they connect with can't do anything then they can't do anything via the screens even if the menu option is there.

Just be wary of this change before you take the plunge to 13c
