Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Oracle's stance on user access rights list
(Message started by: Pete Finnigan on Mar 23rd, 2006, 2:07pm)

Title: Oracle's stance on user access rights list
Post by Pete Finnigan on Mar 23rd, 2006, 2:07pm
I have been working in security for 17 years, and one of the basic requirements has been the ability to list all users, user groups, and user access rights for review.  The regulators, such as the Federal Reserve Bank, request this information (a 'system generated list') every time they review our systems.

In my pursuit of such a list in Oracle Portal, I recently opened up an SR in Metalink.  I was referred to a procedure in OID that is given by Oracle but is not supported:

Article 277777.1 "How to list all OID groups that a user is a member of using the programmatic interfaces"

We installed this and gave it a try.  To make a long story short, it has serious shortcomings.

I wrote back to Oracle, requesting the "ability of entering a group and seeing the users that are members."

This was the response I got:

"Means of entering a group and seeing the users that are members of that group, is in essence a security risk. It is not, therefore, provided."

Is this really Oracle's stance, as far as any of you have experienced?  I find it hard to swallow that the security by obscurity realized is worth the tradeoff of never being able to see who can access what at a given time.

Title: Re: Oracle's stance on user access rights list
Post by Pete Finnigan on May 3rd, 2006, 11:44pm
It sounds like a dodge to me.  Are they saying that NO ONE AT ALL, even the most highly privileged accounts, is allowed to see group membership?  If the answer is 'yes', it is a dodge;  if 'no', then they should provide the procedure that the highly-privileged accounts would use.
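For what it is worth, the group-to-members list the original poster asked for, and the "procedure that the highly-privileged accounts would use" from the reply above, can be produced from OID without any Oracle-supplied procedure: OID is an LDAP directory, and a Portal/OID group is an entry under the Groups container whose multi-valued uniquemember attribute holds the DNs of its members (a member DN that is itself a group makes the group nested). The script below is an added example written for this thread, not code from the original posts, from Oracle, or from Note 277777.1. It assumes the LDIF that a privileged bind (for example cn=orcladmin) obtains with a search of roughly the shape `ldapsearch -h oidhost -p 389 -D cn=orcladmin -w <pw> -L -b "cn=Groups,dc=example,dc=com" -s sub "(objectclass=groupOfUniqueNames)" cn uniquemember`; the base DN, host, port and the sample LDIF are all constructed for the example. It turns that dump into the two review lists regulators ask for, group to effective members (nested groups expanded) and user to groups, and handles the two LDIF details that break a naive split on ':': folded continuation lines and base64-encoded (`attr::`) values, which OID emits for any DN containing non-ASCII characters.

```python
"""Group-membership review list from an LDIF dump of OID group entries.

Added example for this thread; not Oracle code.  Input is assumed to be the
LDIF printed by an ldapsearch of the Groups container (see lead-in).  The
sample below is constructed: three groups, one nested, one folded line, one
base64 value (cn=julie müller ...), one empty group.
"""
import base64
from typing import Dict, List, Set

SAMPLE_LDIF = """\
dn: cn=portal_admins,cn=Groups,dc=example,dc=com
cn: portal_admins
uniquemember: cn=alice,cn=Users,dc=example,dc=com
uniquemember: cn=fin_auditors,cn=Groups,dc=example,dc=com

dn: cn=fin_auditors,cn=Groups,dc=example,dc=com
cn: fin_auditors
uniquemember: cn=bob,cn=Users,dc=example,dc=com
uniquemember: cn=carol,cn=Users,
 dc=example,dc=com
uniquemember:: Y249anVsaWUgbcO8bGxlcixjbj1Vc2VycyxkYz1leGFtcGxlLGRjPWNvbQ==

dn: cn=empty_group,cn=Groups,dc=example,dc=com
cn: empty_group
"""


def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively; lower-case and drop spaces after commas
    so the same member written two ways dedups (lossy, but fine for a list)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> list of {attr: [values]}.  Unfolds continuation lines (leading
    space) and decodes 'attr:: base64' values; comments ('#') are skipped."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded line: append to previous
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def direct_members(entries) -> Dict[str, List[str]]:
    """Group DN -> its direct uniquemember DNs (users or nested groups)."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        dn = e.get("dn", [""])[0]
        if dn:
            groups[norm_dn(dn)] = [norm_dn(m) for m in e.get("uniquemember", [])]
    return groups


def effective_members(groups: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Expand nested groups transitively.  A member DN that is itself a key of
    `groups` is a group and is descended into; anything else is treated as a
    user.  The visited set guards against membership cycles."""
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [norm_dn(group_dn)]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, []):
            (stack if m in groups else users).append(m) if m in groups else users.add(m)
    return users


def user_to_groups(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Reverse index: each user DN -> every group it is effectively in."""
    index: Dict[str, Set[str]] = {}
    for g in groups:
        for u in effective_members(groups, g):
            index.setdefault(u, set()).add(g)
    return index


def report(ldif_text: str) -> List[str]:
    """The 'system generated list': one line per group with effective members,
    then one line per user with the groups it belongs to."""
    groups = direct_members(parse_ldif(ldif_text))
    lines = [f"{g}: {', '.join(sorted(effective_members(groups, g))) or '(no members)'}"
             for g in sorted(groups)]
    lines += [f"{u} -> {', '.join(sorted(gs))}" for u, gs in sorted(user_to_groups(groups).items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)))
```

Note that the listing is only as honest as the bind used to produce it: OID access control can hide uniquemember values from an unprivileged bind, so a partial result does not mean a group is small. Run the search as a directory administrator (or another identity with read access to the Groups subtree) and keep the raw LDIF alongside the report as the evidence the reviewer can re-derive.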


