Subject Re: FB users can do too much by default
Author Adam
> The potential for malicious damage comes where U2 *does* have permissions
> to other objects, of course. I don't know of any way that you can protect
> the databases from "the enemy within".

There is a lot more potential for damage than given credit here. A
malicious user can create and fill tables to exhaust system resources
such as disk space, hit internal implementation limits such as records
per table, run highly CPU-intensive queries, create long-running
transactions that inhibit garbage collection and effectively bring the
system to its knees. U2 will automatically have access to particular
system tables, and by directly running certain queries can cause data
corruption.

Ideally, security should allow the SYSDBA to disable all access to a
database for a given user.

In the real world, it is best to abstract the database queries from
any layer the user gets a choice in.

Adam