Subject | Grants/DB Ownership & User admin |
---|---|
Author | Alan McDonald |
Post date | 2005-09-01T09:52:49Z |
I think this is all wrong and I hope the next version takes these comments
into consideration.
For a long time I have created DBs with non-SYSDBA ownership.
User must be created by SYSDBA only.
Grants to DB objects and roles can be created by both/either.
Grants must be revoked ONLY by the GRANTEE
To have an application offer users (designated admins) the ability to create
users, SYSDBA must login temporarily (OR have SYSDBA credentials embedded
somehow in the app).
To create a user AND issue grants, the SYSDBA and DB Owner must separately
issue the user, grant statements separately. Otherwise the DBOwner
credential cannot revoke the grants. If a user created by SYSDBA is deleted
by SYSDBA, the grant remains in the DB unless the SYSDBA also revokes. So if
the DB is moved to another server, the SYSDBA must revoke grants to users
which do not exist on the other server.
This is awkward and messy to say the least.
Please someone tell me this is all in hand for future versions.
I know the API is going to be the only way to add users, but please let's
make a rational way to have dbowners grant and revoke without resorting to
SYSDBA credentials AND DBOWNER credentials to get all these jobs done
properly.
Alan
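A defender's check for the "DB moved to another server" case described above, as an added example (not code from the post or from the Firebird project, which this thread appears to concern): it takes rows exported from the RDB$USER_PRIVILEGES system table plus the user list of the target server, finds grants whose grantee no longer exists, and groups the REVOKE statements by the grantor who alone can issue them. The column names, the RDB$USER_TYPE values (8 = user, 13 = role) and the RDB$PRIVILEGE codes are assumptions about that table; the sample rows and user list are constructed.

```python
# Added example: find grants orphaned by a database move and attribute the
# REVOKE work to the grantor who must execute it (assumed Firebird layout).
from collections import defaultdict

# Assumed RDB$PRIVILEGE codes: S/I/U/D/R/X object rights, M = role membership.
PRIV_WORD = {"S": "SELECT", "I": "INSERT", "U": "UPDATE", "D": "DELETE",
             "R": "REFERENCES", "X": "EXECUTE"}

def revoke_sql(row):
    """Build the REVOKE statement for one exported RDB$USER_PRIVILEGES row."""
    if row["privilege"] == "M":          # role membership: REVOKE role FROM user
        return f'REVOKE {row["object"]} FROM {row["user"]};'
    return f'REVOKE {PRIV_WORD[row["privilege"]]} ON {row["object"]} FROM {row["user"]};'

def orphaned_grants(rows, existing_users):
    """Rows whose grantee is a user (user_type 8) unknown to the target server.
    Grants to roles (user_type 13) travel with the database and are skipped."""
    known = {u.upper() for u in existing_users}
    return [r for r in rows if r["user_type"] == 8 and r["user"].upper() not in known]

def revokes_by_grantor(rows, existing_users):
    """Map grantor -> REVOKE statements; only that grantor can run its list."""
    out = defaultdict(list)
    for r in orphaned_grants(rows, existing_users):
        out[r["grantor"]].append(revoke_sql(r))
    return dict(out)

# Constructed sample of what a SELECT on RDB$USER_PRIVILEGES might return.
SAMPLE_ROWS = [
    {"user": "ALICE", "grantor": "SYSDBA",  "privilege": "S", "object": "ORDERS",   "user_type": 8},
    {"user": "ALICE", "grantor": "SYSDBA",  "privilege": "M", "object": "CLERK",    "user_type": 8},
    {"user": "BOB",   "grantor": "DBOWNER", "privilege": "U", "object": "ORDERS",   "user_type": 8},
    {"user": "CAROL", "grantor": "DBOWNER", "privilege": "S", "object": "ORDERS",   "user_type": 8},
    {"user": "CLERK", "grantor": "DBOWNER", "privilege": "S", "object": "INVOICES", "user_type": 13},
]
# Constructed: accounts that exist in the target server's security database.
TARGET_SERVER_USERS = ["SYSDBA", "DBOWNER", "CAROL"]

if __name__ == "__main__":
    for grantor, stmts in revokes_by_grantor(SAMPLE_ROWS, TARGET_SERVER_USERS).items():
        print(f"-- connect as {grantor} and run:")
        print("\n".join(stmts))
```

Grants made by SYSDBA end up in a separate list from those made by the DB owner, which is exactly the two-credential clean-up the post complains about.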