To explain why closed security policies are better protection than open
ones, let me give you an example. Let's suppose that my company has
determined that the Oracle listener will listen on port 1599 (a non-default
port) and that all database passwords will contain 8 letters followed by 2
numbers. If I publish this information on the Web, I now let any hacker know
exactly which port to point to and exactly how my database passwords are
composed. Do you want to give this information to a potential hacker? It's
better to safeguard this information within your company.
I'm no expert on Role-Based Access Control outside of the Oracle arena. So
I'll give you the information that I know and leave it at that. I'm not
convinced that unconstrained upward inheritance is entirely a bad thing.
For instance, I might have a role called APPL_USER which is assigned to all
of my application users. This role lets the user perform read only, or
SELECT, operations on specific tables. Then I have an APPL_ADMIN role for
application administrators. This role lets the admins change the tables, and
it also inherits the APPL_USER role so that the admin can read the tables as
well. This is an easy way to transfer all of the rights of one role to
another. Unfortunately, the APPL_ADMIN role (which has been granted the
APPL_USER role) inherits *all* of the APPL_USER role's rights. You can't
give APPL_ADMIN just some of the rights granted to APPL_USER. It's an all or
nothing proposition. This may be too strong for your system. It may be better
to code specific rights to APPL_ADMIN and specific rights to APPL_USER. This
will separate the two functionalities.
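The two role layouts described above, written out as Oracle SQL. This is an added example and not code from the original post; the schema APP, the table ORDERS and the assumption that the statements are run by a user with DBA privileges (so the DBA_* views are readable) are all assumptions made for illustration.

```sql
-- Added example (not from the original post). APP.ORDERS is a hypothetical table.
CREATE ROLE appl_user;
CREATE ROLE appl_admin;

-- APPL_USER: read-only access to the application tables.
GRANT SELECT ON app.orders TO appl_user;

-- APPL_ADMIN: rights to change the tables.
GRANT INSERT, UPDATE, DELETE ON app.orders TO appl_admin;

-- Layout 1: upward inheritance. APPL_ADMIN receives *everything* APPL_USER
-- holds now and everything granted to APPL_USER later; there is no way to
-- inherit only a subset.
GRANT appl_user TO appl_admin;

-- Layout 2: no role-to-role grant. Each role carries only the privileges
-- coded directly against it, so the two sets of rights stay separate.
REVOKE appl_user FROM appl_admin;
GRANT SELECT ON app.orders TO appl_admin;

-- Check what each role actually holds (directly granted object privileges).
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('APPL_USER', 'APPL_ADMIN')
 ORDER BY grantee, privilege;

-- Check whether APPL_ADMIN still inherits any role (empty after the REVOKE).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'APPL_ADMIN';
```

With layout 1, the second query shows APPL_USER under APPL_ADMIN, and any privilege later granted to APPL_USER silently becomes an APPL_ADMIN privilege too; with layout 2, the first query lists every right each role has, and nothing changes for one role when the other is extended. Running both queries after a change is a cheap way to confirm a role has not picked up more than intended.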
For More Information