vendredi 27 février 2015

User can see Oracle tables via ODBC that her account does not have access to


We have a user whose Oracle account, according to ALL_TAB_PRIVS, has access to tables A, B, and C. However, when the user creates an ODBC and connects to Oracle via Microsoft Access (using her Oracle credentials in the ODBC), she can also view data from D, E, and F. We know that she isn't sharing someone else's credentials because we had her create a new ODBC and a new MS Access database, and the issue is still happening. One of our DBA's ran a query (I don't know which system views or tables) that shows her username as having used MSACCESS.EXE and odbcad32.exe to connect to Oracle, but nothing more specific than that.


This is worrisome. How is ODBC apparently bypassing Oracle security?


EDIT: To clarify, the tables in question are not in the user's schema. We keep many business tables in a particular schema S and then grant users access to just those tables in that schema. Consequently, most of the end users' schemas are empty. Our workflow generally goes like this: 1. User X requests access to tables on S schema. 2. Oracle account X is created on the server. 3. X is granted access to specific S tables.





Aucun commentaire:

Enregistrer un commentaire