1 Reply Latest reply: Jan 23, 2013 6:57 AM by 986661 RSS

    Something to throw in the suggestion box re: GRANT ALTER ANY TABLE

      We recently implemented a Change Data Capture product, and one of the things that made me quite uncomfortable is granting ALTER ANY TABLE to the service account that connects from the CDC tool.

      And I think as Data Warehouses begin to use this method, Oracle should consider making that particular GRANT a bit more granular.

      How about "GRANT ALTER ANY TABLE <aspect> to <schema>" where <aspect> could be "ALL", "LOGGING","STORAGE",'CONSTRAINTS",<more?>, where the system priv now only allows the user to alter that aspect of the table definition, rather than allowing that user to alter anything about the table. Turning on or off supplemental logging has nothing to do with changing (adding, DELETING) columns from the table, and yet I have to grant that ability to to service user in order to allow them to change supplemental logging for a given table.

      Yes, I know I can retain control of that for myself, turning that on and off for whatever tables the Data Warehous team decides to start or stop pulling data from. But I really don't think a lot of DBAs will want to be doing ALTER TABLE every time someone wants to collect different data for analysis.

      So, can we throw that one into the suggestion box? (The other options were just ones I thought might be useful in various circumstances.)