Toad 17.0.3 (latest version)
Whenever i login through Toad, there is one command run:
This makes some auditing entry and later have to explain why is this happening (quering user$ table, not to mention haveto defend Toad as serious tool)
Can you somehow change or remove this query?
Toad queries the SYS.USER$ table in various windows and features. The query you've shown is executed at connection time to verify the connected schema has privileges to that table. We set a flag indicating whether or not you have access and this flag is used by the features relying on the USER$ table to act accordingly. John is out of the office today and he can speak more to this when he returns.
There is no option to remove that, but we do occasionally get people asking about it.
As Mike said, we run that to see if you have privs on SYS.USER$. In some cases, we can use that to run faster queries with SYS-owned tables than we could by using data dictionary views.
For what it's worth, we don't execute that query. We just do an OCI describe on it, which parses but does not execute. And, if you look at the SQL, you'll see that it doesn't select any rows because of "where 0=1", but even if it DID select any rows, we would be selecting only NULL values and not any actual data.
If you don't grant SELECT or READ on that to any user, then what are you afraid of? Don't you trust Oracle security?
I cime all the time on azditing and jave to appologize for this. Security People do note understandball what you wrote. Thx just ask...why ste you quering usred table.
Damir (from mobile)
Sorry crazy Google translator...
Ok once again.
My problem is that any user$ table access is audited and I have to explain why.
This came from security people and their rules. They do not understand all you said (and I said also) and they do not need to do (understand!) as they are "security-the biggest power in the company" ...
they just want me to stop doing this....no more no less->no explanation!
And now I am on the edge of their patient.
Thanks for the clarification.
Security people are frustrating. Insisting that something which isn't a problem is "fixed".
yes, but i can obey or leave the job...that's the way it is.
Well there is nothing you can do to prevent it in Toad 17.0 or prior. Will a change to 17.1 satisfy them?
this would be great .... just select some other table$ but not users.
Well, the test isn't "see if user can select from any sys-owned table", it's "see if user can select from SYS.USER$". So if I implement any change it will be to either:
- don't check at all and assume that user does not have privileges to select from these tables
- check by looking in DBA_TAB_PRIVS (but to do so properly the query would be somewhat complicated due to the fact that it could be granted through a role). This could be slow for some users.
So basically, the auditors are asking us to punish all users with slower performance because they refuse to try to understand the meaning of a query.
I do not know how many security people have you met in your career, but I have seen a little less than a dozen
All of them are not qualified for that job, with very narrow knowledge and the only way to protect them is to stay rigid and not discuss...this is their only shield...as their rules are identic for all databases and all purposes...crazy but seen a lot of time as a pattern.
No need to lose more words on them...
I want 0 percent of security issues.
I said: We can do that immediately, this is easy.
He said: How?
I said: switch off all servers on power.
And then I left the company very soon, but i was glad as later found out that company just collpased ...
Starting next beta you can disable the use of SYS.USER$ in Options -> Oracle -> General.
Unfortunately cannot test beta versions...but 100% certain that you did help a lot.
I will wait for next release and until then i will show this mail.