
Friday, August 04, 2017

Dataedo software, Part 04: Importing objects - 02

I have to check if the TRIGGERS are imported. In order to do this, I get just the first 5 tables


So, let's check Dataedo






Ouch!!!! No trigger on the tables is reported by Dataedo. It's not enough. I check the same thing using another tool: Toad.


Well. Let's check the triggers






Ooooh. The triggers exist on the tables, but Dataedo didn't import them. I want to try connecting to Oracle directly as the owner of the tables

Connecting using the owner


The number of imported objects is the same as in the previous import, when I used the nagios schema

The trigger on the table

Bingo! Now the trigger is visible. In order to understand what is happening, I have to check the privileges of the nagios user


The CREATE ANY TRIGGER privilege is missing. So I grant the privilege and check Dataedo again


Now I have to remove the old connection and re-create the new one

Removing a repository

After the user nagios is imported again, I can also see the TRIGGERs

Using nagios schema with "CREATE ANY TRIGGER" privilege

So I suspect that there may be some other differences. Let me check. Without the "CREATE ANY TRIGGER" privilege, the nagios user can't see the TRIGGER dependencies

Using nagios schema without "CREATE ANY TRIGGER" privilege

but with the right privilege, Dataedo reports all dependencies correctly.

Using nagios schema with "CREATE ANY TRIGGER" privilege

In my opinion, CREATE ANY TRIGGER (like "EXECUTE ANY PROCEDURE" or "SELECT ANY TABLE") is a bad privilege for a user. It is a failure of security policy. Because Dataedo5 uses "ALL_" views inside Oracle, the "CREATE ANY TRIGGER" privilege is necessary. As I suggested, it could be better to grant just the SELECT_CATALOG_ROLE role and query the "DBA_" views instead of "ALL_"
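
The alternative suggested above, written out as an added example (not taken from the post or from Dataedo): a DBA audits the documenting account's "ANY" privileges, swaps CREATE ANY TRIGGER for SELECT_CATALOG_ROLE, and reads triggers and their dependencies from the DBA_ views. NAGIOS is the account from the post; APP_OWNER is a hypothetical name for the schema that owns the tables.

```sql
-- Added example. Steps 1-2 run as a DBA, step 3 as NAGIOS in a new session.
-- APP_OWNER is a hypothetical schema name; replace it with the real table owner.

-- 1a. "ANY" system privileges granted directly to the documenting account.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'NAGIOS'
AND    privilege LIKE '% ANY %'
ORDER  BY privilege;

-- 1b. "ANY" system privileges reaching it through a granted role
--     (one level of role nesting only).
SELECT rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  rp.grantee = 'NAGIOS'
AND    sp.privilege LIKE '% ANY %'
ORDER  BY rp.granted_role, sp.privilege;

-- 2. Replace the write-capable privilege with read-only dictionary access.
--    CREATE ANY TRIGGER lets the account create triggers in any schema;
--    SELECT_CATALOG_ROLE only allows SELECT on the data dictionary views.
REVOKE CREATE ANY TRIGGER FROM nagios;
GRANT  SELECT_CATALOG_ROLE TO nagios;

-- 3a. Control query: without CREATE ANY TRIGGER, ALL_TRIGGERS hides the
--     owner's triggers again, as observed in the post.
SELECT COUNT(*) AS visible_via_all
FROM   all_triggers
WHERE  table_owner = 'APP_OWNER';

-- 3b. The same triggers read from the DBA_ view.
SELECT owner, trigger_name, trigger_type, triggering_event,
       table_name, status
FROM   dba_triggers
WHERE  table_owner = 'APP_OWNER'
ORDER  BY table_name, trigger_name;

-- 3c. Trigger dependencies, the second thing missing in the post.
SELECT name AS trigger_name, referenced_owner,
       referenced_name, referenced_type
FROM   dba_dependencies
WHERE  owner = 'APP_OWNER'
AND    type  = 'TRIGGER'
ORDER  BY name, referenced_name;
```

A tool that reads only the "ALL_" views gains nothing from this grant; it helps only where the metadata queries target the "DBA_" views.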

(to be continued)

Update

2017/08/04 - About the privileges you need to grant to a user that does not own the objects, Dataedo sent me the link to the documentation: https://dataedo.com/docs/oracle-connection-requirements
