Yes, the proposed solution solves the scenario I reported.
In this way, using the TC_ADMIN role, you can control who has rights to change Team Coding configuration.
All âregularâ users, are not granted these privileges by default.
I suppose that, after this change, when you upgrade from Team Coding 6 to 7, your users will have the same privileges as before, what is expected.
Thank you for the support,
Cheers, Ana
From: ***@yahoogroups.com [mailto:***@yahoogroups.com] On Behalf Of Stephen Beausang
Sent: Tuesday, February 26, 2013 4:24 PM
To: ***@yahoogroups.com
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Hi Ana,
Team Coding rolled all the privileges in to a single TC_ADMIN role in Team Coding 7. In doing this, we allowed TC_ADMIN or SYSDBA users to intall/uninstall Team Coding. We assumed that the user who could install/uninstall should have full access to all Team Coding functions. This is why the userâs with SYSDBA have access to change configuration.
Based on this thread, we are modifying this behavior to allow SYSDBA uses to install/uninstall Team Coding, but require TC_ADMIN rights to modify settings.
Does this address the question?
All the best
Stephen
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Ana Roje Ivancic
Sent: Tuesday, February 26, 2013 10:04 AM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
I led this discussion by mistake in the wrong direction.
(The point is that the development team working on Oracle DBs is our customer and we provide them only services related with versioning using TFS in combination with Toad.)
So once again:
The developers connecting to the DB and working on DB schemas had no rights to edit Team Coding settings in Team Coding 6.
After upgrade to Team Coding 7, they can perform all tasks related to configuring Team Coding Settings.
These users are not members of any of the TC roles (TC_ADMIN, TC_ TC_LDR, TC_MGR).
They DO NOT have SYSDBA privileges (this was my mistake), but DBA privileges on corresponding schemas.
So the question still remains: Why they have rights to manage Team Coding settings after the upgrade and how are these rights supposed be managed âby the bookâ in Team Coding 7?
Thanx,
Ana
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Bert Scalzo
Sent: Tuesday, February 26, 2013 2:38 PM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
No â SYSDBA is not for developers nor for people who simply need to own objects. Itâs a much more powerful right that should be granted to people who need to do DBA specific tasks to the database â not schemas. You are essentially sating my developers all need ârootâ access. This is a security no-no. You should instead be creating a developer role that assinds what they truly need and nothing else. Right now any one of your SYSDBA users can drop/delete the entire database and many other ârootâ like things. You need to read the Oracle security docs and use roles with proper grants. Granting SYSDBA is using a shotgun where a bee bee gun is needed.
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Ana Roje Ivancic
Sent: Tuesday, February 26, 2013 7:34 AM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Thank you for this note.
My explanation was not clear enough. The âusersâ in my case are members of the development team which develops applications based on Oracle databases.
They are the owners of corresponding DB Schemes and must have administrative privileges as well.
Cheers,
Ana
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Bert Scalzo
Sent: Tuesday, February 26, 2013 2:16 PM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Please note that SYSDBA priv is not intended for public distribution like this (i.e. they all have SYSDBA privileges). If you were to run the Toad DB health check security violations it would raise the red flag. So you are essentially saying all my users can startup and shutdown the database, make backups and other key DBA centric tasks controlled by SYSDBA. This is a clear oracle security no-no â¹
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Ana Roje Ivancic
Sent: Tuesday, February 26, 2013 7:11 AM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
I have analyzed the rights of my users and they all have SYSDBA privileges. This is why they can edit Team Coding settings, as you describe bellow.
These privileges are required for our development process. Therefore we need to regulate the user rights on the TC tables manually by explicitly removing them the insert/update/delete/ privileges.
Thank you for your assistance,
Cheers, Ana
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Stephen Beausang
Sent: Monday, February 25, 2013 7:54 PM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Hello Ana,
If the users have TC_LDR and / or TC_MGR permissions then they may still have the permissions on the underlying tables. This is the most likely scenario. Toad also allows the SYSDBA user update configuration. If any the users have SYSDBA privileges then they will have configuration permissions.
If none of the above apply, then the users still have update privileges on the Team Coding Tables. I will send you the table privileges offline.
Stephen
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Ana Roje Ivancic
Sent: Monday, February 25, 2013 9:53 AM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Hello,
I checked the TC_ADMIN role on my schema and I found that only the TOAD user is in this role (he has checkboxes checked for Granted/Admin/Default in the âConfigure Granteesâ dialog).
None of my other users is in this role (none of their corresponding checkboxes is checked).
And they still can edit all Team Coding settings. For example, I managed to change the settings of a Code Collection, and switch Team Coding support off and back on.
In other words, they have full access to all actions on the dialogs:
- Utilities-->Team Coding-->Configure Team Coding
- Utilities-->Team Coding--> Team Coding Code Collections
None of the buttons/checkboxes on these dialogs is greyed out.
I can send you screenshots if you need them.
Any idea what is wrong in my case?
Thanks, Ana
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Stephen Beausang
Sent: Friday, February 22, 2013 4:27 PM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] RE: After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Hello Ana,
The upgrade from 10.6 to 11 modified the user rights for Team Coding. Users with TC_ADMIN rights have the right to modify configuration settings.
The other roles are no longer used.
Since 11.0, the TC_ADMIN role can Configure Team Coding and Edit Projects. All other users should be read only in these windows. The TC_LDR, and TC_MGR roles are not used in TeamCoding 7.
You can remove unused roles from all the users in the Schema Browser. Right click on the Role and select âConfigure Granteesâ. This will bring up a list of the users and you can select who you wish to deny the rights to. (Thanks to John D for this tip)
Stephen
From: ***@yahoogroups.com<mailto:***@yahoogroups.com> [mailto:***@yahoogroups.com] On Behalf Of Ana Roje Ivancic
Sent: Friday, February 22, 2013 9:21 AM
To: ***@yahoogroups.com<mailto:***@yahoogroups.com>
Subject: [toad] After upgrade from Team Coding 6 to Team Coding 7 all users have rights to change Team Coding settings and Code Collection Settings
Hi!
I upgraded the versioning in an existing database from Team Coding 6 to Team Coding 7.
I am using several versions of Toad 11 (11.0, 11.5. 11.6.1)
I am surprised to see that now, after migration:
1. all users have rights to change Team Coding settings (Utilities-->Team Coding-->Configure Team Coding)
2. all users have rights to edit Team Coding Code Collections (Utilities-->Team Coding--> Team Coding Code Collections)
This is not nice.
Previously in Toad 10.6 and Team Coding 6, only the TOAD administrator user account had these rights.
If I now connect to the same database from Toad 10.6 as a âregularâ user (getting the warning that the Tem Coding support is a newer version), I do not have the rights to change Team Coding Settings/Code Control Groups, as it was before.
My question is:
1. Is this change in rights the result of the migration process or is the new default behavior?
2. Do I need to deny rights to my âregularâ users with a script or I have a better option for controlling the rights?
Thanx,
Ana