G-1110
Error
Avoid connect users that own database objects.
Reason
Using a dedicated schema owner (separate from the application's technical user) enforces a clear separation of concerns between schema administration and data manipulation. It prevents the technical user from implicitly holding high-level privileges, such as the ability to create or drop objects, and so reduces the risk of accidental or malicious changes. It also simplifies updates and maintenance, because schema changes can be managed under stricter control without affecting the routine database connection the application uses.
Example
Non-Compliant Example
-- database objects owned by connect user
create table t1 (c1 integer);
create view v1 as select * from t1;
Compliant Solution
-- no objects owned by connect user
Tests
Test SQL query
select owner || '.' || object_type || '.' || object_name as identifier,
       'Connect user ' || owner || ' has ' || lower(object_type) || ' ' || object_name || '.' as message
  from dba_objects
 where owner in (#ConnectUsers#)
 order by object_type, object_name
Test results
| Identifier | Message | Migration |
|---|---|---|
| DBL_GUI.TABLE.T1 | Connect user DBL_GUI has table T1. | - |
| DBL_GUI.VIEW.V1 | Connect user DBL_GUI has view V1. | - |
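The following script is an added illustration of the compliant setup and of the test query with its parameter expanded; it is not part of this guideline page. It assumes an Oracle database, a schema owner named DBL_OWNER, the USERS tablespace and placeholder passwords; DBL_GUI and DBL_BACKEND are the connect users from the rule's default ConnectUsers value. How the tool itself substitutes #ConnectUsers# is not described on the page, so the literals are written by hand.

```sql
-- Added example: a dedicated schema owner next to a privilege-limited
-- connect user. DBL_OWNER, the USERS tablespace and the password
-- placeholders are assumptions; DBL_GUI is the rule's default connect user.

-- Steps 1 to 5 run as a DBA.

-- 1. Schema owner: holds every object, is never used by the application.
create user dbl_owner identified by "<schema-owner-password>"
   default tablespace users quota unlimited on users;
grant create session, create table, create view, create sequence,
      create procedure, create synonym to dbl_owner;

-- 2. Connect user: may log in, owns nothing, has no CREATE privileges.
create user dbl_gui identified by "<connect-user-password>"
   default tablespace users quota 0 on users;
grant create session to dbl_gui;

-- 3. Objects are created in the owner schema only.
create table dbl_owner.t1 (c1 integer);
create view dbl_owner.v1 as select * from dbl_owner.t1;

-- 4. The connect user gets DML on those objects, nothing more.
grant select, insert, update, delete on dbl_owner.t1 to dbl_gui;
grant select on dbl_owner.v1 to dbl_gui;

-- 5. After deployment, lock the owner so the schema can only be changed
--    during a controlled release (unlock it again for the next migration).
alter user dbl_owner account lock;

-- 6. Run in the application's own session, connected as DBL_GUI: resolve
--    unqualified names against the owner schema without creating private
--    synonyms (synonyms in DBL_GUI would be objects owned by the connect
--    user and would themselves be flagged by this rule).
alter session set current_schema = dbl_owner;

-- 7. Run as a DBA: the rule's check with #ConnectUsers# expanded by hand.
--    Owner names are stored in upper case in DBA_OBJECTS, so the default
--    parameter value "dbl_gui, dbl_backend" is written as upper-case
--    literals here. Expected result after the steps above: no rows.
select owner || '.' || object_type || '.' || object_name as identifier
  from dba_objects
 where owner in ('DBL_GUI', 'DBL_BACKEND')
 order by object_type, object_name;
```

An empty result from step 7 is the compliant state; every row it does return names an object that has to be moved to the owner schema and re-granted to the connect user.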
Parameters
Use parameters to customize the rule to your needs.
| Parameter | Description | Default Value |
|---|---|---|
| ConnectUsers | Comma-separated list of technical users connecting to the database. These users do not own database objects such as tables. | dbl_gui, dbl_backend |