Allowing users to compile / run PLSQL and SQL

oracleplsql

As a DBA – assuming my users are knowledgeable with PLSQL and SQL – why would I not grant my users privileges to compile and run their own PLSQL code.
We have an MI database environment where the data has undergone ETL.
The tables contain a large numbers of rows but not necessarily large rows in size. The analysis – will be – I assume of calculus in nature.
The users are wanting to run their own code on the data for the purposes of ad-hoc analysis – within their own schemas.
They come from a SAS background which from my understanding has allowed them to write and run their own analysis of data. Albeit, SAS runs on its own dataset – extracted from Oracle or elsewhere.

In my opinion this is a dangerous set-up – but without answering my own question – what are the pitfalls?

Best Answer

I think as a DBA you will inevitably lose the fight to keep hands out of your database. Having said that I think we owe it to our customers to try and provide a product that they can use. There are dangers and pitfalls of even read-only access that any DBA should be aware of:

You admitted that you are working with large record counts in your tables. What is your game plan when a user inadvertently issues a Cartesian Join?
If you are talking about read/write access how are you going to hold those users accountable for their actions? If financial data is involved (SOX) then it is not enough to just prove you are auditing the modifications to sensitive data you have to show you have removed their ability entirely.
If this is a production environment have you reconfigured your DR/backup solution? If your backup solution involves taking the DB off-line then what is your solution if a user puts a procedure in DBMS_JOB to run during it?
Lastly, and probably most importantly, who is going to support their code? If your org has a dev team and they are not on board for support I can guarantee that as the DBA you are going to get a finger pointed at you as soon as something goes wrong. Make that expectation up front.

I think thats enough devils advocate but I guess in summary my answer would be:
"Never in production and never in QA. If you want to run code you write it you support it and then you package it in a deployable format so I can push it out. If you want to act like a developer I'm going to treat you like one."

Related Solutions

SQL developer: Setup debugger for plsql

I haven't tested it again, but as far as I remember you need DEBUG privileges to use the debugger in SQL Developer:

  GRANT DEBUG CONNECT SESSION TO YOUR_USER;
  GRANT DEBUG ANY PROCEDURE TO YOUR_USER;

How to run procedure in Oracle SQL developer

First, if you are creating a procedure in a package, the package name will need to be included when you call the procedure.

begin
  hotel.fill_city(10000);
end;
/

should correctly invoke your procedure.

Second, you have issues with the naming of your local variables. Normally, you would not create local variables like city and postal_number that are the same as the names of columns in tables in your database. That makes it far too easy to introduce errors in your code where you intend to refer to the local variable but scope resolution rules mean that you are really referring to the column name. For example, if you write the perfectly valid function

CREATE OR REPLACE FUNCTION get_dname( deptno IN NUMBER )
  RETURN VARCHAR2
IS
  dname VARCHAR2(30);
BEGIN
  SELECT dname
    INTO dname
    FROM dept
   WHERE deptno = deptno;
  RETURN dname;
END;

in your WHERE clause, both references to deptno will resolve to the column in the dept table, not to the parameter deptno. That means that no matter what value you pass in to the function, the SELECT statement will return every row from the table and, thus, throw a too_many_rows error. Normally, you would come up with a convention on how to name variables and parameters that would not conflict with your table naming conventions. Prefixing parameters with p_ and local variables with l_ is one common convention. That turns our function into something like this

CREATE OR REPLACE FUNCTION get_dname( p_deptno IN NUMBER )
  RETURN VARCHAR2
IS
  l_dname VARCHAR2(30);
BEGIN
  SELECT dname
    INTO l_dname
    FROM dept
   WHERE deptno = p_deptno;
  RETURN l_dname;
END;

The other option would be to use explicit scoping prefixes when referring to local variables (i.e. get_dname.dname and get_dname.deptno) rather than altering the names of your local variables.

Best Answer

Related Solutions

SQL developer: Setup debugger for plsql

How to run procedure in Oracle SQL developer

Related Question