I was checking our database security policy at work today when I came across something that confused me for a little while.
It said that you should not grant the CONNECT role to non-DBA users. My first thought was ‘hang on, if I don’t give users the CONNECT role, they won’t be able to connect to the database’. I wondered about this for a while and then did a little digging and found out that of course CONNECT is a role, whereas you only need the CREATE SESSION privilege to connect to the database.
Until version 10.2 the CONNECT role contained a bunch of other privileges that you may or may not want to give users. In our case, apparently we don’t.
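A check for this policy, written as an added example rather than anything from the original post: it lists what CONNECT carries on the database you are logged into, finds non-DBA accounts that hold it, and swaps the role for the bare privilege. It assumes read access to the DBA_ dictionary views, and `APP_USER` is a hypothetical account name.

```sql
-- 1. What does the CONNECT role carry on this database?
--    The answer depends on the Oracle version, so check rather than assume.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'CONNECT'
ORDER  BY privilege;

-- 2. Which user accounts hold CONNECT directly without also holding DBA?
--    The join to DBA_USERS drops roles that were themselves granted CONNECT.
SELECT u.username,
       u.account_status
FROM   dba_role_privs rp
       JOIN dba_users u ON u.username = rp.grantee
WHERE  rp.granted_role = 'CONNECT'
AND    rp.grantee NOT IN (SELECT grantee
                          FROM   dba_role_privs
                          WHERE  granted_role = 'DBA')
ORDER  BY u.username;

-- 3. For each account found above (APP_USER is a hypothetical name):
--    grant the privilege first so the account can still log in,
--    then remove the role.
GRANT CREATE SESSION TO app_user;
REVOKE CONNECT FROM app_user;

-- 4. Confirm the account now has CREATE SESSION as a direct grant.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'APP_USER';
```

If the first query returns more than CREATE SESSION, test the application after the revoke, since the account may have been relying on one of the other privileges and will need it granted explicitly.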