
RE: How do you audit a DBA?

From: Rachel Carmichael <carmichr_at_hotmail.com>
Date: Fri, 07 Sep 2001 06:00:58 -0700
Message-ID: <F001.003867C5.20010907055024@fatcity.com>

"The point is, you only need one, single trusted person to hold the administrator account (someone from your audit firm, for example) and almost everything can be done by sub-administrators who only have the precise permissions they need and no more. In theory, anyway :0)"

There's that "single point of failure" again! So... the auditor is more trusted than the DBA?

Who audits the auditor?

>From: "Guy Hammond" <guy.hammond_at_avt.co.uk>
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: RE: How do you audit a DBA?
>Date: Fri, 07 Sep 2001 01:45:06 -0800
>
>There is an administrator account, but individual users can configure
>access control lists on their files (right-click, properties, security)
>that would prevent the administrator from reading them. The only way
>that an administrator could then read them would be to "take ownership"
>first. Unlike Unix, ownership of a file is taken rather than given, so
>even if an Administrator read a confidential file, the OS would not let
>them erase traces of having done so. If you wanted to steal a file, you
>could obviously back it up to tape (if you have the Backup Operator
>role) restore it to another system, take ownership there and read it
>(unless it was encrypted of course) but there's only so much an OS can
>do about physical security.
>
>The point is, you only need one, single trusted person to hold the
>administrator account (someone from your audit firm, for example) and
>almost everything can be done by sub-administrators who only have the
>precise permissions they need and no more. In theory, anyway :0)
>
>g
>
>
>
>-----Original Message-----
>Sent: Thursday, September 06, 2001 2:41 PM
>To: Multiple recipients of list ORACLE-L
>
>
>but doesn't there have to be ONE account/role in NT that can assign all the
>others? how else could you set up a role or continue to set them up?
>
>--
>Please see the official ORACLE-L FAQ: http://www.orafaq.com
>--
>Author: Guy Hammond
> INET: guy.hammond_at_avt.co.uk
>
>Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
>San Diego, California -- Public Internet access / Mailing Lists
>--------------------------------------------------------------------
>To REMOVE yourself from this mailing list, send an E-Mail message
>to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
>the message BODY, include a line containing: UNSUB ORACLE-L
>(or the name of mailing list you want to be removed from). You may
>also send the HELP command for other information (like subscribing).



Received on Fri Sep 07 2001 - 08:00:58 CDT
