Re: limited DBA privileges

From: Dennis Williams <oracledba.williams_at_gmail.com>
Date: Tue, 29 Apr 2008 22:01:57 -0500
Message-ID: <de807caa0804292001t625753c9p98db12bc8a6ca2ca@mail.gmail.com>


Mark,

I think there are many people on the list who have had to deal with this. You know how those wild DBAs took down Enron and other big companies a few years ago, so Congress passed SoX to control their excesses. I'm guessing that is the basis of your questions.

First, the newer versions of Oracle like 10g provide more security support, such as VPD, FGA, and encryption.
Second, lock SYSTEM and SYS. Create OPS$ accounts for your administrators. That way activities can be tracked to an individual. You could probably decide exactly which privileges a DBA needs, but that may be an exercise in futility.
Third, turn on auditing, whisk the audit records immediately to another system, and stick someone in quality with the responsibility for reading those audit records.

Take a look at Fine Grained Auditing in 10g to see if that will meet your requirements.

Dennis Williams

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Apr 29 2008 - 22:01:57 CDT
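
The steps in the message above, sketched as an added example for Oracle 10g Release 2 (not part of the original post). The account name ops$jsmith, the HR.EMPLOYEES table, its SALARY column, the policy name and the syslog facility are all hypothetical choices.

```sql
-- Added example; run from SQL*Plus as a privileged user. Names are hypothetical.

-- Lock the shared built-in accounts so work is done under named accounts.
-- Locking does not block CONNECT / AS SYSDBA by members of the OS DBA group;
-- that path is covered by audit_sys_operations below.
ALTER USER system ACCOUNT LOCK;
ALTER USER sys ACCOUNT LOCK;

-- One OS-authenticated account per administrator (assumes the default
-- os_authent_prefix of OPS$ and an OS login named jsmith).
CREATE USER ops$jsmith IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO ops$jsmith;
-- Grant further privileges one by one as the job requires.

-- Standard auditing written outside the database, including SYSDBA activity.
-- These are static parameters: they take effect at the next restart.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- 10gR2: hand audit records to syslog so the syslog daemon can forward them
-- to another host that the DBAs do not administer.
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;

-- Statement auditing: logons, user management, and privilege/role grants.
AUDIT SESSION;
AUDIT USER;
AUDIT SYSTEM GRANT;

-- Fine Grained Auditing: record reads and updates that touch SALARY.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUD_EMP_SALARY',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE');
END;
/

-- FGA records stay in the database; the reviewer reads them here.
SELECT db_user, os_user, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUD_EMP_SALARY'
 ORDER BY timestamp;
```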
