Re: limited DBA privileges
Date: Tue, 29 Apr 2008 22:01:57 -0500
I think there are many people on the list who have had to deal with this. You know how those wild DBAs took down Enron and other big companies a few years ago, so congress passed SoX to control their excesses. I'm guessing that is the basis of your questions.
First, the newer versions of Oracle like 10g provide more security support,
such as VPD and FGA, encryption.
Second, lock SYSTEM and SYS. Create OPS$ accounts for your administrators. That way activities can be tracked to an individual. You could probably decide exactly which privileges a DBA needs, but that may be an exercise in futility.
Third, turn on auditing, whisk the audit records immediately to another system, and stick someone in quality with the responsibility for reading those audit records.
Take a look at Fine Grained Auditing in 10g to see if that will meet your requirements.
Dennis WilliamsReceived on Tue Apr 29 2008 - 22:01:57 CDT