Re: limited DBA privileges
Date: Wed, 30 Apr 2008 07:30:32 +0100
Message-ID: <7765c8970804292330h138b52c4td7a559bc5b436f46@mail.gmail.com>
The product that more or less exactly matches those requirements is
the Database Vault product. In particular you can separate out an
admin realm from an application realm and deny dba access to the
application realm. I'm not personally convinced by the requirement -
especially as organisationally you then need an oracle skilled person
outside of the IT area to do the vault administration, but it is
exactly aimed at your situation .
On 30/04/2008, Dennis Williams <oracledba.williams_at_gmail.com> wrote:
> Mark,
>
> I think there are many people on the list who have had to deal with this.
> You know how those wild DBAs took down Enron and other big companies a few
> years ago, so congress passed SoX to control their excesses. I'm guessing
> that is the basis of your questions.
>
> First, the newer versions of Oracle like 10g provide more security support,
> such as VPD and FGA, encryption.
> Second, lock SYSTEM and SYS. Create OPS$ accounts for your administrators.
> That way activities can be tracked to an individual.
> You could probably decide exactly which privileges a DBA needs, but that may
> be an exercise in futility.
> Third, turn on auditing, whisk the audit records immediately to another
> system, and stick someone in quality with the responsibility for reading
> those audit records.
>
> Take a look at Fine Grained Auditing in 10g to see if that will meet your
> requirements.
>
> Dennis Williams
>
-- Niall Litchfield Oracle DBA http://www.orawin.info -- http://www.freelists.org/webpage/oracle-lReceived on Wed Apr 30 2008 - 01:30:32 CDT