Re: limited DBA privileges

From: Niall Litchfield <>
Date: Wed, 30 Apr 2008 07:30:32 +0100
Message-ID: <>

The product that more or less exactly matches those requirements is the Database Vault product. In particular you can separate out an admin realm from an application realm and deny dba access to the application realm. I'm not personally convinced by the requirement - especially as organisationally you then need an oracle skilled person outside of the IT area to do the vault administration, but it is exactly aimed at your situation .

On 30/04/2008, Dennis Williams <> wrote:
> Mark,
> I think there are many people on the list who have had to deal with this.
> You know how those wild DBAs took down Enron and other big companies a few
> years ago, so congress passed SoX to control their excesses. I'm guessing
> that is the basis of your questions.
> First, the newer versions of Oracle like 10g provide more security support,
> such as VPD and FGA, encryption.
> Second, lock SYSTEM and SYS. Create OPS$ accounts for your administrators.
> That way activities can be tracked to an individual.
> You could probably decide exactly which privileges a DBA needs, but that may
> be an exercise in futility.
> Third, turn on auditing, whisk the audit records immediately to another
> system, and stick someone in quality with the responsibility for reading
> those audit records.
> Take a look at Fine Grained Auditing in 10g to see if that will meet your
> requirements.
> Dennis Williams

Niall Litchfield
Oracle DBA
Received on Wed Apr 30 2008 - 01:30:32 CDT

Original text of this message