Re: limited DBA privileges

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Wed, 30 Apr 2008 19:27:07 +0200
Message-ID: <486b2b610804301027w4e06aa2ejdb5a15b7b351eb69@mail.gmail.com>


Mark

As Niall suggested, you can do just that with Database Vault -- a new Enterprise Edition option introduced with 10.2.0.2.

I would however suggest that you upgrade to 10.2.0.4 before attempting to use it, as some critical security bugs have been fixed in that release.

You don't necessarily need someone with a lot of Oracle skills to be the "guy in charge" of who can see what data. Database Vault comes with a GUI that is rather easy to use, and can be used by virtually anyone to enable / disable access to certain tables, once the groundwork has been laid and the setup is complete.

Of course, a typical DBA will also have to install patches on a database and stuff like that, and database vault cannot protect you against the operating system oracle user (the software owner to be more specific).

Furthermore, there just is nothing else out there that allows you to implement something like this. As soon as you're giving away "ANY"-privileges, you're giving away your data. And a DBA won't be able to do much without having been granted system privileges.

Cheers

Stefan

On Wed, Apr 30, 2008 at 12:27 AM, Cochran, Mark <Mark.Cochran_at_staples.com> wrote:

> As part of a company-wide security initiative, I've been tasked with
> coming up with an implementation of limited DBA privileges. Specifically, a set
> of database privileges that allow a user with these privileges to maintain
> the database (e.g., add/resize datafiles; create and modify tablespaces;
> create, alter and move tables; create, alter and rebuild indexes; query the
> data dictionary), while restricting that user from querying sensitive data
> in specific tables (e.g., credit card data).
>
> Has anyone encountered such a requirement before? Any suggestions? Can
> you point me toward any examples of how to create such a role?
>
> Using Oracle Enterprise Version 10.2.0.3, we plan on keeping up with the
> latest security patches.
>
> Mark Cochran
> Oracle DBA, Staples, Inc.
> 508.253.8408
>
>

-- 
=========================

Stefan P Knecht
Senior Consultant
Infrastructure Managed Services

Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg

Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27
stefan.knecht_at_trivadis.com
http://www.trivadis.com

OCP 9i/10g SCSA SCNA
=========================

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 30 2008 - 12:27:07 CDT
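
The realm setup that the reply above describes doing through the Database Vault GUI, written against the DVSYS.DBMS_MACADM package instead. This is an added example, not part of the original message; the realm name, the schema APP_OWNER, the table CARD_DATA and the account APP_ADMIN are hypothetical.

```sql
-- Added example; every object and account name here is hypothetical.
-- Run as the Database Vault owner account (the one holding DV_OWNER),
-- not as a DBA: keeping those two roles apart is the point of the option.
BEGIN
  -- 1. A realm is a named protection boundary around a set of objects.
  --    Failed access attempts are audited.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Card Data Realm',
    description   => 'Blocks system-privilege access to card data',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Place the sensitive table inside the realm.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Card Data Realm',
    object_owner => 'APP_OWNER',
    object_name  => 'CARD_DATA',
    object_type  => 'TABLE');

  -- 3. Authorize only the accounts that legitimately have to reach the
  --    table through system ("ANY") privileges. Accounts that are not
  --    listed, a DBA with SELECT ANY TABLE included, are denied.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Card Data Realm',
    grantee      => 'APP_ADMIN',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Review what is actually in force: the realm, its objects, its grantees.
SELECT name, enabled
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'Card Data Realm';

SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'Card Data Realm';

SELECT realm_name, grantee, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'Card Data Realm';
```

A realm restricts access that comes through system privileges; direct object grants on CARD_DATA still apply and have to be reviewed separately, and, as the reply notes, none of this constrains the operating system account that owns the Oracle software.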