Re: limited DBA privileges
Date: Wed, 30 Apr 2008 19:27:07 +0200
As Niall suggested, you can do just that with database vault -- a new enterprise edition option introduced with 10.2.0.2.
I would however suggest that you upgrade to 10.2.0.4 before attempting to use it, as some critical security bugs have been fixed in that release.
You don't necessarily need someone with a lot of Oracle skills to be the "guy in charge" of who can see what data. Database vault comes with a GUI that is rather easy to use, and can be used by virtually anyone to enable / disable access to certain tables, once the groundwork has been laid and the setup is complete.
Of course, a typical DBA will also have to install patches on a database and stuff like that, and database vault cannot protect you against the operating system oracle user (the software owner to be more specific).
Furthermore, there just is nothing else out there that allows you to implement something like this. As soon as you're giving away "ANY"-privileges, you're giving away your data. And a DBA won't be able to do much without having been granted system privileges.
On Wed, Apr 30, 2008 at 12:27 AM, Cochran, Mark <Mark.Cochran_at_staples.com> wrote:
> As part of a company-wide security initiative, I've been tasked with
> coming up with an implementation of limited DBA privileges. Specifically, a set
> of database privileges that allow a user with these privileges to maintain
> the database (e.g., add/resize datafiles; create and modify tablespaces;
> create, alter and move tables; create, alter and rebuild indexes; query the
> data dictionary), while restricting that user from querying sensitive data
> in specific tables (e.g., credit card data).
> Has anyone encountered such a requirement before? Any suggestions? Can
> you point me toward any examples of how to create such a role?
> Using Oracle Enterprise Version 10.2.0.3, we plan on keeping up with the
> latest security patches.
> Mark Cochran
> Oracle DBA, Staples, Inc.
--
=========================
Stefan P Knecht
Senior Consultant
Infrastructure Managed Services
Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg
Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27
stefan.knecht_at_trivadis.com
http://www.trivadis.com
OCP 9i/10g SCSA SCNA
=========================
--
http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 30 2008 - 12:27:07 CDT
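
The remark in the reply about "ANY" privileges can be checked on a running database. The query below is an added example, not part of the original thread and not Database Vault code; it assumes read access to the standard DBA_USERS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views and lists every user who holds an ANY system privilege, either directly or through nested roles.

```sql
-- Added example: audit of "ANY" system privileges per database user.
-- Assumes the session can read the DBA_* dictionary views.
WITH role_tree AS (
  -- Walk role grants from every grantee down through nested roles.
  -- No START WITH clause: each row is treated as a root, so every
  -- grantee (user or role) gets its full chain of inherited roles.
  SELECT CONNECT_BY_ROOT grantee                   AS top_grantee,
         granted_role,
         SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS grant_path
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- ANY privileges granted straight to the user
SELECT u.username,
       sp.privilege,
       'direct grant' AS granted_via
FROM   dba_users u
       JOIN dba_sys_privs sp ON sp.grantee = u.username
WHERE  sp.privilege LIKE '% ANY %'
UNION
-- ANY privileges inherited through one or more roles
SELECT u.username,
       sp.privilege,
       SUBSTR(rt.grant_path, 5) AS granted_via   -- drop the leading ' -> '
FROM   dba_users u
       JOIN role_tree rt     ON rt.top_grantee = u.username
       JOIN dba_sys_privs sp ON sp.grantee     = rt.granted_role
WHERE  sp.privilege LIKE '% ANY %'
ORDER  BY 1, 2, 3;
```

Each row names the user, the privilege, and the role chain that delivers it, which shows which role grants would have to be reworked before a restricted DBA role can keep its holder away from sensitive tables.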