Re: limited DBA privileges

From: Stefan Knecht <>
Date: Wed, 30 Apr 2008 19:27:07 +0200
Message-ID: <>


As Niall suggested, you can do just that with database vault -- a new enterprise edition option introduced with

I would however suggest that you upgrade to before attempting to use it, as some critical security bugs have been fixed in that release.

You don't necessarily need someone with a lot of Oracle skills to be the "guy in charge" of who can see what data. Database vault comes with a GUI that is rather easy to use, and can be used by virtually anyone to enable / disable access to certain tables, once a the groundworks have been laid and the setup is complete.

Of course, a typical DBA will also have to install patches on a database and stuff like that, and database vault cannot protect you against the operating system oracle user (the software owner to be more specific).

Furthermore, there just is nothing else out there that allows you to implement something like this. As soon as you're giving away "ANY"-privileges, you're giving away your data. And a DBA won't be able to do much without having been granted system privileges.



On Wed, Apr 30, 2008 at 12:27 AM, Cochran, Mark <> wrote:

> As part of a company-wide security initiative, I've been tasked with
> coming up an implementation of limited DBA privileges. Specifically, a set
> of database privileges that allow a user with these privileges to maintain
> the database (e.g., add/resize datafiles; create and modify tablespaces;
> create, alter and move tables; create, alter and rebuild indexes; query the
> data dictionary), while restricting that user from querying sensitive data
> in specific tables (e.g., credit card data).
> Has anyone encountered such a requirement before? Any suggestions? Can
> you point me toward any examples of how to create such a role?
> Using Oracle Enterprise Version, we plan on keeping up with the
> latest security patches.
> Mark Cochran
> Oracle DBA, Staples, Inc.
> 508.253.8408


Stefan P Knecht
Senior Consultant
Infrastructure Managed Services

Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg

Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27


Received on Wed Apr 30 2008 - 12:27:07 CDT

Original text of this message