Re: limited DBA privileges
Date: Wed, 30 Apr 2008 23:26:55 +0200
What I meant was once it's set up to protect a certain schema or whatever, no Oracle knowledge is required to add new users to a realm. All you really need to know is "this is what protects your sensitive data and this is the list of users that have access to it". And with a few clicks (urks I sound like someone who likes GUIs) you can change those users.
Of course the whole configuration that needs to take place can't be done without an intimate knowledge of how Oracle works. That however can be done by a DBA, and monitored / verified by a 3rd party who will then transfer the "password" to someone outside the DBA team.
Mind you some environments that change very frequently might be an exception to this, but it works for the ones I've done so far, where realms don't change after initial creation, only new users get added or removed from realms.
PS Also disregarding the potential "workarounds" a DBA could perform to gain access ;-)
On Wed, Apr 30, 2008 at 10:59 PM, Niall Litchfield < niall.litchfield_at_gmail.com> wrote:
> On Wed, Apr 30, 2008 at 6:27 PM, Stefan Knecht <knecht.stefan_at_gmail.com>
> > You don't necessarily need someone with a lot of Oracle skills to be the
> > "guy in charge" of who can see what data. Database vault comes with a GUI
> > that is rather easy to use, and can be used by virtually anyone to enable /
> > disable access to certain tables, once a the groundworks have been laid and
> > the setup is complete.
> You *will* need someone who understands what a schema is, what the
> difference between ALTER TABLE and ALTER VIEW for example, who understands
> what the schema objects are and what the columns are, can write a bit of
> PL/SQL to create factor functions if necessary and so on.
> My core point though is that whoever the dv admin is, they shouldn't be in
> the same reporting line as the IT team. They should really be in the
> "Business" but they do need to have a working knowledge of Oracle server
> technology. Allowing the DBA or similar to setup dv would be a somewhat
> fatal breach of the idea. I agree with the version recommendation though
> (11g would be as good or better).
> > --
> > Niall Litchfield
> > Oracle DBA
> > http://www.orawin.info
-- ========================= Stefan P Knecht Senior Consultant Infrastructure Managed Services Trivadis AG Europa-Strasse 5 CH-8152 Glattbrugg Phone +41-44-808 70 20 Fax +41-808 70 12 Mobile +41-79-571 36 27 stefan.knecht_at_trivadis.com http://www.trivadis.com OCP 9i/10g SCSA SCNA ========================= -- http://www.freelists.org/webpage/oracle-lReceived on Wed Apr 30 2008 - 16:26:55 CDT