Re: How to Limit OEM12c user access

From: Hans Forbrich <fuzzy.graybeard_at_gmail.com>
Date: Mon, 06 Aug 2012 11:47:37 -0600
Message-ID: <50200339.4010906_at_gmail.com>

When I teach developers, the first 3 things I tell them are

"you can not develop in isolation - you need to collaborate with your DBAs"

"performance and security can not be afterthoughts, unless you plan on releasing a prototype, to be redone when performance and security specs are ready"

"SQL is SQL is SQL, yes. But that is on a single statement level. The vendor differences come at the concurrency and transaction level."

When I teach DBAs, the first 3 things I tell them are

"When it comes to privileges, Einstein was right - as few as possible, but not too few"

"you can no longer administer in isolation - you need to collaborate with, and perhaps guide, your developers"

"there are too many overtrained Oracle7 DBAs out there. Things (besides the number) have changed since Oracle7 and we need to use current admin skills."

So I'm +1 with Tim, Kellyn, and Pete.

Yes, I understand that some information, including trace files, can lead to breach of security. Better to understand and fix those holes (via SR if possible) than to simply put a moat around them.

/Hans

On 06/08/2012 9:10 AM, Peter Sharman wrote:
> I'm with Tim and Kellyn on this one. Other than the security / privacy issues that Tim alludes to, I think as DBA's we have for far too long blocked access to useful information for developers - and that doesn't contradict the quote in my signature! ;)
>
> Obviously 12c has a lot more privileges, and a lot more fine grained ones than we had in previous releases, but I can't see why you wouldn't let them view database configuration information.
>
> Pete
>
> Pete Sharman
> Principal Product Manager
> Enterprise Manager Product Suite
> 33 Benson Crescent CALWELL ACT 2905 AUSTRALIA
> Phone: +61262924095 | | Fax: +61262925183 | | Mobile: +61414443449
>
> "Controlling developers is like herding cats."
> Kevin Loney, Oracle DBA Handbook
>
> "Oh no, it's not, it's much harder than that!"
> Bruce Pihlamae, long term Oracle DBA
>
>
>
> -----Original Message-----
> From: Tim Gorman [mailto:tim_at_evdbt.com]
> Sent: Monday, 6 August 2012 6:49 AM
> To: oracle-l_at_freelists.org
> Subject: Re: How to Limit OEM12c user access
>
>> Anyway, I think it is because we want to keep dev access to prod
>> environments to a minimum. And having access to data they don't need
>> is, as a rule, a bad idea.
> The phrase "/access to data they don't need/" might bear closer examination?
>
> One of the keys to hacking is account names, which might even fall into the category of "PII" (i.e. personally identifiable information), so there is clear objection to that information, and I think it would be easy to argue that developers don't need this. Heck, I'd argue that vice presidents and CIOs don't need that, but that's another story.
>
> But if this community of users has already been given access to EM12c for the purpose of performance monitoring in production, then it is quite natural and justifiable for them to be able to view database configuration information. Knowing SGA and PGA settings is important; knowing what features have been enabled and how (i.e. parallel execution, star transformation, etc) is important. So, I can't see this information falling into the category of "/data they don't need/", as that would contradict the mandate they've already been granted.
>
> Just my US$0.02...
>
>
>
> On 8/5/2012 2:04 PM, Guillermo Alan Bort wrote:
>> I'm sad to say that the answer to your question is simply "because my
>> boss asked me".
>> Anyway, I think it is because we want to keep dev access to prod
>> environments to a minimum. And having access to data they don't need
>> is, as a rule, a bad idea.
>>
>> Cheers
>> Alan.-
>>
>>
>> On Sun, Aug 5, 2012 at 4:10 PM, kellyn.potvin_at_ymail.com <
>> kellyn.potvin_at_ymail.com> wrote:
>>
>>> Question, as I'm curious... What is your concern regarding the
>>> developers viewing this information?
>>> I can understand and support the idea of removing an option to change
>>> db parameters or create a user, but viewing? I just don't understand
>>> the requirement or the need for control...
>>>
>>> Kelly Pot'Vin
>>> Sr. Technical Consultant
>>> Enkitec
>>>
>>>
>>> From my Android phone on T-Mobile. The first nationwide 4G network.
>>>
>>>
>>> -------- Original message -------- Subject: How to Limit OEM12c user
>>> access From: Guillermo Alan Bort ** To: oracle-l_at_freelists.org CC:
>>>
>>> Hi List,
>>> This question goes to those of you who use OEM12c.
>>>
>>> We have a set of developers that want to access OEM to monitor
>>> performance in a database. I've found a way to allow them read only
>>> access to that database and only that database. However they can do
>>> things other than monitoring performance (like viewing the list of
>>> users in the database or even spfile parameters).
>>> I tried creating a user on the DB with this account and I
>>> couldn't, but I would like to completely remove the options from OEM.
>>> I just want them to be able to view the performance related tabs.
>>>
>>> Has anybody done something like this?
>>>
>>> Cheers
>>> Alan.-
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Mon Aug 06 2012 - 12:47:37 CDT

This message: [ Message body ]
Next message: Tim Gorman: "Fwd: RMOUG Training Days 2013 - Call for Papers Now Open!"
Previous message: Peter Sharman: "RE: How to Limit OEM12c user access"
In reply to: Peter Sharman: "RE: How to Limit OEM12c user access"
Next in thread: Dba DBA: "Re: How to Limit OEM12c user access"
Reply: Dba DBA: "Re: How to Limit OEM12c user access"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message