RE: Server Admin Privileges

From: Mark W. Farnham <mwf_at_rsiz.com>
Date: Tue, 15 Oct 2013 11:15:14 -0400
Message-ID: <021101cec9b9$5a3923f0$0eab6bd0$_at_rsiz.com>



The classic solution to this sort of problem is having more than one log on id.

So your normal log in id would not have administrator privileges and you would do most of your activities that way.

Your extraordinary log in id would have administrator privileges and you would only use it when required.

An old protocol invented at Burlington Coat was for operations (in this case for UNIX systems, but it translates well) to have a person's sudo root password in the safe. When a root-authorized DBA needed root privileges, the call was to the 24 hour a day operations center (not needing to wake a sys admin). The operator got the relevant envelope from the safe, logged the event, and the DBA proceeded, carefully logging (the script command in UNIX was very useful for this), and reporting back to operations when the activity was complete.

Then the operator followed a set of instructions to change the password and put a new envelope in the safe.

In this way the sys admin group was completely informed of every activity that transpired AND the dba had documentation of everything done as root.

I hope this helps. I cannot remember whether this was documented in the Massive Systems Operating Systems Environment Standards (MOSES) or not. I'm not even sure whether the MOSES documents are still available from Oracle.

Good luck,

mwf

-----Original Message-----

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Backseat DBA
Sent: Monday, October 14, 2013 8:25 PM
To: oracle-l_at_freelists.org
Subject: Server Admin Privileges

We run Windows Server 2008 and we recently set up Database Vault and Encryption (for Production and not Test/Dev) but because we are kind of a small shop and in order to make sure I don't disable DV and encryption copy off the wallet file, I had to loose my Admin privileges on the box. Is anybody else in this same situation? Do you not have Admin privileges to the server, is it normal? I find it annoying to have to ask the server admins for help with changing the backup schedules or delete log files.

--

http://www.freelists.org/webpage/oracle-l

--

http://www.freelists.org/webpage/oracle-l Received on Tue Oct 15 2013 - 17:15:14 CEST

Original text of this message