Re: Dormant database user accounts

From: Niall Litchfield <niall.litchfield_at_gmail.com>
Date: Mon, 16 Mar 2015 14:08:25 +0000
Message-ID: <CABe10sY5W63Crf0GLMxptgpYuMXLjJJYwZmVeVBXgd8JGxKHwQ_at_mail.gmail.com>



You might well already have policies on this, and I'd definitely want to match your infosec requirements rather than present them with a fait accompli. I'd add a couple of things that haven't been touched on so far.
  1. You need to make arrangements to catch the replies to the emails so you'll need to make sure any mail sent to the reply-to address gets to the right people and doesn't, for example, end up in the same place as all your EM notifications.
  2. No-one seems to have remarked that it is really not at all unusual for people to be validly away from work for more than 3 months and that you probably don't want to delete such accounts, though you may well wish to lock them early.

On Mon, Mar 16, 2015 at 1:35 PM, Leroy Kemnitz <lkemnitz_at_uwsa.edu> wrote:

> Thanks for all of the good input on this.
>
> To answer some of the questions – Yes, I am auditing user logins. So I am
> querying the audit views to find the user accounts that were used in the
> last year and a half, then comparing them to the actual list of users set up
> in the database. Also, these accounts are the human accounts – they don’t
> own any objects. My application owner logins are separate.
>
> So it does sound like 90 days is the avg time to expire a password. The
> user is then sent an email alerting them to the change. Then after about 6
> months of inactivity, the locked accounts are deleted.
>
> That completely makes sense to me... now to convince the security officer.
>
> LeRoy
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *Jithin Sarath
> *Sent:* Friday, March 13, 2015 2:44 PM
> *To:* mcolmenares_at_newtechsistemas.com.ve
> *Cc:* mark.powell2_at_hp.com; oracle-l_at_freelists.org
>
> *Subject:* Re: Dormant database user accounts
>
> What we use is a mix of profiles and custom code.
>
> We have all human users assigned to a specific profile. Other accounts,
> which are used by applications / interfaces etc are assigned to separate
> profiles. The human user profile is set to expire password every 90 days.
>
> We then have some custom code, which runs to see if a user account is
> expired and has been in that state for 45 days; we lock it and generate an
> email to the user (the username and email are linked in a custom table).
> There is another process which picks up accounts locked for over 90 days
> and cleans them up.
>
> --Jithin
>
> On Fri, Mar 13, 2015 at 3:38 PM, Marcos Colmenares H. <
> mcolmenares_at_newtechsistemas.com.ve> wrote:
>
> I'm with Mark on this one ... I would start sending emails about account
> closure .. then instead of deleting them I would change the passes for a
> month or two... once you change the pass people will either ask why it's not
> working or it's just not needed ...
>
> I would also document all the actual account data (grants and such)
> and keep it in a document just in case you need to re-create it.
>
> Saludos Cordiales,
>
> Marcos Colmenares H
>
> --
>
> 2015-03-13 14:52 GMT-04:30 Powell, Mark <mark.powell2_at_hp.com>:
>
> If you are going to notify the user I think you should send the email X
> days prior to deleting the account.
>
> *From:* oracle-l-bounce_at_freelists.org [mailto:
> oracle-l-bounce_at_freelists.org] *On Behalf Of *Andrew Kerber
> *Sent:* Friday, March 13, 2015 11:06 AM
> *To:* lkemnitz_at_uwsa.edu
> *Cc:* oracle-l_at_freelists.org
> *Subject:* Re: Dormant database user accounts
>
> You need to be a little cautious about this. We have accounts that own
> objects that we never log in to. But the objects are critical.
>
> On Thu, Mar 12, 2015 at 3:05 PM, Leroy Kemnitz <lkemnitz_at_uwsa.edu> wrote:
>
> All –
>
> We are currently having a discussion in house about user accounts in the
> databases that are considered ‘dormant’ or unused. I want to set a limit
> of one year. If after one year the account has not been used at all, then
> I want to delete the account and send an email to the last known email
> address informing the customer. How do other places handle this
> situation? Do you lock the accounts and then notify customers – then
> delete if no response in 2 weeks? What time limits are other people
> using? I see some people use 90 days of not logging in to flag an
> account as ‘dormant’.
>
> LeRoy
>
> --
>
> Andrew W. Kerber
>
> 'If at first you don't succeed, don't take up skydiving.'
>

-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
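The process Jithin describes (90-day password expiry via a profile, lock after 45 days expired, clean up after 90 days locked), with Andrew's object-owner caveat and Niall's point about long absences folded in, as an added Oracle SQL/PL/SQL sketch that is not code from anyone on this thread. The profile name HUMAN_USERS and the tables USER_CONTACT and DORMANT_ACCOUNT_LOG are assumptions made for the example.

```sql
-- Assumed names (not from the thread): profile HUMAN_USERS, USER_CONTACT(username, email), DORMANT_ACCOUNT_LOG.
CREATE PROFILE human_users LIMIT
  PASSWORD_LIFE_TIME  90   -- password expires after 90 days
  PASSWORD_GRACE_TIME 7;   -- warning period before logins are refused

-- Step 1 (scheduled job): lock human accounts whose password has been
-- expired for more than 45 days and record who to notify. Accounts that
-- own any object are skipped: they may be schema owners nobody logs into.
BEGIN
  FOR r IN (
    SELECT u.username, c.email
      FROM dba_users u
      LEFT JOIN user_contact c ON c.username = u.username
     WHERE u.profile = 'HUMAN_USERS'
       AND u.account_status = 'EXPIRED'
       AND u.expiry_date < SYSDATE - 45
       AND NOT EXISTS (SELECT 1 FROM dba_objects o WHERE o.owner = u.username)
  ) LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" ACCOUNT LOCK';
    INSERT INTO dormant_account_log (username, action, action_date, notify_email)
    VALUES (r.username, 'LOCK', SYSDATE, r.email);  -- mail job reads this row
  END LOOP;
  COMMIT;
END;
/

-- Step 2: list accounts locked for more than 90 days and keep their DDL and
-- role grants so the account can be re-created. DROP USER stays a reviewed
-- manual step: people are legitimately away for longer than this window.
DECLARE
  v_ddl CLOB;
BEGIN
  FOR r IN (
    SELECT u.username
      FROM dba_users u
     WHERE u.profile = 'HUMAN_USERS'
       AND u.account_status IN ('LOCKED', 'EXPIRED & LOCKED')
       AND u.lock_date < SYSDATE - 90
  ) LOOP
    v_ddl := DBMS_METADATA.GET_DDL('USER', r.username);
    BEGIN
      v_ddl := v_ddl || DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', r.username);
    EXCEPTION WHEN OTHERS THEN NULL;  -- ORA-31608: user holds no roles
    END;
    INSERT INTO dormant_account_log (username, action, action_date, ddl_text)
    VALUES (r.username, 'CLEANUP_CANDIDATE', SYSDATE, v_ddl);
  END LOOP;
  COMMIT;
END;
/
```

The CREATE USER statement returned by DBMS_METADATA carries the password verifier (IDENTIFIED BY VALUES), so the log table needs the same access restrictions as the data dictionary itself.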

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Mar 16 2015 - 15:08:25 CET
