Re: Dormant database user accounts

From: MARK BRINSMEAD <mark.brinsmead_at_gmail.com>
Date: Mon, 16 Mar 2015 12:47:38 -0400
Message-ID: <CAAaXtLDqEcs4DX7UkbbfbtroHrvEEwbjNE1DYQLkq38KTZoR5A_at_mail.gmail.com>



Indeed.

Checking your "infosec" policies first would be an excellent idea.

An excellent (and not entirely uncommon) policy is that "*user accounts may never be deleted*" -- or, perhaps more properly "*userids may never be reused*". They're not the same thing, but in Oracle, probably not too far off.

Lots of sites do AUDITING. Those who do feel a perverse need to attribute audited actions to specific individuals. When accounts get deleted, or worse, userids are reused, the attributions in the audit data will probably stop working properly -- you either lose track of to whom to attribute an action, or you attribute it to the wrong person.

There's a fair-to-middling chance that your security officer would prefer that you keep dormant accounts *locked* and *expired* (and keep them that way indefinitely), rather than deleting them.

Even if there *aren't* already policies like this in place, perhaps there should be. You might be doing people a favour by suggesting it before you start deleting old accounts.

On Mon, Mar 16, 2015 at 10:08 AM, Niall Litchfield <niall.litchfield_at_gmail.com> wrote:

> You might well already have policies on this, and I'd definitely want to
> match your infosec requirements rather than present them with a fait
> accompli. I'd add a couple of things that haven't been touched on so far.
>
> 1. You need to make arrangements to catch the replies to the emails so
> you'll need to make sure any mail sent to the reply-to address gets to the
> right people and doesn't, for example, end up in the same place as all your
> EM notifications.
> 2. No-one seems to have remarked that it is really not at all unusual
> for people to be validly away from work for more than 3 months and that you
> probably don't want to delete such accounts, though you may well wish to
> lock them early.
>
>
> ...

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Mar 16 2015 - 17:47:38 CET
