Re: Oracle environment privileges

From: Sherrie Kubis <Sherrie.Kubis_at_swfwmd.state.fl.us>
Date: Mon, 25 Jan 2016 13:31:58 +0000
Message-ID: <BY1PR09MB0535DA46362808B0D63BDB8289C70_at_BY1PR09MB0535.namprd09.prod.outlook.com>



We follow The Least Privilege Principle.

Our Development environment is open to developers; they have access to the schemas and accounts for the project they are working on. In this area, they are expected to refine their database objects and application so that it works further up the lifecycle stack.

These are the accounts we implement: [attached image image003.jpg, not reproduced]

This separates data from code. For example, the database architect or project lead works with the OWNER account, while the development team writes code and uses the DAL account. We like this because not all developers are database savvy, and it keeps the database structure in a few hands. For almost all of our data, the VIEW account is given freely.

When it's time to move up the stack, the OWNER and DAL accounts are controlled. Objects are promoted through a request and logged through change management. A developer or architect requests the information, the project manager coordinates the deployment with the application server admins, and the DBA performs the deployment. We keep a record of what was done, how long it took, who did the work, the input and the output.

Our Acceptance environment is controlled and is a place to validate that the database and application work as expected.

When a Production deployment occurs, in most cases it's easier and smoother than Acceptance because we've already worked out the issues.

The Enterprise Data Architect has a privileged account to travel freely in all 3 environments.

The foundation of the principle of least privilege is that users, groups of users, and applications are given no more privilege than necessary to perform a job. Conversely, they need to be given enough to do their job. We work closely together to make sure that happens. Over the years I've had a few, mostly consultants, complain about too much control. Mostly the developers are glad to have the structure and assurance that they don't need to worry about upper environments.

Oracle document https://docs.oracle.com/cd/B28359_01/network.111/b28531/guidelines.htm



Sherrie Kubis
Sr. Oracle DBA
Information Technology Bureau
Southwest Florida Water Management District
2379 Broad Street
Brooksville, FL 34604-6899
352.796.7211 x4033
sherrie.kubis_at_swfwmd.state.fl.us

IMPORTANT NOTICE
E-mails made or received in conjunction with the official business of the District are public records. All e-mails sent to and from this address are automatically archived. For more information regarding the State of Florida public records laws, please visit www.myflorida.com.


--
http://www.freelists.org/webpage/oracle-l


Received on Mon Jan 25 2016 - 14:31:58 CET
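The OWNER / DAL / VIEW split described in the message above, as an added example that is not part of the original post and not the poster's own scripts. It shows one way to realise that split in Oracle: the schema owner gets only the CREATE privileges it needs, the DAL account gets DML on explicitly granted objects, the VIEW account gets SELECT only, and a final query checks that nothing else crept in. All names (APP_OWNER, APP_DAL, APP_VIEW, tablespace APP_DATA, the CUSTOMER table, the placeholder passwords) are assumptions chosen for the example. Run as a DBA.

```sql
-- Added example, not from the original post. Names and passwords are placeholders.

-- OWNER: owns the data structures. Only the CREATE privileges it needs; no DBA,
-- no ANY-style privileges (CREATE ANY TABLE, SELECT ANY TABLE), no RESOURCE role.
CREATE USER app_owner IDENTIFIED BY "Change-Me-Owner-1"
  DEFAULT TABLESPACE app_data QUOTA UNLIMITED ON app_data;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE TRIGGER, CREATE TYPE, CREATE SYNONYM TO app_owner;

-- DAL and VIEW: no quota and no CREATE privileges at all, so they cannot create
-- or alter objects. They can only touch what OWNER explicitly grants them.
CREATE USER app_dal  IDENTIFIED BY "Change-Me-Dal-1"  DEFAULT TABLESPACE app_data QUOTA 0 ON app_data;
CREATE USER app_view IDENTIFIED BY "Change-Me-View-1" DEFAULT TABLESPACE app_data QUOTA 0 ON app_data;
GRANT CREATE SESSION TO app_dal, app_view;

-- A sample object in the OWNER schema (placeholder) and the minimal grants.
-- DAL gets DML, VIEW gets SELECT only. Neither gets WITH GRANT OPTION, so
-- privileges cannot be re-granted onward.
CREATE TABLE app_owner.customer (
  customer_id NUMBER        PRIMARY KEY,
  name        VARCHAR2(100) NOT NULL,
  created_on  DATE          DEFAULT SYSDATE NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.customer TO app_dal;
GRANT SELECT ON app_owner.customer TO app_view;

-- Private synonyms so DAL/VIEW code does not hard-code the owner schema name;
-- the application then keeps working if OWNER is renamed between environments.
CREATE SYNONYM app_dal.customer  FOR app_owner.customer;
CREATE SYNONYM app_view.customer FOR app_owner.customer;

-- Upper environments (Acceptance, Production): one way to "control" OWNER is to
-- lock it. The DBA deploys on its behalf, e.g. through a proxy user or
-- ALTER SESSION SET CURRENT_SCHEMA, without a shared OWNER password in circulation.
ALTER USER app_owner ACCOUNT LOCK;

-- Check: what can each account actually do? For a correct setup this returns
-- exactly the grants above: APP_DAL with SELECT/INSERT/UPDATE/DELETE on CUSTOMER,
-- APP_VIEW with SELECT on CUSTOMER, and only the CREATE SESSION / CREATE x
-- system privileges listed above. Any ANY-privilege, DBA, or RESOURCE row here
-- means least privilege has been broken.
SELECT grantee, privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantee IN ('APP_DAL', 'APP_VIEW')
UNION ALL
SELECT grantee, privilege, NULL, NULL
  FROM dba_sys_privs
 WHERE grantee IN ('APP_OWNER', 'APP_DAL', 'APP_VIEW')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role, NULL, NULL
  FROM dba_role_privs
 WHERE grantee IN ('APP_OWNER', 'APP_DAL', 'APP_VIEW')
 ORDER BY 1, 2;
```

The check query is the part worth keeping around: run it after every promotion through change management, and diff the output against the approved grant list for the project. A new row in DBA_SYS_PRIVS or DBA_ROLE_PRIVS for the DAL or VIEW account is the usual way "temporary" developer grants survive into Production.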
