Oracle FAQ Your Portal to the Oracle Knowledge Grid
 

Home -> Community -> Usenet -> c.d.o.server -> Re: privilege to a DBA in Oracle

Re: privilege to a DBA in Oracle

From: Paul Drake <drak0nian_at_yahoo.com>
Date: 3 Jun 2003 20:57:53 -0700
Message-ID: <1ac7c7b3.0306031957.19d6d44@posting.google.com>


nathan_970365_at_yahoo.com (Nathan) wrote in message news:<989d0dbe.0306022027.62ff5fe8_at_posting.google.com>...
> I have created some objects (primarily tables and views) using Oracle
> 8i. Now, after transferring the database to an Oracle server (for
> example, say at a customer site), is it possible to control the access
> privilege of my customer's DBA? To put it in a nutshell, is there a
> way to provide partial access of my objects to a DBA.
>
> Thanks in advance for your help.
>
> Sincerely,
> Nathan

Nathan,

So how, may I ask, will the client site back up this database?

Export? The DDL is all in there to re-create the application schema, with grants.

Physical? Even if there is no passwordfile, controlfile, parameterfile, it would be possible to open a hot or cold backupset (by creating a new controlfile).

RMAN? Provided that the backup controlfile is part of the backup set, someone could restore the database and open it.

What server OS is the database running on? Win32? If the client has an account with the local group "ORA_DBA" granted to it, it can connect as sysdba. *nix? If the client has an account in the dba group, they can connect as sysdba without supplying a password.

You're not likely going to lock out the client site dba from the database.
There are enough holes - that even a well-secured database could likely be hacked, and unless you are seriously auditing it - you'd never know that the dictionary was queried with a reverse-engineering tool or that an export was taken. (or do you review the listener logs daily and have audit session enabled?)

The data that the client puts into the app schema is still their data. They need the ability to get their data back out.

This is an intellectual property issue - not a DBA access issue.

If you want certain data to be not accessible, obfuscate it. Check out http://asktom.oracle.com for lots of good examples.

Good luck.

Paul

Received on Tue Jun 03 2003 - 22:57:53 CDT
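
An added example, not part of the original post: a defender-side check for the *nix case the reply describes, listing every account that belongs to the OS DBA group, including accounts that hold it only as their primary group. It assumes the group is named `dba` and that accounts are defined in local `/etc/group` and `/etc/passwd`; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Members of the OS DBA group can connect as sysdba without a database
# password, so this list is the real set of people with full access.
# Assumption: the group is called "dba" (the name is chosen at install time).

# osdba_members GROUP [GROUP_FILE] [PASSWD_FILE]
# Prints one account per line, sorted and de-duplicated.
# Returns 1 if the group does not exist.
osdba_members() {
    grp=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 1

    {
        # Supplementary members: 4th field of the group entry.
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary members: passwd GID matches. These accounts are NOT
        # listed in the group file, so a plain grep on it misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from any real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
oinstall:x:500:oracle
dba:x:501:oracle,jsmith
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:500:Oracle owner:/home/oracle:/bin/sh
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/sh
backup:x:1002:501:Backup job:/home/backup:/bin/sh
EOF

osdba_members dba "$sample_dir/group" "$sample_dir/passwd"
```

On a real host, call `osdba_members dba` with no file arguments and compare the output against the list of people who are supposed to hold DBA access.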
