Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: sysadmin access

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Wed, 02 Jul 2003 08:56:48 -0700
Message-ID: <3F0300BF.5286CFDE@exxesolutions.com>


Hans Forbrich wrote:

> scott wrote:
>
> > Our IS director is insisting that he needs sysadmin access to our
> > Oracle Applications instance, I however disagree. Is there a good
> > rule of thumb for who does and does not need sysadmin privs to the
> > DB/Apps? I need some ammo.
>
> Some base variants I can think of:
>
> 1) Fight the boss and risk your job. If he's serious about getting
> access, he'll hire someone who'll give it to him;
>
> 2) Give him access, and start a CYA log of all your activity. My
> experience is this kind of request at that level means there will be
> some background data manipulation OR background security investigation;
>
> 3) Give him pseudo access through a specially tailored userid;
>
> 4) There may be a legitimate reason for this. Have a frank discussion
> with him and ask for justification. Simply put, you have a position of
> responsibility and you are now asking whether that responsibility is
> being changed.

I favor the 'Just Say No' point of view but that does likely risk one losing their job. But I do like your #3.

How about the following:
1. Create a specific role.
2. Make sure that all transactions from the role's owner are audited using DDL and AFTER LOGON triggers.
3. Write a DDL trigger that makes it impossible to CREATE, DROP, ALTER, or TRUNCATE anything and code the trigger such that it sends an email or logs whenever an attempt is made.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Wed Jul 02 2003 - 10:56:48 CDT
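
The three steps proposed in the reply above, sketched in Oracle SQL and PL/SQL as an added example that is not part of the original post. The account `IS_DIRECTOR`, the role `IS_DIRECTOR_RO`, the existing schema `SEC_ADMIN` and all object names are assumptions, the triggers key on the account name rather than on role membership, and the attempt is logged to a table rather than e-mailed.

```sql
-- Added example; every name below is hypothetical. Run as a DBA that holds
-- ADMINISTER DATABASE TRIGGER. Step 1: a role carrying only what is justified.
CREATE ROLE is_director_ro;
GRANT CREATE SESSION TO is_director_ro;
GRANT is_director_ro TO is_director;

CREATE TABLE sec_admin.access_audit_log (
  event_time   TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user      VARCHAR2(128),
  os_user      VARCHAR2(128),
  host         VARCHAR2(256),
  event        VARCHAR2(30),
  object_type  VARCHAR2(30),
  object_owner VARCHAR2(128),
  object_name  VARCHAR2(128)
);

CREATE OR REPLACE PROCEDURE sec_admin.log_access_event (
  p_event VARCHAR2, p_type VARCHAR2, p_owner VARCHAR2, p_name VARCHAR2
) AS
  PRAGMA AUTONOMOUS_TRANSACTION;  -- the log row survives the rollback of the blocked DDL
BEGIN
  INSERT INTO sec_admin.access_audit_log
    (db_user, os_user, host, event, object_type, object_owner, object_name)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'HOST'), p_event, p_type, p_owner, p_name);
  COMMIT;
END;
/

-- Step 2: record every logon of the account.
CREATE OR REPLACE TRIGGER sec_admin.trg_is_director_logon
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'IS_DIRECTOR' THEN
    sec_admin.log_access_event('LOGON', NULL, NULL, NULL);
  END IF;
END;
/

-- Step 3: log the attempt, then refuse the DDL statement.
CREATE OR REPLACE TRIGGER sec_admin.trg_is_director_no_ddl
BEFORE CREATE OR ALTER OR DROP OR TRUNCATE ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'IS_DIRECTOR' THEN
    sec_admin.log_access_event(ora_sysevent, ora_dict_obj_type,
                               ora_dict_obj_owner, ora_dict_obj_name);
    RAISE_APPLICATION_ERROR(-20001, 'DDL is not permitted for this account');
  END IF;
END;
/
```

These triggers constrain the account only while it cannot disable them: a SYSDBA connection, or an account holding ALTER ANY TRIGGER together with ADMINISTER DATABASE TRIGGER, can switch them off, so the role must not carry those privileges.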
