
Re: sysadmin access

From: Joel Garry <joel-garry_at_home.com>
Date: 2 Jul 2003 13:52:14 -0700
Message-ID: <91884734.0307021252.769dcf17@posting.google.com>


swordss_at_t-com.com (scott) wrote in message news:<e13893d8.0307011015.6879a392_at_posting.google.com>...
> Our IS director is insisting that he needs sysadmin access to our
> Oracle Applications instance, I however disagree. Is there a good
> rule of thumb for who does and does not need sysadmin privs to the
> DB/Apps? I need some ammo.

Besides what the others have said, you should explicitly delineate between having godlike access for emergencies, "look around" access, and general admin access. Sounds like a job for roles, eh? The first should be handled by some sort of mechanism like having the sys* passwords locked in a safe and an explicit method of contacting someone who can get in, as part of a formal disaster recovery plan. The last should include backup personnel and explicit responsibilities of everyone involved (this is where you CYA). The "look around" access is one of those things that is not handled too easily in the Oracle security model, not because of any failing of Oracle, but as you are perhaps finding out, it painfully delineates boundaries for upper management. What's the use of being the boss if you can't access everything? You might delicately point out to him that the heads of departments that use the apps need to be assured that they can have their privacy (whether true or not, hee hee) - this may divert him into endless meetings about it, or may backfire into giving him unfettered access when they can't agree.

Another tack, which may not be appropriate, is to establish yourself as the top of the technical pecking order by demonstrating some magic that is just beyond the ken of the manager, then giving him some subset of what he wants. This only works if you are indeed at a technical level above him, _and_ he admits honestly to his limitations (or if you are very Machiavellian). It helps if you can present it so that he is helping you do your job by shielding you from the political BS, and you are helping him do his job with your technical expertise.

jg

--
@home.com is bogus.
http://www.signonsandiego.com/news/uniontrib/tue/currents/news_1c1pr.html
Received on Wed Jul 02 2003 - 15:52:14 CDT
