Re: update statement PL/SQL
Galen Boyer wrote:
> On Sat, 30 Apr 2005, damorgan_at_x.washington.edu wrote:
>
>>So if complying with federal law requires FGAC and FGA and other
>>capabilities built into 9i and 10g so be it. If in the EU you don't
>>have laws equivalent to SarbOx you have far less incentive to
>>upgrade.
The issue here is a bit more complex. End users access databases via front-end tools, so compliance relates to certifying the tool and auditing changes to the tool. Developers don't count because they are not allowed into production systems that are SarbOx compliant, and if for some reason they do gain access, it is fully audited, which, of course, could be done in just about any version of Oracle.
The issue that causes the grief before 9i is the ability to audit the actions of DBAs. In any version of Oracle prior to 9i, auditing a DBA logging in as SYS or INTERNAL is essentially impossible. If you can construct a method of auditing ... they can defeat it.
So it isn't about SQL*Plus vs. some other tool. It isn't even about the privileges one has when logging on, but rather about auditing and accountability. If any value is changed, the C-level management can be criminally liable if they can't create an audit trail not all that different from a "chain-of-evidence" audit trail the police use when handling evidence in a criminal case.
Of course it is in your best interest to keep everyone and everything possible out of production as it minimizes risk. But it is not the access or the tool, in and of itself, that is the issue.
HTH
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)

Received on Sun May 01 2005 - 12:55:20 CDT