Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Segregation of Duties - IT Team

Re: Segregation of Duties - IT Team

From: DA Morgan <damorgan_at_psoug.org>
Date: Mon, 21 Nov 2005 18:16:42 -0800
Message-ID: <1132625812.812726@yasure>


milosnik.boczku_at_gmail.com wrote:
> Could you please help me to solve the following problem? I am a newbie in
> the world of databases / Oracle. What are the best practices in the SOD
> creation for IT Team for DB server? What (default) levels of IT Access
> are on an average DB server? (superuser, backup operator, developer,
> else???). Who should have access to production, dev, QA servers; who
> should not? What roles may be assigned to the 1 IT User to keep DB
> secured against accidental modification?
>
> Thanks a lot,
> MB

Only a single person should have administrative access to any production Oracle server with a backup that can fill in if they are unavailable when an incident is reported.

Developers and testers should not be let onto the same subnet.

The best additional protection against anyone getting in that doesn't belong there is AFTER LOGON triggers that report by immediate email to IT management any unauthorized access. The best solution to modifications being made is DDL triggers that prevent any DDL unless they are disabled ... also causing an email to be immediately sent to IT management.

All precautions though are worthless if management is not willing to resort to a lead pipe from time-to-time and throw policy violators out the door.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Mon Nov 21 2005 - 20:16:42 CST
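
A sketch of the two triggers described in the reply above, added here as an example and not part of the original post. The schema `SEC_ADMIN`, the table `AUTHORIZED_LOGONS`, the procedure and trigger names and the mail addresses are all assumptions, as is an installed `UTL_MAIL` package with `SMTP_OUT_SERVER` configured; it reads "unless they are disabled" as: the only DDL let through is an `ALTER TRIGGER` on the blocking trigger itself, and that is mailed too.

```sql
-- Added example. All SEC_ADMIN object names and addresses are hypothetical.
CREATE TABLE sec_admin.authorized_logons (
  username VARCHAR2(128) PRIMARY KEY      -- accounts expected on production
);

CREATE OR REPLACE PROCEDURE sec_admin.notify_it (p_subject VARCHAR2, p_body VARCHAR2) AS
BEGIN
  UTL_MAIL.SEND(sender     => 'oracle-prod@example.com',
                recipients => 'it-management@example.com',
                subject    => p_subject,
                message    => p_body);
END;
/

-- Report any logon by an account that is not on the authorized list.
CREATE OR REPLACE TRIGGER sec_admin.trg_report_logon
AFTER LOGON ON DATABASE
DECLARE
  v_known PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO v_known
    FROM sec_admin.authorized_logons
   WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
  IF v_known = 0 THEN
    sec_admin.notify_it(
      'Unauthorized logon: ' || SYS_CONTEXT('USERENV', 'SESSION_USER'),
      'OS user ' || SYS_CONTEXT('USERENV', 'OS_USER') ||
      ' from host ' || SYS_CONTEXT('USERENV', 'HOST') ||
      ' (' || SYS_CONTEXT('USERENV', 'IP_ADDRESS') || ')');
  END IF;
EXCEPTION
  WHEN OTHERS THEN NULL;  -- a mail outage must not lock every user out; the alert is lost
END;
/

-- Mail every DDL attempt, then reject it. A mail failure also rejects it (fails closed).
CREATE OR REPLACE TRIGGER sec_admin.trg_block_ddl
BEFORE DDL ON DATABASE
BEGIN
  sec_admin.notify_it(
    'DDL attempt on production by ' || ora_login_user,
    ora_sysevent || ' ' || ora_dict_obj_type || ' ' ||
    ora_dict_obj_owner || '.' || ora_dict_obj_name);
  -- Only ALTER TRIGGER on this trigger passes; a NULL comparison falls through to the error.
  IF ora_sysevent = 'ALTER' AND ora_dict_obj_type = 'TRIGGER'
     AND ora_dict_obj_owner = 'SEC_ADMIN' AND ora_dict_obj_name = 'TRG_BLOCK_DDL' THEN
    RETURN;
  END IF;
  RAISE_APPLICATION_ERROR(-20001, 'DDL is blocked; disable TRG_BLOCK_DDL under change control');
END;
/
```

The trigger owner needs the `ADMINISTER DATABASE TRIGGER` privilege and a direct `EXECUTE` grant on `UTL_MAIL`.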
