Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Need to protect table from Sysdba

From: <ivl5_at_hotmail.com>
Date: Thu, 02 Aug 2007 18:43:17 -0700
Message-ID: <1186105397.027871.11300@g12g2000prg.googlegroups.com>


On Aug 3, 6:19 am, Jagjeet Singh <jagjeet.ma..._at_gmail.com> wrote:
> Hi ,
>
> This sounds a diff. type of requirement, But we want to implement
> this. Our client wants us
> to manage the database but do not want to see the data on some tables.
>
> We can not implement dbms_obfuscation_toolkit as it would be required
> to change in application
> TDE is available only in 10g, but we have 8i,9i instances.

It's not possible, at least with Oracle-only software. Not sure about third-party solutions which may exist.

> Any other suggestion . ..

With your restrictions it's not possible to do unless you change the way you manage your databases. You need to split DBA privileges into two parts and give the halves to different people.

Consider this:
- split traditional DBA group into independent security group (DSA) and database management group (DBA)
- only security group can grant any privileges in the databases, don't have full "DBA" role and OS oracle access
- only DBA can manage tablespaces, datafiles etc, don't have full "DBA" role, access to OS oracle with logging
- neither security nor DBA have select on apps tables
- SYS/SYSTEM accounts are locked, DSA and DBA use personal accounts
- all actions in DSA/DBA personal accounts are audited by other group
- all actions in OS oracle account are logged, logs are reviewed by security (or better yet the third group) and compared with the stated purpose of session
- review backup procedures to introduce encryption and ensure DSA/DBA don't have access to backups.

In short, divide and audit. That's a lot of overhead, I can assure you, but this can't be done with software only anyway. Even with Vault you still need to make administrative changes.

Regards,
Igor

Received on Thu Aug 02 2007 - 20:43:17 CDT
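
One way to check that the split described in the reply above actually holds in a given database, using Oracle's standard data dictionary views. This is an added example, not part of the original post; the schema name APP_OWNER and the accounts DSA_ALICE and DBA_BOB are hypothetical.

```sql
-- Added example. Assumed names, not from the post: APP_OWNER is the
-- application schema; DSA_ALICE and DBA_BOB are personal admin accounts.

-- 1. Direct holders of the full DBA role. Expected: no personal accounts.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 2. Who can read any table, directly or through a directly granted role.
--    Neither group should appear. Roles nested deeper need a second pass.
SELECT grantee, '(direct)' AS via_role
  FROM dba_sys_privs
 WHERE privilege = 'SELECT ANY TABLE'
UNION
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp, dba_sys_privs sp
 WHERE sp.grantee = rp.granted_role
   AND sp.privilege = 'SELECT ANY TABLE';

-- 3. Object grants on application tables to either group or to PUBLIC.
--    Expected: no rows.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND grantee IN ('DSA_ALICE', 'DBA_BOB', 'PUBLIC');

-- 4. Who can hand out privileges. A DBA-group account here breaks the split.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('GRANT ANY PRIVILEGE', 'GRANT ANY ROLE')
 ORDER BY grantee;

-- 5. Password-login state of the shared accounts. Expected: a LOCKED status.
--    This column does not cover OS-authenticated SYSDBA connections,
--    which is what the logging of the OS oracle account is for.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM');

-- 6. Statement auditing in force for the personal accounts.
--    A NULL user_name row is an option that applies to all users.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IN ('DSA_ALICE', 'DBA_BOB')
    OR user_name IS NULL;
```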
