Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Need to protect table from Sysdba

Re: Need to protect table from Sysdba

From: Jagjeet Singh <>
Date: Thu, 02 Aug 2007 23:51:35 -0700
Message-ID: <>

Thanks to all of you for your suggestion.

Igore - Thank you for your post. We are already thinking this, however we are trying to convince them but still they are asking to search for workaround if possible.

The tasks like startup/shutdown/patching we need to have sysdba access. we suggest them to create diff. os account and not to put this os dba group. then we can create "/" user and make it DBA.

We have already implemented the FGAC which is working for DBAs but not for sysdba. And for startup/shutdown
we can use scripts. the only issue is when we would be doing recovery or apply patch or migration/upgradation
for which we need to have sysdba access.

I would like to ask Sybrand, can ols + data vault really lock SYSDBA account ?
Actually I have expression that OLS is built upon FGAC and FGAC policy does not work for SYSDBA.

Jagjeet Singh

On Aug 3, 6:43 am, wrote:
> On Aug 3, 6:19 am, Jagjeet Singh <> wrote:
> > Hi ,
> > This sounds a diff. type of requirement, But we want to implement
> > this. Our client wants us
> > to manage the database but do not want to see the data on some tables.
> > We can not implement dbms_obfuscation_toolkit as it would be required
> > to change in application
> > TDE is available only in 10g, but we have 8i,9i instances.
> It's not possible, at least with Oracle-only software. Not sure about
> third-party solutions which may exist.
> > Any other suggestion . ..
> With your restrictions it's not possible to do unless you change the
> way you manage your databases. You need to split DBA privileges into
> two parts and give the halfs to different people.
> Consider this:
> - split traditional DBA group into independent security group (DSA)
> and database management group (DBA)
> - only security group can grant any privileges in the databases, don't
> have full "DBA" role and OS oracle access
> - only DBA can manage tablespaces, datafiles etc, don't have full
> "DBA" role, access to OS oracle with logging
> - neither security nor DBA have select on apps tables
> - SYS/SYSTEM accounts are locked, DSA and DBA use personal accounts
> - all actions in DSA/DBA personal accounts are audited by other group
> - all actions in OS oracle account are logged, logs are reviewed by
> security (or better yet the third group) and compared with the stated
> purpose of session
> - review backup procedures to introduce encryption and ensure DSA/DBA
> don't have access to backups.
> In short, divide and audit. That's a lot of overhead, I can assure
> you, but this can't be done with software only anyway. Even with Vault
> you still need to make administrative changes.
> Regards,
> Igor
Received on Fri Aug 03 2007 - 01:51:35 CDT

Original text of this message