Re: Need DBA advices on creating a new user, application level or DBA level?

From: tstrah <tstrah_at_tteklogix.com>
Date: 2000/08/02
Message-ID: <398841e0$1_at_10.32.1.3>#1/1

[Quoted] No, the app should not do it. A person should always be directly responsible. Depending on the app, you are exposing the DB/company to unnecessary security risks, e.g. giving out a DBA password to non DBAs or hardcoring it into scripts/programs.
Of course, I'm biased because I'm a DBA too. Regards
Tim

"Jimmy" <anonymous_at_anonymous.com> wrote in message news:398904FD.FA8C195E_at_anonymous.com...
> Hello all,
>
> Recently, my company wants to develop an application. One of the
> functions of the application is it can create a new user. This function
> can only be done by a project owner, such as PROJECTA_OWNER.
> PROJECTA_OWNER is not a DBA, he is just a project owner with some system
> privileges (such as create user).
>
> However, my company's DBA strongly disagree this function. He said
> that creating a new user should be done by DBA, not on application
> level. This is because using a client application to create a user may
> bypass his vision, as a result, he don't know why such a user exist
> after the application is running (since anyone who knows the
> PROJECTA_OWNER password can create a new user). He think that it is more
> difficult to manage the user accounts in the future.
>
> Now, I have some questions:
>
> 1) What do u think the above scenario? Should user creation done by
> DBA, or done on application level? ANy other disadvantages if done on
> application level?
>
> 2) I know that if done on application level, PROJECTA_OWNER need to
> alter some user parameters (e.g. default and temporary tablespace etc).
> However, such parameters may need to be hardcoded. This is not a good
> practice since we need to recompile the program if the tablespace name
> is changed to another name. Is there other ways to handle such
> situation? (I think using a PL/SQL procedure to create a new user, and
> the application is calling this procedure. This procedure is written by
> DBA. In this way, DBA can change this procedure without affect the
> application. Am I right)
>
> Any suggestions?
>
> Thanks,
> David
>
Received on Wed Aug 02 2000 - 00:00:00 CEST

This message: [ Message body ]
Next message: Doug Manney: "Re: Need DBA advices on creating a new user, application level or DBA level?"
Previous message: C. Ferguson: "Re: Need DBA advices on creating a new user, application level or DBA level?"
In reply to Jimmy: "Need DBA advices on creating a new user, application level or DBA level?"
Next in thread: Michael J. Moore: "Re: Need DBA advices on creating a new user, application level or DBA level?"
Reply: Doug Manney: "Re: Need DBA advices on creating a new user, application level or DBA level?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message