Re: Securing the database from the DBA

From: Joe <nospam_at_joekaz.net>
Date: 9 Apr 2004 15:14:49 -0700
Message-ID: <b9c56449.0404091414.371a7b20_at_posting.google.com>


Hans Forbrich <forbrich_at_yahoo.net> wrote in message news:<R8Adc.25679$J56.8600_at_edtnps89>...
> Joe wrote:
>
> > We're in the same situation - trying to address the concerns of
> > Sarbanes-Oxley and FDA 21CFR Part 11. Like you said, it's a catch-22,
> > that you can't truly secure the database from the people who are
> > responsible for maintaining it.
> >
>
> Dumb question - does the system need to be protected from the security
> group?

Systems need to be protected from anyone who should not have access to them. A security group probably only needs read-only access - access to the dictionary and audit trails, but not the application data.

> If not, then why not make the DBA a member of that group?

Separation of duties is one way of building checks and balances into the system. Having the DBA who maintains the database report into the security group (or the other way around) defeats that concept, so it's best to keep them as 2 distinct entities.

-- 
Joe
http://www.cafeshops.com/joekaz
http://www.joekaz.net/
Received on Sat Apr 10 2004 - 00:14:49 CEST
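The read-only access Joe describes for a security group (dictionary and audit trail, but no application data) can be expressed as an Oracle role. The following is an added example, not code from the original post or from either poster; the role name, user name, placeholder password and application schema (APP_OWNER) are hypothetical. It targets the Oracle versions current at the time of the thread (9i/10g), where SELECT_CATALOG_ROLE and SELECT ANY DICTIONARY are the two supported ways to read the DBA_* views.

```sql
-- Added example: a least-privilege role for a security/audit reviewer.
-- Role, user and schema names are assumptions for illustration.
CREATE ROLE sec_audit_ro;

-- Read the data dictionary (DBA_* views) without any object privileges
-- on application tables. SELECT_CATALOG_ROLE is the older equivalent.
GRANT SELECT ANY DICTIONARY TO sec_audit_ro;

-- Standard audit trail and fine-grained audit trail, read-only.
GRANT SELECT ON sys.dba_audit_trail TO sec_audit_ro;
GRANT SELECT ON sys.dba_fga_audit_trail TO sec_audit_ro;

-- Deliberately NOT granted: SELECT ANY TABLE, DBA, or any grant on
-- APP_OWNER objects, so the reviewer cannot read application data.

-- A reviewer account that can connect and holds only that role.
-- "change_me" is a placeholder, not a real credential.
CREATE USER sec_reviewer IDENTIFIED BY "change_me"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;
GRANT CREATE SESSION TO sec_reviewer;
GRANT sec_audit_ro TO sec_reviewer;

-- Verification queries, run as a DBA: the role should carry exactly the
-- system privilege above and no object grants on APP_OWNER.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'SEC_AUDIT_RO';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'SEC_AUDIT_RO';

SELECT COUNT(*) AS app_grants
  FROM dba_tab_privs
 WHERE grantee IN ('SEC_AUDIT_RO', 'SEC_REVIEWER')
   AND owner = 'APP_OWNER';
```

Two caveats a practitioner would check before calling this "read-only": the audit trail stores the SQL text of audited statements, so a reviewer who can read DBA_AUDIT_TRAIL may still see application values that appeared in literals, and on older releases DBA_USERS exposed password hashes to anyone with dictionary access. Neither grant gives the security group a way to alter the database, which is the separation-of-duties point of the thread, but both are worth knowing when deciding what "read-only" actually reveals.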
