not sure it's possible. System admins can su to the account that owns the oracle binaries, which can then (usually) do sqlplus / as sysdba. Voila! I am now god within the database. there is no way to prevent this. But you CAN do keystroke logging of all access to these accounts, then have the logs sent to a security officer who reviews them. Nowhere near perfect but at least there's some sort of control On Sat, 19 Feb 2005 13:21:03 -0700, Chip Briggs <chip.briggs@xxxxxxxxx> wrote: > Earlier this week, SarBox auditors wanted proof that DBA's > could not change database stored procedures (which would > prevent DBA's from applying vendor patches for vendor > supplied stored procedures). Also presents a problem since > DBA's managed stored procedure configuration. SarBox > auditors do not like DBA privileged access to application data. > Looks like these auditors do not trust anyone and want duties > segregated so no single person has the ability to cook any > books (complete prevention for Enron repeat). > > Any ideas how to prevent execution of non-production code > against production data, whether the data resides in a > database or operating system files (unix and windows) ? > > Have Fun :) > -- > //www.freelists.org/webpage/oracle-l > -- //www.freelists.org/webpage/oracle-l