Puzzle 1 - For a Banking Application, for certain V.I.P. Accounts (translating to respective rows in a set of Tables), the general Staff should NOT be able to View the respective Account info. But Bank-wide summation reports fired by the same staff should consider the Data from the VIP Accounts too.
Puzzle 2 Additionally DBAs also should also NOT be able to see the above data.
1. Use a pair of views. The first view (used for regular queries and possibly updates/inserts) has a where clause that excludes VIP rows so all the users will see are the rows they're allowed to see. The second view (or views if you want to do different sorts of summation) doesn't have the where clause but does the summations so the user cannot get to the underlying data through it, they will only see the summarised data. Grant the users access to the views but not the underlying tables. If you want to be really paranoid then make the views based on functions (using the table() function) and crate functions to handle insert/update/delete of rows (effectively doing OO style encapsulation).
Obviously this assumes that you can write/change the app to use the views and functions.
2. This tells me that you're not paying your DBAs nearly enough (if you were then they'd be too well paid to consider doing anything naughty with their accessd to your data) and you distrust your hiring practices (why do you suspect you're hiring moral degenerates), auditing (don't you know what they're doing) or both. There have to be people who have ultimate access to the system because there are somethings that need that level of access and have to be done. If it's not the DBAs then it'll be the sytem administrators or the application administrators or even the person who takes the DR backup tapes to offsite storage.
The only leakage of data from any organisation I've worked for was down to the collusion between the data centre manager and the guy who drove the van that carried the tapes between datacentres.
Stephen -- It's better to ask a silly question than to make a silly assumption.
'nohup cd /; rm -rf * > /dev/null 2>&1 &' (There's a strong arguement for the belief that running a command without first knowing what it does is 'Darwin in action')