RE: Suggestions for controlling SYSDBA / DBA privileges ?

  • From: "David Wendelken" <davewendelken@xxxxxxxxxxxxx>
  • To: "'Oracle-L'" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 3 Aug 2005 15:10:43 -0400


Here are some options:

1) Hire double the number of DBAs, so one can watch what the other one is up
to.  Each only knows 1/2 of each system password, with copies locked up and
sealed in a safe.

Enjoy watching them squirm at the thought of that expense.   :)

2) Use existing financial reports to catch issues.  Saved hard copies of
appropriate transaction summary reports would make post-facto changes to the
database very easy to catch.  The transaction totals by account by
time-period wouldn't match.  Of course, that's work for business staffers,
not techies.  Not unbreakable, but makes it harder to pull off.

3) A stand-alone PC that the sys-admins don't have access rights to, which
is properly secured from unauthorized physical access, could also store
check-sums for a more automated verification that things are as they should
be.  Again, not unbreakable, but harder to pull off.

4) Get over it.  That's life in the big city.  Hire *quality* people and pay
them appropriately.  Remind them that CEOs and CFOs have been stealing the
money recently, not DBAs.  :)

>How do you respond to Managements that are "very concerned" after
>Auditors (the SarbOx type) tell them "the DBA has unrestricted
>privilege on all data in the database".


--
//www.freelists.org/webpage/oracle-l
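
Options 2 and 3 above, sketched as an added example that is not part of the original post: per-account, per-period totals plus a SHA-256 digest of the rows, compared against a baseline kept on the stand-alone machine. The row layout, account names and function names are assumptions made for illustration, and the sample rows are constructed; it assumes the baseline covers closed periods only.

```python
import hashlib
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows: (txn_id, account, period, amount)
SAMPLE_ROWS = [
    (1, "4000-SALES", "2005-07", "1250.00"),
    (2, "4000-SALES", "2005-07", "310.50"),
    (3, "2000-AP", "2005-07", "-980.25"),
    (4, "4000-SALES", "2005-08", "75.00"),
]

def summarize(rows):
    """Return {(account, period): (total, sha256 hex)} for the given rows."""
    groups = defaultdict(list)
    for txn_id, account, period, amount in rows:
        groups[(account, period)].append((txn_id, Decimal(amount)))
    summary = {}
    for key, txns in groups.items():
        digest = hashlib.sha256()
        total = Decimal("0")
        # Sort by txn_id so the digest does not depend on query order.
        for txn_id, amount in sorted(txns):
            digest.update(f"{txn_id}|{amount:.2f}\n".encode())
            total += amount
        summary[key] = (str(total), digest.hexdigest())
    return summary

def verify(baseline, current):
    """Compare the off-host baseline with a fresh summary; return findings."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            findings.append((key, "new group since baseline"))
        elif new is None:
            findings.append((key, "group missing"))
        elif old[0] != new[0]:
            findings.append((key, f"total changed {old[0]} -> {new[0]}"))
        elif old[1] != new[1]:
            # Offsetting edits keep the total intact but alter the digest.
            findings.append((key, "rows changed, total unchanged"))
    return findings
```

The digest catches what the totals alone miss: two edits within one account and period that cancel each other out.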
