Re: Dormant database user accounts

  • From: MARK BRINSMEAD <mark.brinsmead@xxxxxxxxx>
  • To: Niall Litchfield <niall.litchfield@xxxxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 16 Mar 2015 12:47:38 -0400

Indeed.

Checking your "infosec" policies first would be an excellent idea.

An excellent (and not entirely uncommon) policy is that "*user accounts may
never be deleted*" -- or, perhaps more properly "*userids may never be
reused*".  They're not the same thing, but in Oracle, probably not too far
off.

Lots of sites do AUDITING.  Those who do feel a perverse need to attribute
audited actions to specific individuals.  When accounts get deleted, or
worse, userids are reused, the attributions in the audit data will probably
stop working properly -- you either lose track of to whom to attribute an
action, or you attribute it to the wrong person.

There's a fair-to-middling chance that your security officer would prefer
that you keep dormant accounts *locked* and *expired* (and keep them that
way indefinitely), rather than deleting them.

Even if there *aren't* already policies like this in place, perhaps there
should be.  You might be doing people a favour by suggesting it before you
start deleting old accounts.


On Mon, Mar 16, 2015 at 10:08 AM, Niall Litchfield <
niall.litchfield@xxxxxxxxx> wrote:

> You might well already have policies on this, and I'd definitely want to
> match your infosec requirements rather than present them with a fait
> accompli. I'd add a couple of things that haven't been touched on so far.
>
>    1. You need to make arrangements to catch the replies to the emails so
>    you'll need to make sure any mail sent to the reply-to address gets to the
>    right people and doesn't, for example, end up in the same place as all your
>    EM notifications.
>    2. No-one seems to have remarked that it is really not at all unusual
>    for people to be validly away from work for more than 3 months and that you
>    probably don't want to delete such accounts, though you may well wish to
>    lock them early.
>
>
> ...
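
The lock-and-expire approach suggested in this thread, as an added example that is not part of the original messages. It assumes Oracle 12c or later (for DBA_USERS.LAST_LOGIN and ORACLE_MAINTAINED); the 90-day threshold and the dry-run switch are illustrative choices, not values from the posters.

```sql
-- Added example: lock and expire dormant accounts instead of dropping them,
-- so existing audit records still resolve to a userid that exists.
-- Assumptions: Oracle 12c+, 90-day threshold, dry-run by default.
SET SERVEROUTPUT ON

DECLARE
  c_dormant_days CONSTANT PLS_INTEGER := 90;    -- assumed threshold
  c_dry_run      CONSTANT BOOLEAN     := TRUE;  -- TRUE: report only, change nothing
  l_stmt         VARCHAR2(400);
BEGIN
  FOR u IN (
    SELECT username, last_login
    FROM   dba_users
    WHERE  oracle_maintained = 'N'     -- skip Oracle-supplied accounts
    AND    account_status = 'OPEN'     -- already locked/expired accounts are left alone
    -- accounts that never logged in fall back to their creation date
    AND    NVL(CAST(last_login AS DATE), created) < SYSDATE - c_dormant_days
    ORDER  BY username
  ) LOOP
    -- ENQUOTE_NAME guards the dynamic DDL against odd or hostile usernames
    l_stmt := 'ALTER USER '
              || DBMS_ASSERT.ENQUOTE_NAME(u.username, FALSE)
              || ' ACCOUNT LOCK PASSWORD EXPIRE';

    DBMS_OUTPUT.PUT_LINE(l_stmt || '  -- last login: '
              || NVL(TO_CHAR(u.last_login, 'YYYY-MM-DD'), 'never'));

    IF NOT c_dry_run THEN
      EXECUTE IMMEDIATE l_stmt;        -- no DROP USER: the userid is retained
    END IF;
  END LOOP;
END;
/
```

Review the dry-run output before setting c_dry_run to FALSE, since the list will include people who are validly away from work as well as accounts that are truly abandoned.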
