Re: Dormant database user accounts

  • From: MARK BRINSMEAD <mark.brinsmead@xxxxxxxxx>
  • To: Leroy Kemnitz <lkemnitz@xxxxxxxx>
  • Date: Mon, 16 Mar 2015 13:18:34 -0400

Cool.

Then just as a suggestion, you might want to consider the "lock and expire
indefinitely" approach, as an alternative to deleting accounts.  It may
offer good "future proofing", if nothing else.  When somebody comes along
with stringent auditing requirements you will already be equipped.

This also avoids nightmare scenarios like the one recently described by Tim
Gorman, where dropping an "unused" account can have horrible and unforeseen
consequences.  (Note:  you can get into equal trouble when an account
contains critical PL/SQL stored code -- and checking your AWR history for
logical reads won't help with that.)

Anyway, it's just a thought, of course.

Some people would look at this suggestion as "FUD" -- but it would not be
the first time I have encountered people who have confused "FUD" and
"foresight".  :-)

Cheers!

On Mon, Mar 16, 2015 at 12:56 PM, Leroy Kemnitz <lkemnitz@xxxxxxxx> wrote:

> Mark and Nail,
>
> Currently, we have no policy concerning this issue.  I am attempting to
> ‘create’ or ‘suggest’ a policy that works from the database security
> viewpoint.  We currently have a need for a lot of various kinds of policies
> concerning the databases.  This is a starting point.
>
> LeRoy
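
The "lock and expire" alternative discussed in this thread, shown as an added Oracle example that is not part of the original messages: it first checks for the stored-code and cross-schema dependencies that AWR read history would miss, then disables logins without dropping anything. The account name APP_LEGACY is a constructed placeholder.

```sql
-- Added example; APP_LEGACY is a constructed placeholder account name.
-- Run as a user with access to the DBA_* dictionary views.

-- 1. Stored code owned by the candidate account. These objects can be
--    critical to other applications even if nobody ever logs in as the owner.
SELECT object_type, object_name, status, last_ddl_time
FROM   dba_objects
WHERE  owner = 'APP_LEGACY'
AND    object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE', 'PACKAGE BODY',
                       'TRIGGER', 'TYPE', 'TYPE BODY')
ORDER  BY object_type, object_name;

-- 2. Objects in OTHER schemas that reference anything owned by the account.
--    Any row here would be invalidated by DROP USER ... CASCADE.
SELECT owner, name, type, referenced_name, referenced_type
FROM   dba_dependencies
WHERE  referenced_owner = 'APP_LEGACY'
AND    owner <> 'APP_LEGACY'
ORDER  BY owner, name;

-- 3. Grants on the account's objects: who else is entitled to use them.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'APP_LEGACY'
ORDER  BY grantee, table_name;

-- 4. Disable interactive use but keep the schema, its code, and its grants.
--    Objects owned by a locked account remain usable by other schemas.
ALTER USER app_legacy ACCOUNT LOCK PASSWORD EXPIRE;

-- 5. Record the resulting state for the audit trail.
SELECT username, account_status, lock_date, expiry_date
FROM   dba_users
WHERE  username = 'APP_LEGACY';
```

Rows returned by steps 1 to 3 are the evidence to keep with the policy decision; an empty result from all three is the minimum to establish before a drop is even considered.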
