Re: How do you feel about allowing non-DBA's on your database servers?

  • From: Jonathan Intner <jsidba@xxxxxxxxx>
  • To: robertgfreeman@xxxxxxxxx
  • Date: Mon, 27 Jul 2009 19:01:22 -0400

Hi Robert:
As many folks have already said, this is an age-old debate.  As has also
been commented, there are SOX implications (also, PCI, GxP and other TLAs,
assuming you are subject to them).

My biggest comment would be: it is far easier to crack into an Oracle
database from the database server than from a client on the network.  Also,
far more information is easily accessible, sometimes too easily accessible (ps
-ef|grep plu anyone? :) from the database server.

You probably know this already (given the high quality of your other posts
:), but I hope you don't mind my saying it anyway: it becomes a cost-benefit
analysis of the benefits of granting access (ability for whomever is asking
to examine the performance behavior of the server) against the risks
(cracking into the database, causing other damage whether intentionally or
unintentionally, etc).

Do they (really) need "at will" access to the database server?  Maybe the
access can be controlled in some way, like via a product that gives them a
temporary password for an OS user to logon to the database server, but this
access has a pre-determined time limit and/or they have to document the
reason they requested access (this works nicely for many SOX situations --
controlled access is often allowed, where at will is not).

Jonathan

On Mon, Jul 27, 2009 at 11:31 AM, Robert Freeman
<robertgfreeman@xxxxxxxxx> wrote:

> So, I've got a client that is being pressured by development and support
> types to allow access to their database servers. They claim that it's so
> they can use tools like ps, sar, topas, etc.... to monitor performance and
> deal with support issues.
>
> My position is that this is a huge risk and that I would want a very
> limited population of users (read DBA's and SYSADMIN's only) to have access
> to these servers.
>
> Anyone have an opinion on this?
>
> RF
>
>
> Robert G. Freeman
> Oracle ACE
> Author:
> Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY
> SOON!
> OCP: Oracle Database 11g Administrator Certified Professional Study Guide
> (Sybex)
> Oracle Database 11g New Features (Oracle Press)
> Portable DBA: Oracle (Oracle Press)
> Oracle Database 10g New Features (Oracle Press)
> Oracle9i RMAN Backup and Recovery (Oracle Press)
> Oracle9i New Features (Oracle Press)
> Other various titles out of print now...
> Blog: http://robertgfreeman.blogspot.com
> The LDS Church is looking for DBA's. You do have to be a Church member in
> good standing. A lot of kind people write me, concerned I may be breaking
> the law by saying you have to be a Church member. It's legal I promise! :-)
> http://pages.sssnet.com/messndal/church/parachurch.pdf
>
>
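The "ps -ef|grep plu" aside above refers to sqlplus sessions started with the password on the command line, which any OS user on the host can read straight out of the process list. The following is an added example, not code from this thread: a small Python check over constructed `ps -ef` output (the `SAMPLE_PS_EF` text, process names and credentials are all made up) that reports such sessions with the password redacted, so a DBA can find and fix them before the question of wider host access even comes up.

```python
import re
from typing import Dict, List

# Constructed sample of `ps -ef` output: background and sysdba sessions that
# are fine, plus two sqlplus sessions launched with user/password on argv.
SAMPLE_PS_EF = """\
UID        PID  PPID  C STIME TTY          TIME CMD
oracle    4021     1  0 08:02 ?        00:00:03 ora_pmon_ORCL
oracle    7310  7290  0 09:14 pts/1    00:00:00 sqlplus scott/tiger@ORCL
appuser   7455  7440  0 09:15 pts/2    00:00:00 sqlplus -s reportro/Summer2009@//dbhost:1521/ORCL @nightly.sql
oracle    7512  7290  0 09:16 pts/1    00:00:00 sqlplus / as sysdba
oracle    7600  7290  0 09:17 pts/1    00:00:00 sqlplus /nolog
"""

# Oracle-style connect argument carrying an inline password: user/pw[@db].
# "/" (OS authentication) and "/nolog" have no user part and do not match.
CRED_RE = re.compile(r"^(?P<user>[A-Za-z0-9_$#]+)/(?P<pw>[^@\s]+)(?:@(?P<db>\S+))?$")

# Client tools that accept user/password on the command line (assumed list).
TOOLS = {"sqlplus", "exp", "imp", "expdp", "impdp"}


def find_inline_credentials(ps_output: str) -> List[Dict[str, str]]:
    """Return one finding per process whose argv exposes a DB password."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header or truncated line
        os_user, pid, cmd = fields[0], fields[1], fields[7]
        argv = cmd.split()
        tool = argv[0].rsplit("/", 1)[-1]  # strip any leading path
        if tool not in TOOLS:
            continue
        for arg in argv[1:]:
            m = CRED_RE.match(arg)
            if m:
                findings.append({
                    "os_user": os_user, "pid": pid, "tool": tool,
                    "db_user": m.group("user"), "db": m.group("db") or "(default)",
                    # Record that a password was exposed, never the value itself.
                    "argv_redacted": cmd.replace(m.group("pw"), "****"),
                })
    return findings


if __name__ == "__main__":
    for f in find_inline_credentials(SAMPLE_PS_EF):
        print(f"pid {f['pid']} ({f['os_user']}): {f['db_user']}@{f['db']} -> {f['argv_redacted']}")
```

On a real host, feed the function the output of `ps -ef` (or `ps -eo user,pid,ppid,c,stime,tty,time,args`) instead of the constructed sample.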
