RE: How do you feel about allowing non-DBA's on your database servers?

  • From: "Zelli, Brian" <Brian.Zelli@xxxxxxxxxxxxxxx>
  • To: "'robertgfreeman@xxxxxxxxx'" <robertgfreeman@xxxxxxxxx>, Oracle L <oracle-l@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jul 2009 11:48:19 -0400

My current employer had allowed several individuals (programmers, system 
analysts and even users) access.  They even had cluster manager and were 
failing over boxes on their own.  I am in the midst of controversy now as a 
user had EM loaded on her PC from a vendor that I just found out about and I am 
trying to get it removed.

But now we are implementing an audit and security policy (actually several) 
that peels back all these permissions and allows only appropriate personnel 
access, predominantly DBAs and SAs.  If others need access, they have to 
justify that access through some lengthy forms that we now produce or we just say 
"can't because of SOX or our auditors".  This is causing much strife amongst 
the staff because most are complaining that they can't do their job without 
that access.

The second piece of our strategy, and this is where the work falls on us, is to 
provide them with the appropriate access, limiting what they can do but not 
limiting the function that they have to perform as part of their job.  So if 
that means alternate tools, special userids with different roles and privs, 
then it falls to us to come up with that solution.  Anything, other than 
complete access.......


ciao,
Brian


________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Robert Freeman
Sent: Monday, July 27, 2009 11:31 AM
To: Oracle L
Subject: How do you feel about allowing non-DBA's on your database servers?

So, I've got a client that is being pressured by development and support types 
to allow access to their database servers. They claim that it's so they can use 
tools like ps, sar, topas, etc.... to monitor performance and deal with support 
issues.

My position is that this is a huge risk and that I would want a very limited 
population of users (read DBAs and SYSADMINs only) to have access to these 
servers.

Anyone have an opinion on this?

RF


Robert G. Freeman
Oracle ACE
Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY SOON!
OCP: Oracle Database 11g Administrator Certified Professional Study Guide 
(Sybex)
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Other various titles out of print now...
Blog: http://robertgfreeman.blogspot.com
The LDS Church is looking for DBA's. You do have to be a Church member in
good standing. A lot of kind people write me, concerned I may be breaking
the law by saying you have to be a Church member. It's legal I promise! :-)
http://pages.sssnet.com/messndal/church/parachurch.pdf



