Re: limited DBA privileges

  • From: "Stefan Knecht" <knecht.stefan@xxxxxxxxx>
  • To: "Niall Litchfield" <niall.litchfield@xxxxxxxxx>
  • Date: Wed, 30 Apr 2008 23:26:55 +0200

Niall

What I meant was once it's set up to protect a certain schema or whatever,
no Oracle knowledge is required to add new users to a realm. All you really
need to know is "this is what protects your sensitive data and this is the
list of users that have access to it". And with a few clicks (urks I sound
like someone who likes GUIs) you can change those users.

Of course the whole configuration that needs to take place can't be done
without an intimate knowledge of how Oracle works. That however can be done
by a DBA, and monitored / verified by a 3rd party who will then transfer the
"password" to someone outside the DBA team.

Mind you some environments that change very frequently might be an exception
to this, but it works for the ones I've done so far, where realms don't
change after initial creation, only new users get added or removed from
realms.

Cheers

Stefan

PS Also disregarding the potential "workarounds" a DBA could perform to gain
access ;-)



On Wed, Apr 30, 2008 at 10:59 PM, Niall Litchfield <
niall.litchfield@xxxxxxxxx> wrote:

> On Wed, Apr 30, 2008 at 6:27 PM, Stefan Knecht <knecht.stefan@xxxxxxxxx>
> wrote:
>
> > You don't necessarily need someone with a lot of Oracle skills to be the
> > "guy in charge" of who can see what data. Database Vault comes with a GUI
> > that is rather easy to use, and can be used by virtually anyone to enable /
> > disable access to certain tables, once the groundwork has been laid and
> > the setup is complete.
> >
> You *will* need someone who understands what a schema is, what the
> difference between ALTER TABLE and ALTER VIEW is, for example, who understands
> what the schema objects are and what the columns are, can write a bit of
> PL/SQL to create factor functions if necessary and so on.
>
> My core point though is that whoever the dv admin is, they shouldn't be in
> the same reporting line as the IT team. They should really be in the
> "Business" but they do need to have a working knowledge of Oracle server
> technology. Allowing the DBA or similar to set up dv would be a somewhat
> fatal breach of the idea. I agree with the version recommendation though
> (11g would be as good or better).
>
> cheers
>
> Niall
>
> >
> >
> > --
> > Niall Litchfield
> > Oracle DBA
> > http://www.orawin.info
>
>


-- 
=========================

Stefan P Knecht
Senior Consultant
Infrastructure Managed Services

Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg

Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27
stefan.knecht@xxxxxxxxxxxx
http://www.trivadis.com

OCP 9i/10g SCSA SCNA
=========================
