Security Basics mailing list archives
Re: security against dba´s
From: rohnskii () gmail com
Date: Tue, 10 Feb 2009 17:39:08 -0700
As Brian said, it is definitely dependent on the specific DB application you are using. Why specifically do you want to restrict that access? DBAs typically have "god-like" access so it would be hard to restrict them from accessing data. They need it to do their work.

Given that, what you definitely want to do is to make sure that each person, including the DBAs, has a unique userid and turn on logging so you know what actions every Id does.

Another option to consider is to not grant the DBA rights to their userids. Instead restrict the DBA specific access rights to batch processes. So if the DBA wants to create a table, he generates the DDL, then submits it to the system to create the table. It should work, but it will really hamper their productivity. They will be excluded from using many of the interactive toolsets.

But when I was working as a DBA I, a significant portion of my job was dealing with data specific issues that I wouldn't have been able to deal with for the clients/users/data owners.

The ROT (Rule of Thumb) in our shop was: "DBA owns the data structure, Users own the data". Meaning that DBA had complete control over the structure/design of the DB (tables, indexes, triggers etc). They told us what data they wanted to store, we decided how best to store it. The users had complete control over the data stored in the DB. DBA was NOT allowed to delete or modify production data without explicit data owner permission/request. This was backed up by access logging that DBA did not have update access to.
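
The rule of thumb in the message above ("DBA owns the data structure, Users own the data"), written as a check over an audit log. This is an added example, not part of the original post; the pipe-delimited log layout, the role names, the approval field and every sample record are assumptions constructed for illustration.

```python
# Added example: field layout, role names and sample records are constructed assumptions.
STRUCTURE = {"CREATE", "ALTER", "DROP"}                            # DBA owns the structure
DATA_CHANGE = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE"}  # users own the data

# Constructed log: timestamp|userid|role|owner_approval|statement
SAMPLE_LOG = """\
2009-02-10T09:01:12|dba_alice|dba||CREATE INDEX idx_cust_name ON customers(name)
2009-02-10T09:14:40|dba_alice|dba||DELETE FROM orders WHERE id = 17
2009-02-10T10:02:05|dba_bob|dba|REQ-1042|UPDATE customers SET status = 'closed' WHERE id = 9
2009-02-10T10:30:51|app_user1|user||UPDATE orders SET note = 'a' || 'b' WHERE id = 5
2009-02-10T11:45:00|dba_bob|dba||  truncate table staging_load
"""


def classify(statement):
    """Return 'structure', 'data-change' or 'other' from the leading SQL verb."""
    words = statement.split()
    verb = words[0].upper() if words else ""
    if verb in STRUCTURE:
        return "structure"
    if verb in DATA_CHANGE:
        return "data-change"
    return "other"


def parse(log_text):
    """Yield one dict per record; the statement may itself contain '|'."""
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            raise ValueError(f"line {number}: expected 5 fields, got {len(fields)}")
        ts, userid, role, approval, statement = (f.strip() for f in fields)
        yield {"ts": ts, "userid": userid, "role": role,
               "approval": approval, "statement": statement}


def unapproved_dba_changes(log_text):
    """DBA data changes that carry no data-owner approval reference."""
    return [r for r in parse(log_text)
            if r["role"] == "dba"
            and classify(r["statement"]) == "data-change"
            and not r["approval"]]


if __name__ == "__main__":
    for r in unapproved_dba_changes(SAMPLE_LOG):
        print(f'{r["ts"]} {r["userid"]}: {r["statement"]}')
```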