Re: security against dba´s

[rohnskii () gmail com]

As Brian said, it is definitely dependent on the specific DB application you are using.

Why specifically do you want to restrict that access?

DBA's typically have "god-like" access so it would be hard to restrict them from accessing data.  They need it to do 
their work.  Given that, what you definitely want to do is to make sure that each person, including the DBA's have 
unique userids and turn on logging so you know what actions every Id does.

Another option to consider is to not grant the DBA rights to their userids.  Instead restrict the DBA specific access 
rights to batch processes.  So if the DBA want's to create a table, he generates the DDL, then submits it to the system 
to create the table.  It should work, but it will really hamper their productivity.  They will be excluded from using 
many of the interactive toolsets.

But when I was working as a DBA I, a significant portion of my job was dealing with data specific issues that I 
wouldn't have been able to deal with for the clients/users/data owners.

The ROT (Rule of Thumb) in our shop was:

"DBA owns the data structure, Users own the data".  

Meaning that DBA had complete control over the structure/design of the DB (tables, indexes, triggers etc).  They told 
us what data they wanted to store, we decided how best to store it.  The users had complete control over the data 
stored in the DB.  DBA was NOT allowed to delete or modify production data without explicit data owner 
permission/request.  This was backed up by access logging that DBA did not have update access to.