Mailing list: Oracle-L
Subject: RE: How do you audit a DBA?

There is an administrator account, but individual users can configure
access control lists on their files (right-click, properties, security)
that would prevent the administrator from reading them. The only way
that an administrator could then read them would be to "take ownership"
first. Unlike Unix, ownership of a file is taken rather than given, so
even if an Administrator read a confidential file, the OS would not let
them erase traces of having done so. If you wanted to steal a file, you
could obviously back it up to tape (if you have the Backup Operator
role), restore it to another system, take ownership there and read it
(unless it was encrypted of course) but there's only so much an OS can
do about physical security.
The point is, you only need one, single trusted person to hold the administrator account (someone from your audit firm, for example) and almost everything can be done by sub-administrators who only have the precise permissions they need and no more. In theory, anyway :0)
g
-----Original Message-----
Sent: Thursday, September 06, 2001 2:41 PM
To: Multiple recipients of list ORACLE-L
but doesn't there have to be ONE account/role in NT that can assign all
the others? how else could you set up a role or continue to set them up?
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
Author: Guy Hammond
INET: guy.hammond_at_avt.co.uk
Received on Fri Sep 07 2001 - 04:55:42 CDT
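
The trace described in the message above (taking ownership changes the file's recorded owner) can be checked by comparing current NTFS owners against a stored baseline. This is an added example, not part of the original post; the paths `D:\Confidential` and `E:\AuditStore\owners.csv` are hypothetical, and the baseline is assumed to live somewhere the audited administrator cannot write.

```powershell
# Added example: report files whose NTFS owner differs from a recorded baseline.
param(
    [string]$Root     = 'D:\Confidential',           # hypothetical tree to watch
    [string]$Baseline = 'E:\AuditStore\owners.csv'   # hypothetical, write-protected from admins
)

function Get-OwnerSnapshot([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            } catch {
                # The ACL may deny the auditing account the right to read the
                # security descriptor; record that instead of silently skipping.
                $owner = '<unreadable>'
            }
            [pscustomobject]@{ Path = $_.FullName; Owner = $owner }
        }
}

$current = @(Get-OwnerSnapshot $Root)

# First run: record the baseline and stop.
if (-not (Test-Path -LiteralPath $Baseline)) {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) files"
    return
}

# Later runs: index the baseline by path and emit every difference.
$known = @{}
Import-Csv -LiteralPath $Baseline | ForEach-Object { $known[$_.Path] = $_.Owner }

$current | ForEach-Object {
    if (-not $known.ContainsKey($_.Path)) {
        [pscustomobject]@{ Path = $_.Path; Was = '<new file>'; Now = $_.Owner }
    } elseif ($known[$_.Path] -ne $_.Owner) {
        [pscustomobject]@{ Path = $_.Path; Was = $known[$_.Path]; Now = $_.Owner }
    }
}
```

Each output row names a file, the owner recorded in the baseline, and the owner seen now; a row whose `Now` value is an administrative account is the case the message describes.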