Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Back and a Question

From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Thu, 17 Aug 2006 20:50:58 +1000
Message-ID: <44E44A12.1000806@iinet.net.au>


ryan_gaffuri_at_comcast.net wrote, on my timestamp of 16/08/2006 11:51 PM:

> if it doesn't state in SOX that developers can't have access to
> production data, how do the auditors determine what is a violation?

Exactly.

> Not having access to PROD data is a real problem for ETL systems that
> receive external data feeds. You can have a lot of validation checks when
> you get the file, but you will never catch everything and sometimes you
> get bad data. You need people to check it.
>
> I guess the other option is to 'promote' a developer to systems
> administrator and put him on the production team so he can look at the
> data?

Narh. Knock-up a coupla screens in htmldb or other similar RAD tool, let them access data through an application interface, using a given uid and "canned" sql. Audit every last breath of that id.

Last thing you want is a developer loose in a production system with sqlplus or worse: sqlnavigator or some such development tool.

Or worse: an "educated" user with a tool like Toad or sqlnavigator: what stops that user from taking the entire schema, sql and pl/sql code and everything else easily available to their next job at one of your competitors? Ah yes: ethics? Sure!...

-- 
Cheers
Nuno Souto
in sunny Sydney, Australia
dbvision_at_iinet.net.au
--
http://www.freelists.org/webpage/oracle-l
Received on Thu Aug 17 2006 - 05:50:58 CDT
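
The approach described in this message (a fixed set of "canned" queries behind an application interface, run under one dedicated id, with every call audited), as an added example that is not part of the original post. Here sqlite3 stands in for the production database, and the table names, query names and the `etl_support_ro` id are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed allow-list: name -> (fixed SQL text, number of bind parameters).
CANNED = {
    "rejected_rows_for_feed": (
        "SELECT row_no, reason FROM feed_rejects WHERE feed_id = ? ORDER BY row_no", 1),
    "row_count_for_feed": ("SELECT COUNT(*) FROM feed_rows WHERE feed_id = ?", 1),
}

class CannedQueryGateway:
    """Only entry point the support screens get; runs as one dedicated id."""

    def __init__(self, conn, service_uid):
        self.conn, self.service_uid = conn, service_uid
        # Kept in the same database for the demo; a real audit trail belongs
        # somewhere the audited id cannot write to.
        conn.execute("CREATE TABLE access_audit (ts TEXT, service_uid TEXT, "
                     "end_user TEXT, query_name TEXT, params TEXT, outcome TEXT)")

    def _audit(self, end_user, name, params, outcome):
        self.conn.execute(
            "INSERT INTO access_audit VALUES (?, ?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), self.service_uid,
             end_user, name, repr(tuple(params)), outcome))
        self.conn.commit()

    def run(self, end_user, name, params=()):
        entry = CANNED.get(name)
        if entry is None or len(params) != entry[1]:
            self._audit(end_user, name, params, "DENIED")  # refusals are logged too
            raise PermissionError(f"not a canned query: {name!r}")
        rows = self.conn.execute(entry[0], tuple(params)).fetchall()
        self._audit(end_user, name, params, f"OK rows={len(rows)}")
        return rows

def build_demo():
    """Gateway over a constructed in-memory data set."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE feed_rows (feed_id INTEGER, row_no INTEGER);
        CREATE TABLE feed_rejects (feed_id INTEGER, row_no INTEGER, reason TEXT);
        INSERT INTO feed_rows VALUES (7, 3), (7, 9), (7, 10);
        INSERT INTO feed_rejects VALUES (7, 9, 'missing key'), (7, 3, 'bad date');
    """)
    return CannedQueryGateway(conn, "etl_support_ro")
```

The caller supplies only a query name and bind values, so free-form SQL never reaches the database, and the audit row records both the shared service id and the individual who asked.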
