RE: How do you feel about allowing non-DBA's on your database servers?

From: Zelli, Brian <Brian.Zelli_at_RoswellPark.org>
Date: Mon, 27 Jul 2009 11:48:19 -0400
Message-ID: <6B3493ABEE194842A8EFC3FC3B23DE6A107C8F8EF3_at_MSXMBCCR2.roswellpark.org>



My current employer had allowed several individuals (programmers, system analysts and even users) access. They even had cluster manager and were failing over boxes on their own. I am in the midst of controversy now as a user had EM loaded on her PC from a vendor that I just found out about and I am trying to get it removed.

But now we are implementing an audit and security policy (actually several) that peels back all these permissions and allows only appropriate personnel access, predominantly DBA's and SA's. If others need access, they have to justify that access through some lengthy forms that we now produce or we just say "can't because of SOX or our auditors". This is causing much strife amongst the staff because most are complaining that they can't do their job without that access.

The second piece of our strategy, and this is where the work falls on us, is to provide them with the appropriate access, limiting what they can do but not limiting the function that they have to perform as part of their job. So if that means alternate tools, special userids with different roles and privs, then it falls to us to come up with that solution. Anything, other than complete access.......

ciao,
Brian



From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Robert Freeman
Sent: Monday, July 27, 2009 11:31 AM
To: Oracle L
Subject: How do you feel about allowing non-DBA's on your database servers?

So, I've got a client that is being pressured by development and support types to allow access to their database servers. They claim that it's so they can use tools like ps, sar, topas, etc.... to monitor performance and deal with support issues.

My position is that this is a huge risk and that I would want a very limited population of users (read DBA's and SYSADMIN's only) to have access to these servers.

Anyone have an opinion on this?

RF

Robert G. Freeman
Oracle ACE
Author:
Oracle Database 11g RMAN Backup and Recovery (Oracle Press) - ON ITS WAY SOON!
OCP: Oracle Database 11g Administrator Certified Professional Study Guide (Sybex)
Oracle Database 11g New Features (Oracle Press)
Portable DBA: Oracle (Oracle Press)
Oracle Database 10g New Features (Oracle Press)
Oracle9i RMAN Backup and Recovery (Oracle Press)
Oracle9i New Features (Oracle Press)
Other various titles out of print now...
Blog: http://robertgfreeman.blogspot.com
The LDS Church is looking for DBA's. You do have to be a Church member in good standing. A lot of kind people write me, concerned I may be breaking the law by saying you have to be a Church member. It's legal I promise! :-) http://pages.sssnet.com/messndal/church/parachurch.pdf

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jul 27 2009 - 10:48:19 CDT