To expand on and clarify Melvin's point...

Yes, certainly, it's a really good idea to have separate named
accounts for DBAs, just like it's a good idea to have separate named
accounts for workstation logins, Domain Admins, Exchange Admins, etc.

It's not just a security issue, it's a management issue - paychecks
aren't issued to "Anonymous DBA", you issue them to Susie DBA or Joe
DBA.

After all, if you can't measure what people have done, or hold them
accountable or reward them for their actions, you can't really say
you're managing them.


OTOH, if you're a $5m company, and each DBA license costs $200k, well,
you might need another approach.

Kurt

On Tue, Dec 5, 2017 at 10:03 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
> Personal experience leads me to believe that this attitude is primarily
> based on the sometimes oppressive historic licensing practices surrounding
> many database products which increase the cost of licenses based on the
> number of named users, thereby encouraging cost reduction at the expense of
> security.  I have no empirical evidence of this, strictly an observation
> based on my dealing with many DBAs over the years, many of whom seem to have
> succumbed to the same brainwashing.
>
>
>
> If you can’t track who specifically did any particular operation then that
> operation is inherently less secure. That may not mean it needs to be fixed
> in all cases. Do you really need a $200 lock to protect your $20 bicycle?
> Probably not, but your $5000 racing bike is probably worth the investment.
>
>
>
> --
> There are 10 kinds of people in the world...
>          those who understand binary and those who don't.
>
>
>
> ¯\_(ツ)_/¯
>
>
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Tom Miller
> Sent: Tuesday, December 5, 2017 12:11 PM
> To: NTSysADM@lists.myitforum.com
> Subject: [NTSysADM] DBA question
>
>
>
> Hi All,
>
>
>
> I have a question regarding Oracle DBA database level access.
>
>
>
> The DBA lead where I work states that it is nonsensical for individual DBAs
> to use a named DBA-admin account for them.  This is a potential issue:  we
> are dealing with highly sensitive data and even within the DBA staff group,
> we want to restrict access, if possible.  We use logging, but triggering an
> access to particular tables would not be too helpful, as it would only tell
> us that the DBA account accessed them.
>
>
>
> Anyone have any thoughts or suggestions?
>
>
>
> Thanks,
>
> Tom

