> Smith, Ron L. <[EMAIL PROTECTED]> wrote:
> 
> We are being asked by Auditing to stop using the SYS and SYSTEM
> accounts.  They would like for us to create an Oracle Role with the
> same permissions as SYS and SYSTEM, then grant the role to each of the
> DBAs.  Don't ask me why.  Nothing is being audited in 99% of the
> databases.  They just say it in a paper somewhere so they said we
> shouldn't use it.  This seems like it would cause lots of problems
> with exports, imports, installs, etc...  Has anyone had to deal with
> this type of request?  Any potential problems with making the change?
> 

Quite a few potential problems.  This is typical security jackass
kneejerk reaction, pure and simple.  A DBA needs DBA access
to the system.  Oracle provides this via SYS and SYSTEM.  Period.
The rest is just hazy, unprovable, half-cooked "security" bullshit
from people who read this and that everywhere and are by default
considered experts by even less competent damagement.  

Granting all rights of user SYS and SYSTEM to a role and then granting
that role to a DBA user reeks of sheer stupidity.  If the issue is auditing,
then use auditing.  That's what it's there for.  If the issue is use of DBA 
access, then get rid of the DBAs.  (see how long that lasts...).  

This sort of thing reminds me of the time I used to work at a very secure site
back in the early 90s, where we had to request a security officer to give us
the password for SYS and SYSTEM in order to do our job.  The officer changed
the password before passing it on to us verbally.  He then proceeded to watch us 
type on the screen, then watched us log out and then changed the password
again on the spot.  Very secure, very procedural, very formal.

Except the officer was not a DBA, knew zilch about SQL and couldn't discern
if we were copying the entire main accounts table to a non-secure area if his life
depended on it.

Great security!   No wonder it got exposed a few years later in a well known
incident.  

The issue of course is that what these people needed was auditing, not security.
But try as we might, we could not make their "experts" understand the diff...

Cheers
Nuno Souto
[EMAIL PROTECTED]
-- 
Author: Nuno Pinto do Souto
  INET: [EMAIL PROTECTED]