3 Replies Latest reply: Jun 21, 2013 7:24 AM by Brian Bontrager RSS

    how to share dba resonsibilities

    sonidba

      Hi great people,

       

      I do have a doubt. It is always said that a sysdba responsibilities should be shared among multiple users. This is recommended to restrict all the administrative privileges to a single user. If we grant sysdba privilege to any normal user , he will again become super user.  I have two question here.

       

      1. What will be the benefit of granting sysdba to a normal user. I dont think that it is going to be secure any way. your views are always welcome.

      2. How can  dba  responsibilities be shared among multiple users?

      I think this can be one of the way for my second question:

       

      First, create normal user and grant some administrative  privilege to him. Like wise, we may have other normal users and grant different administrative  privilege to them. But do not grant sysdba to them.

       

      Or, is there any other way to do the second question. Oracle database vault can be other way. I want to know whether there is any solution without database vault. Or, what I mention above will work.

       

      Thanks

        • 1. Re: how to share dba resonsibilities
          DK2010

          Hi

          1. What will be the benefit of granting sysdba to a normal user. I dont think that it is going to be secure any way. your views are always welcome.

          2. How can  dba  responsibilities be shared among multiple users?

          Why you want to grant sysdba to normal user, as you said it not secure.. thats correct..

          What normal users daily activity on the database,  which required sysdba privilege ?

           

          First, create normal user and grant some administrative  privilege to him. Like wise, we may have other normal users and grant different administrative  privilege to them. But do not grant sysdba to them.

          It make sense, or you can create some role with grants and provide that role to selective users.

           

          HTH

          • 2. Re: how to share dba resonsibilities
            sonidba

            One more question.

             

            If I grant sysdba to an OS user say, user1. Then that user can log in as sysdba. Are there any sysdba privileges that he can not enjoy. Or, user1 would be able to enjoy all the privilege that sys user can enjoy.

             

            Thanks for reply.

            • 3. Re: how to share dba resonsibilities
              Brian Bontrager

              sysdba is essentially "root" access within the database.  If you give it to someone they can do anything, including shut down the database or modify system packages. 

               

               

              Granting system privileges via roles is the appropriate action.  You give each user the least privileges needed - just enough to do what they need to.

               

               

              Where I work there is a separation of "System DBA" and "Application DBA".  Application DBAs cannot issue ALTER SYSTEM or ALTER USER but are given access to a package written in-house that includes procedures to do specific things like kill sessions or change a user's default tablespace or password.  Those procedures are written to execute the ALTER USER "behind the scenes", but limit what can be passed to it.  This allows certain actions to be performed by an Application DBA without granting the full DBA role.