This content has been marked as final. Show 2 replies
please keep in mind if a DBA uses the schema_1 to login, then there's no longer any way to distinguish the DBA from that user,
part of Database Vault security is strict separation of duties: the DBA should not also have access to the <DV_ACCTMGR>
account that would be necessary to reset the schema_1 password with the alter user statement.
Otherwise FGA can work in a Database Vault environment, I did a quick test and it is possible for the schema_1 user to add
an FGA policy if there is execute privilege on dbms_fga, this means a protected application schema (separate DBA) has
the possibility to add FGA policies to the application tables independently, the resulting audit records, however will still go to SYS.FGA_LOG$.
If you want to share your experiences with your peers in the industry and also get their feedback you may consider
to post your (future) question in the Support Communities at :
(this will land you in the security area, but there are many others for several product areas)
Naturally these communities are also monitored by Oracle and we will try to answer any questions also from our perspective,
Harm ten Napel
Can we somehow restrict a sys and system user from accessing tables of a particular schema? They should be able to read the tables but cannot alter the data in any way? I know data vault is one option but without buying data vault how can we get this kind of security from insider threats?
I tried to alter the privileges provided to dba role by revoking delete,update,insert any table privileges from the oracle provided role .
revoke delete any table from dba
It got executed also. However when i logged in from sytem user and tried to delete rows from tables in any schema it still worked. Not only this it also worked for any other users who had dba roles.
Can we somewho create a new role new_dba with all the privileges of dba role except access to a particular schema objects and then assign this new role to sys and system user and revoke the original dba role so that they can't access some sensitive information? Please let me know if this sounds feasible.