4 Replies Latest reply: Nov 29, 2012 10:54 AM by 976232

Restrict dba from reading data

976232 Newbie
Hi gurus,

I would like to know how to restrict a DBA from reading sensitive data using Database Vault. I read that it can be done, but I don't know how.

Thanks,
Peter
  • 1. Re: Restrict dba from reading data
    Zoran Pavlovic Explorer
    You can restrict anyone with strong privileges (even the SYS user) from selecting data by creating a realm "around" the objects that you want to protect (it can be a schema, a table, etc.). You just need to create a realm in DVA and, as protected objects, select what you want to protect.

    After that, you can authorize users that can use their privileges like "select any table" against protected objects. Anyone with a strong privilege but without realm authorization cannot read the data.

    N.B. Users with object privileges are not restricted! So anyone who has an object privilege on protected objects will still be able to access that data. However, after the realm is created, only realm owners will be able to grant object privileges on protected objects.


    Zoran
  • 2. Re: Restrict dba from reading data
    976232 Newbie
    Thank you Zoran.

    I have one more question. Is it possible to further secure our database by preventing system users from canceling auditing on objects?

    Peter
  • 3. Re: Restrict dba from reading data
    Zoran Pavlovic Explorer
    If you want to restrict users from canceling audit on specific or all objects in the database, you should create a command rule that will secure the NOAUDIT command. You can choose whether you want to restrict on all objects (%) or on specific objects. Of course, you first need to create a rule set that will check which users will still be able to issue this command (for instance, a rule will check whether the user has the role "usr_naudit"; if he has, he can execute NOAUDIT).


    Zoran
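
The realm from reply 1 and the NOAUDIT command rule from reply 3, written with the DBMS_MACADM PL/SQL API instead of the DVA console. This is an added example, not part of the original thread; the HR schema, the APP_READER account and the realm, rule and rule set names are assumed placeholders, and only the USR_NAUDIT role comes from the reply above.

```sql
-- Run as a Database Vault owner account (DV_OWNER role).
-- HR, APP_READER and all realm/rule/rule set names are assumed placeholders.
BEGIN
  -- 1. Realm around every object in the HR schema.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Sensitive Data',
    description   => 'Blocks system-privilege access to HR objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Sensitive Data',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
  -- 2. Only this account may use system privileges inside the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Sensitive Data',
    grantee      => 'APP_READER',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  -- 3. Rule set: true only for sessions whose user holds USR_NAUDIT.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Can Disable Auditing',
    description     => 'Users allowed to issue NOAUDIT',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'NOAUDIT requires the USR_NAUDIT role',
    fail_code       => -20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Has USR_NAUDIT Role',
    rule_expr => 'DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(''USR_NAUDIT'', '
              || 'SYS_CONTEXT(''USERENV'',''SESSION_USER'')) = ''Y''');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Disable Auditing',
    rule_name     => 'Has USR_NAUDIT Role');
  -- 4. Command rule: NOAUDIT on any object (%) must pass the rule set.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'NOAUDIT',
    rule_set_name => 'Can Disable Auditing',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Failed realm access and failed NOAUDIT attempts are both written to the Database Vault audit trail because of the two `*_AUDIT_FAIL` options.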
  • 4. Re: Restrict dba from reading data
    976232 Newbie
    Thank you Zoran.