Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Tisha.

Asked: May 25, 2016 - 8:45 am UTC

Last updated: May 26, 2016 - 4:17 am UTC

Version: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

Viewed 1000+ times

You Asked

Hi,

We are using Window Server 2003 Enterprise edition, database version is Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production.

Our company have an in-house developed application, which is going to be implemented in client database server machine. The client will be having admin access to the windows server. All the DB procedures are wrapped. we dont want to give the client DBA access to the database. But it seems if admin access is available to the server, then the windows user can access the database with dba privilege by changing the configuration(like adding in ora_dba group or creating the external user)

Is there any way to stop the client from having access to the pl/sql code in the database? or having the dba access to the database? Though they have admin access to the windows server.

Thanks Tisha

and Connor said...

You could start with standard Oracle auditing to catch that access, but a knowledgeable admin may well then doctor the audit tables, or disable auditing.

So you could then consider something like Database Vault

http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html

https://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm

But that's a fairly big hammer to be wielding. In particular, ultimately there is going to have to be *some* sort of trust relationship here. Because if they are admin to the server, no matter what controls you put in place in terms of access to the *data*, nothing can really stop a malicious admin from (say) wiping a hard drive and ker-splat.

Similarly, they could simply take the files (because they have admin rights) to another machine. So now you'd need encryption as well, ie

http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html

or you could Data Guard the database back to your site so you could monitor a copy, etc.

Very quickly, you're getting into a fair bit of complexity here. Better to have the basic trust agreements in place in my opinion.

Others welcome to share their views.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

A reader, May 31, 2016 - 10:54 am UTC


more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library