Skip to Main Content
  • Questions
  • Protect access to certain data from the DBA

Breadcrumb

May 4th

Question and Answer

Connor McDonald

Thanks for the question.

Asked: September 22, 2017 - 2:30 pm UTC

Last updated: July 25, 2019 - 1:55 am UTC

Version: 11.2.0.4

Viewed 1000+ times

You Asked

This question has probably been asked many times, but I cannot find a solid solution. We are required to restrict access (select/insert/update/delete) to certain database tables even from the DBA. As far as I know, only Database Vault can do this reliably. It is my understanding that database vault needs to be disabled for patching and upgrades. Are there any other methods besides database vault? The idea is that DBA should not be able to access these tables at all, so audit is out. Fine grained access control? Data redaction?

Thanks,
A reader

and Connor said...

If you *really* need to lock the data away from the DBA, then Database Vault is pretty much your only option. Anything else ultimately can be circumvented by someone with DBA privileges.

There are mechanisms in place for Data Vault to allow patching etc which do not require disabling it. See this best practices paper for details

http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf

But I will say one thing. On many occasions, the restriction of data from DBAs is often a red flag to a deeper organizational problem, namely, lack of trust in the roles and people filling those roles. Ultimately, no amount of software solves that underlying issue.

Rating

  (20 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

A reader, September 23, 2017 - 1:06 pm UTC


A reader, September 23, 2017 - 1:17 pm UTC

Thanks Connor.

I totally agree with you. The organization completely trusts the DBAs as they are thoroughly vetted, there is no question about that. Unfortunately, the issue came up because of an IRS audit. If anyone has participated in those audits, they will testify that those auditors have no clue about what they are doing. There is no arguing with them. They pointed to a SQL server article on securing data in Oracle database...
Connor McDonald
September 25, 2017 - 3:37 am UTC

:-)

Very informative post

sophia charles, September 25, 2017 - 9:34 am UTC

I like this post. It is very useful for me. It is giving more information and ideas for my work. I hope you will keep this website updated so users can come and read interesting stories. I am very impressed by the way you share nice and valuable content. You can get online Halloween promo codes of other exciting games from https://www.reecoupons.com/categories/halloween .

Informative Post

Kamela, September 05, 2018 - 5:50 am UTC

Thanks for sharing such informative knowledge regarding the question of Data redaction. I know bit about this before as my Brother in Law is a Senior DBA and have much experience over years in this field. http://qouponcodes.com/ I use to hear many things like Patching , data installing from him and its increases my knowledge. But i must say the answer you have given here is also very useful and many people can easily take advantage from this . Keep it up . Love to read more from your side. Thanks.

Very informative post

John, July 23, 2019 - 11:23 am UTC

Another option would be: get DBA's you trust.

The DBA job is mostly "underestimated" in terms of the requirements a person in such a position need to meet.

And one of those requirements is: to be absolute trustworthy.

Anybody with SA privileges (like a DBA) basically has the power to (worst case) shut down the business.

Btw: that's one of the reasons why I don't like the concept of outsourcing business crucial or fincancial or HR databases...!!

Thanks Regards
https://gulkhantruckart.com/collections
Connor McDonald
July 25, 2019 - 1:55 am UTC

+1

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database