Ask the Expert

Is user account administration one of the duties of a DBA?

Is it a security best practice for DBAs to define user accounts and set permissions? Our security group has always been charged with creating accounts and permitting access. The DBAs are now saying that it's a DBA role, not a security role. We believe that an Oracle DBA should not delegate access. Are there any best practices to which we can refer?

    Requires Free Membership to View

Unfortunately, I have to conditionally agree with your DBAs, if they want to define and create accounts and permissions. Account management is a function, not a role. The role of a DBA is administration of services, and indeed many organization's user account administration is going to be part of a DBA's role.

With that said, DBAs should manage accounts and define and set permissions based on security policies and standards. While DBAs can -- and usually do -- do the work, the security group should be telling them how to do it. Security should also have the right to audit and monitor their activities.

Be aware that there is one instance in which, within this scenario, the security group should manage user accounts and set permissions. This is when a DBA needs an account. For separation of duties (SoD) best practices, DBAs should not be able to set up accounts or privileges for themselves; this is the most common method for "backdoor" unauthorized access to come about, which can lead to information exposure or malicious activity. If you're willing to give them the administrative function for account management, they should be willing to allow you to manage their access.

As a final note, on many new applications and operating systems, you can have account management privileges without full administrative rights. In this case, where possible, the DBAs should only be granted this limited access to do account management unless their role requires them to do other administrative tasks on the application or server.

For more information:

This was first published in March 2010

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: