General discussion


DBA Segregation of Duties

By fimos ·
Hello, I have a question regarding DBA.

One of the clients that I'm currently working with (a dot com survivor) has a four person DBA group that manages over 30 instances of SQL server databases supporting multiple web sites and internal applications. Most of these systems were developed in-house and support custom-business processes. While the default administrator accounts are not used nor shared; the DBAs have SA level access for operational reasons.

The external auditors have recommended that DBAs not be assigned SA level access; and such access be made available via a "firecall" id that is owned outside the DBA group. The risk pointed out by the auditors is that the DBAs with SA level access can bypass all manual and application controls, make modification to data or perform other unauthorized activities and wipe the access logs clean to remove evidence. The client feels that this requirement is excessive and onerous.

Could anyone point us to any relevant research or similar experiences at other clients or other industry practices?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by stress junkie In reply to DBA Segregation of Duties

This would make a good discussion topic.

I've been around quite a bit as an enterprise system administrator. I have found that the DBAs rarely if ever need system privileges. They derive their control over the database through a database admin account that does not need OS privileges. Ask the DBAs that want OS privileges to explain in detail what they need the OS privileges for. You may find that the things that they need to do requiring OS privileges only occur two or three times a year. Things like placing database files on different disks to spread I/O can be done with the assistance of the system administrator.

Collapse -

by cpfeiffe In reply to DBA Segregation of Duties

Just give the DBAs sudo access to run what is required. Force them to use individual logins (usually satisfies auditors because it provides accountability) and let them use sudo to run stuff as root/oracle/whatever. Just don't grant sudo access to a shell.

Collapse -

by fimos In reply to DBA Segregation of Duties

This question was closed by the author

Related Discussions

Related Forums