DBA access levels to data

nishgibb · #1 (**permalink**) 07-21-09, 03:19

Hi Everyone,

Can anyone be able to provide me the information on the DBA access information towards data at various security level? If yes, I will go ahead with my question further

r937 · #2 (**permalink**) 07-21-09, 04:40

i think you should just go ahead with your question further anyhow

Pat Phelan · #3 (**permalink**) 07-21-09, 07:57

Quote:

Originally Posted by nishgibb

Can anyone be able to provide me the information on the DBA access information towards data at various security level?

Blue.

Quote:

Originally Posted by nishgibb

If yes, I will go ahead with my question further

That would be better.

-PatP

blindman · #4 (**permalink**) 07-21-09, 10:40

Quote:

Originally Posted by Pat Phelan

Quote:

Originally Posted by nishgibb

Can anyone be able to provide me the information on the DBA access information towards data at various security level?

Blue.
-PatP

Wait. No, Red! YEEEAAHHHHHhhhhhhhhhhhhhh.

nishgibb · #5 (**permalink**) 07-21-09, 12:07

Is it possible to restrict access to a particular object on a sensitive data to a user who has already been granted the DBA role?

the user in question should still be able to perform DBA activities, but when it comes to the object in question, he/she should not be able to select, insert, update or delete from the table...

Say for example hiding some sensitive data from the DBA itself.. did I make myself clear?

dportas · #6 (**permalink**) 07-21-09, 14:37

Yes it's possible but the details are very dependent on what DBMS product you are using. Please tell us what DBMS you are referring to or post your question in one of the product-specific forums.

shammat · #7 (**permalink**) 07-21-09, 15:31

I don't think it's possible. As the user has DBA privilege he/she can always grant herself/himself access to those objects even if the privileges have not been granted before.

nishgibb · #8 (**permalink**) 07-22-09, 01:07

Quote:

Originally Posted by dportas

Yes it's possible but the details are very dependent on what DBMS product you are using. Please tell us what DBMS you are referring to or post your question in one of the product-specific forums.

So, you are saying that each DBMS product has got its own rules defined on a DBA role, because I am looking out for the options on the products that I have been working starting from Oracle, Microsoft SQL Server, DB2, Sybase and Teradata. I am working on some sensitive data where I need to restrict the access level of the DBA, please give me options

r937 · #9 (**permalink**) 07-22-09, 02:00

Quote:

Originally Posted by nishgibb

I am working on some sensitive data where I need to restrict the access level of the DBA, please give me options

here's an option: make yourself the only DBA, and don't grant access to the sensitive data to anyone else

dportas · #10 (**permalink**) 07-22-09, 02:09

Every vendor has its own way of defining and controlling adminitrative roles. In Oracle you can use Database Vault to restrict DBA access:

Introducing Oracle Database Vault

In SQL Server use encryption and key management.

There are also third party tools such as:
http://www.rsa.com/products/bsafe/da...SM_DS_0407.pdf
(Note: I happen to work for EMC whose product this is, although I don't have personal experience of using it)

You'll have to Google for info on the other products. Take a look at their respective sites.

nishgibb · #11 (**permalink**) 07-22-09, 03:11

Thanks for the information

Pat Phelan · #12 (**permalink**) 07-22-09, 08:43

If you can truly restrict a users access to any object in the database, then that user is by definition not a Database Administrator.

There are multiple options for managing sensitive data, and some of those methods work well across different database platforms. Without knowing more details about what you want to accomplish, all I can say with confidence is "Yes, there is a solution to this problem."

-PatP

Internet Services

Web Development

Digital Marketing

Consumer Tech