  1. #1
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7

    Unanswered: Something about Oracle Database Vault

    Hi, guys.
    Can I revoke some privileges (i.e. SELECT from some table) from a DBA without Vault? If I can, then what's the point of Vault?
    Thanks.

    P.S. For now, I tried to create a DBA and revoke a privilege using another DBA account with SYSDBA privs. It doesn't work - "not enough privileges". The same goes for the SYS account.

  2. #2
    Join Date
    May 2010
    Location
    Bangalore
    Posts
    16
    Hi Vaneo,
    I'm not a DBA person but I had a few links which talk about Vault.
    Try going through them

    What to Expect After You Install Oracle Database Vault

    This has a list of commands used to revoke privileges.
    Might help you in a good way!

    Thanks
    Richa

  3. #3
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    Thanks for the link
    But this is not exactly what I'm looking for...
    I now have a question more like doubts if I can revoke privileges some other way excluding Vault.

  4. #4
    Join Date
    May 2010
    Location
    Bangalore
    Posts
    16
    Hi - You are welcome

    Here is another link how to grant or revoke privileges normally -
    hope it helps - How to grant and revoke privileges in Oracle

    Thanks
    Richa

  5. #5
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    Thanks again
    But I'm looking for specific revoke - I want to revoke privileges from DBA, not a common user. And I don't want to fully revoke DBA.

  6. #6
    Join Date
    May 2010
    Location
    Bangalore
    Posts
    16
    Hmmmm - as I had mentioned earlier, I'm not a DBA - maybe you will have to wait for some DBA to answer this. I'm mostly an Oracle developer (PL/SQL, SQL)
    Good Luck !
    Thanks
    Richa

  7. #7
    Join Date
    Mar 2010
    Location
    Vienna, Austria
    Posts
    149
    Vaneo,

    I'm not sure I understand exactly what you mean:

    - Restrict the privileges for the SYS and/or SYSTEM user
    or
    - change the DBA role.

    In the first case, the answer is extremely simple: No, not without Vault.

    For case 2:
    In theory, you can restrict the DBA role, but I wouldn't recommend it, because there are a couple of reasons for the existence of this role and you might get into big trouble.
    This is because Oracle i.e. expects SYSTEM to have the DBA role assigned as it is. So implementing a Security Patch, update, etc. would have a good chance to fail with a redefined DBA role.

    What you CAN do, however, is create a new role (like 'WEAK_DBA'), grant only the privileges you want to, as you would with any other role (in fact, it IS just another role).
    Then assign this role WEAK_DBA instead of DBA to the user.
    "There is always an easy solution to every problem - neat, plausible, and wrong."
    -- H.L. Mencken
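
The WEAK_DBA approach from post #7, sketched as an added example (not code from any poster in this thread). The account name APP_ADMIN and the particular privileges granted are assumptions chosen for illustration; the final query checks that no `ANY`-style system privilege still reaches the account through nested roles. As the thread notes, none of this constrains SYS or SYSTEM.

```sql
-- Added example. WEAK_DBA is the role name suggested in the post;
-- APP_ADMIN is a hypothetical account that currently holds DBA.
CREATE ROLE weak_dba;

-- Operational privileges only (illustrative selection, adjust to the job).
-- No SELECT/INSERT/UPDATE/DELETE ANY TABLE, and no ALTER USER, which
-- would allow resetting another account's password.
GRANT CREATE SESSION      TO weak_dba;
GRANT ALTER SYSTEM        TO weak_dba;
GRANT ALTER TABLESPACE    TO weak_dba;
GRANT MANAGE TABLESPACE   TO weak_dba;
GRANT SELECT_CATALOG_ROLE TO weak_dba;  -- dictionary views, not user data

-- Swap the roles for the account; the DBA role itself stays untouched,
-- so SYSTEM and Oracle's own patch scripts see what they expect.
REVOKE dba     FROM app_admin;
GRANT weak_dba TO   app_admin;

-- Verification: list every system privilege containing ANY that the
-- account still holds, directly or through any chain of granted roles.
-- An empty result is the goal.
SELECT DISTINCT sp.grantee, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '% ANY %'
AND    ( sp.grantee = 'APP_ADMIN'
         OR sp.grantee IN (
              SELECT granted_role
              FROM   dba_role_privs
              START WITH grantee = 'APP_ADMIN'
              CONNECT BY PRIOR granted_role = grantee ) )
ORDER  BY sp.grantee, sp.privilege;

-- Direct object grants on application tables are checked separately.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN ('APP_ADMIN', 'WEAK_DBA')
AND    owner NOT IN ('SYS', 'SYSTEM');
```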

  8. #8
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    Thanks, Magicwand, I have just figured out that I can't restrict DBA role in any way, but Vault
    The case however is exactly in that (as you supposed) I need to deny access of the DBA's to the data. The way creating another role is quite nice, but that will involve rebuilding the whole privileged user's hierarchy so...I need a Vault

  9. #9
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    It's a pity that your DBA's can't be trusted. Maybe fire them and get some people that you can trust.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  10. #10
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    Well, eventually DBA is not a person who should have access to data, his work is to work with database, so...
    Besides, there is always some chance to have an insider threat. That's the main idea what's the Oracle Vault for I guess.

  11. #11
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    So who is going to repair the data when it is corrupted if no one has access to it? And it will happen.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  12. #12
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    It depends on what you mean by data corruption.
    As an option - the DBA can be granted access by a Vault owner/Vault admin, repair the data, and after that the privileges will be taken back.
    Or a special DBA will track the data integrity without any right to give privileges to watch or manipulate data to any other user.
    It is good that you asked. If you don't mind, I will be very grateful for such questions because I need some criticism of Vault and my approach of database security organization now.

  13. #13
    Join Date
    Mar 2010
    Location
    Vienna, Austria
    Posts
    149
    I need some criticism of Vault
    There is just one that comes to my mind: the price tag ...
    "There is always an easy solution to every problem - neat, plausible, and wrong."
    -- H.L. Mencken

  14. #14
    Join Date
    May 2010
    Location
    Russia, Saint-Petersburg
    Posts
    7
    It is...
    But it's worth its money if the company is quite big. Let's assume...there are at least 20-30 DBA's and thousands of users. Rebuilding it with roles can cost you even more than Vault. And anyway it won't give you protection against SYS/SYSTEM.
