Home Page for the TeradataForum
 

Archives of the TeradataForum

Message Posted: Mon, 03 Dec 2007 @ 16:00:01 GMT


     
  <Prev Next>  
<<First
<Prev
Next> Last>>  


Subj:   Segregation of Duties - Security and DBA
 
From:   Okell, Alan

We have a bit of a cloudy distinction between our Security and Database Administration functions - the 5 Security Administrators should be responsible only for Granting and Revoking Access and generally need not have access to the vast majority of underlying data. Currently, they have a ridiculous number of access rights on the DBC.AllRights table (approx 5 administrators x 40 privileges x 1800 dbs / users) and we are looking to rationalise this.

From previous discussions on the subject, I reckon it isn't possible for a Role to have ?With Grant Option? ? so for example, if you have 5 Security Administrators who are only responsible for Granting and Revoking access, it isn't possible for these groups of access rights to be brought together into a single role because they require (and can't have) ?With Grant Option? in order to do their job.

Similarly, it isn't possible for ?With Grant Option? to be held by the 5 Security Administrators individually without having the privileges to the underlying data themselves.

Best I can come up with is a single Security Administrator user id as a layer underneath DBC which owns all dbs and users, thereby having ?Grant option? to all dbs and users without having the underlying access themselves. This ticks most of the boxes, but it does mean that all 5 Sec Administrators would use one id which gives us traceability issues, and the other issue is that I can't see what would stop them granting themselves access to the underlying data if they so wished.

Any thoughts / best practices ?



     
  <Prev Next>  
<<First
<Prev
Next> Last>>  
 
 
 
 
 
 
 
 
  
  Top Home Privacy Feedback  
 
 
Copyright for the TeradataForum (TDATA-L), Manta BlueSky    
Copyright 2016 - All Rights Reserved    
Last Modified: 27 Dec 2016