Archives of the TeradataForum
Message Posted: Mon, 03 Dec 2007 @ 16:00:01 GMT
| Subj: | | Segregation of Duties - Security and DBA |
| |
| From: | | Okell, Alan |
We have a bit of a cloudy distinction between our Security and Database Administration functions - the 5 Security Administrators should be
responsible only for Granting and Revoking Access and generally need not have access to the vast majority of underlying data. Currently, they have
a ridiculous number of access rights on the DBC.AllRights table (approx 5 administrators x 40 privileges x 1800 dbs / users) and we are looking to
rationalise this.
From previous discussions on the subject, I reckon it isn?t possible for a Role to have ?With Grant Option? ? so for example, if you have 5
Security Administrators who are only responsible for Granting and Revoking access, it isn?t possible for these groups of access rights to be
brought together into a single role because they require (and can?t have) ?With Grant Option? in order to do their job.
Similarly, it isn?t possible for ?With Grant Option? to be held by the 5 Security Administrators individually without having the privileges to
the underlying data themselves.
Best I can come up with is a single Security Administrator user id as a layer underneath DBC which owns all dbs and users, thereby having
?Grant option? to all dbs and users without having the underlying access themselves. This ticks most of the boxes, but it does mean that all 5 Sec
Administrators would use one id which gives us traceability issues, and the other issue is that I can?t see what would stop them granting
themselves access to the underlying data if they so wished.
Any thoughts / best practices ?
| 
