I am working with a client regarding direct data access issues for their DBAs. The bulk is related to Oracle 9x.

The quick summary is that the DBAs are also the OS Admins and they have 100% access to "everything". They also believe that they need 24/7 access to support the business. Most troubling is that they believe they require access to the apps id in order to start services that fail. Due to the use of the apps id and access to the log files the client doesn't see any need to turn on the logging functions. Their approach is to keep the number of DBAs to a minimum.

Oracle 9x is running on HP-UX with Oracle Financials, and the DBAs are using the "apps" id to perform maintenance, patch, and restart services on the database. That causes the problem with logging the activity because all of the end users' activity is also going through the "apps" id. The DBAs claim that the "sys" and "system" ids will not allow them to perform all of the necessary activities.

The DBAs claim that it's not feasible to restrict access to the "apps" id password to temporary access via an emergency request process (firecall). They claim that they need 24/7 access.

1. Do the DBAs really require access to the "apps" id?

2. What activities would require the DBA to use the "apps" id?

3. Have you seen this before? How have you handled it?


Detail below:

Overall issue:
DBAs require access rights and responsibilities across multiple platforms to perform various responsibilities. This access is deemed excessive; however, it is necessary to conduct daily activities. Restricting this access will impact the business to an unacceptable level.
Their external auditor noted control deficiencies related to inappropriate access, inadequate monitoring of DBA activities, and lack of evidence to support the data change management process (missing forms and approvals).

Oracle database specific issues:
DBAs do not use individual ids to perform data administration. The DBAs log in using the "APPS" id, which gives them full system administrator privileges as well as renders the logging/monitoring process useless.
Enabling logging would cause a mountain of useless information as the log would capture all updates made by application activities. Additionally, the DBAs have access to the log file allowing them the ability to remove suspicious activities prior to review of logs.
The client has further restricted the number of persons with powerful access rights.

I followed up with an Oracle subject matter resource on the ability to create individual DBA ids with only DBA functionality. It was suggested to create individual ids, change passwords to the generic application ids, and enable monitoring of the specific DBA activities. Additionally, he suggested writing the log file to the Operating System and restricting access to the file to ensure the DBAs could not modify the log prior to review. Based upon discussions with the client, this is not an option they can accept. The DBA rights are not enough (not equal to the APPS id rights).

Sidenote: The client is already working to reduce the number of DBAs with access to the "apps" id (still 15 remain) and to ensure that compensating controls are operating effectively.
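
The subject matter resource's suggestion above (individual DBA ids, monitoring scoped to those ids, audit trail written to the operating system) could be configured roughly as follows. This is an added example and not part of the original post; the account name `dba_jsmith`, the placeholder password and the directory `/var/oracle_audit` are hypothetical, and it assumes the instance uses an spfile.

```sql
-- Added example. Run from a SYSDBA connection; the static parameters
-- below take effect at the next instance restart.

-- 1. Write audit records to operating-system files rather than SYS.AUD$,
--    so the trail lives outside the database the DBAs administer.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/var/oracle_audit' SCOPE = SPFILE;  -- hypothetical path

-- 2. Also record statements issued over SYSDBA/SYSOPER connections
--    (parameter available from Oracle 9i Release 2).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. One named account per DBA instead of the shared APPS login.
--    PASSWORD EXPIRE forces the DBA to choose a private password at first logon.
CREATE USER dba_jsmith IDENTIFIED BY change_me_placeholder PASSWORD EXPIRE;
GRANT CREATE SESSION TO dba_jsmith;
GRANT DBA TO dba_jsmith;

-- 4. Audit only the named DBA account. Scoping with BY <user> keeps the
--    trail free of the application traffic that flows through APPS.
AUDIT ALL BY dba_jsmith BY ACCESS;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
  BY dba_jsmith BY ACCESS;

-- 5. Record every logon and logoff. With the OS audit trail each session
--    record carries the operating-system user and terminal, which helps
--    tell interactive APPS logins apart from application-tier connections.
AUDIT SESSION;

-- Note: Oracle writes the audit files as the Oracle software owner.
-- Restricting access to them only holds if the DBAs do not also hold that
-- OS account or root, which is the situation described in the post.
```

Changing the password of the generic application ids, the other part of the suggestion, is done with the Oracle Applications tooling and is not shown here.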