A large site told me that their engineering team is concerned that once you log in to Grid Control, "you are able to observe and manage all databases in the company and that is a security risk".
We need to make these people aware that there are two levels of security in Grid Control. First you log in to the Grid Console using either the "sysman" login (not recommended for large sites; the sysman schema is the owner of the Grid Control repository) or a Grid Control Administrator login (recommended), and then you must also log on to the database.
So a login at the console cannot manage all databases in the whole company, unless someone has saved the password for all databases when logging on. The rule, of course, is never to save the database password for the DBA user: always force a logon.
The second point to note is that we are able to create Target Groups in Grid Control. Each database, listener, and host is a target. So we can group targets together and then assign each group to Grid Control Administrators, which we can create easily on the console.
The DBA then logs in to Grid Control using the particular console administrator login that is assigned to him/her. Such an admin is not sysman, so he/she can only see and manage the targets in the target group that is assigned to that console administrator. So a console login cannot even see all targets in the company, unless of course the login is sysman, or the login is a console admin that has been purposely assigned ALL targets.
This I have been explaining to many clients in the past 3-4 years as a consultant, and even before that to project teams and the security team in my past companies.
You have the security capability, and you should use it. Take the case of a database - you can easily have all schemas assigned the DBA role, and I have seen that done by many development outfits just as a shortcut. Or you can have proper role-level security set up at the database level. So, just because every schema has been set up by a developer as a DBA, does it mean there is no security in the database? The truth is, there is enough security, and we should know the way to use it.
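The database-level point above can be checked directly. The following is an added example, not from the original post: it audits which accounts hold the DBA role and replaces one such grant with a narrower role. The names `APP_OWNER` and `app_dev_role`, the privilege list, and the quota are constructed placeholders.

```sql
-- 1. Direct grants of the DBA role (the grantee may be a user or another role).
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee;

-- 2. Users who reach DBA indirectly, through a chain of role-to-role grants.
SELECT DISTINCT grantee
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role = 'DBA'
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 3. Replace the shortcut with role-level security for one schema.
--    APP_OWNER and app_dev_role are hypothetical names; adjust the
--    privilege list to what the application actually needs.
CREATE ROLE app_dev_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE SEQUENCE, CREATE PROCEDURE
TO    app_dev_role;

GRANT  app_dev_role TO app_owner;
REVOKE DBA FROM app_owner;

-- The schema no longer has DBA's unrestricted space usage,
-- so give it an explicit quota (value is a placeholder).
ALTER USER app_owner QUOTA 500M ON users;

-- 4. Confirm what the schema is left with.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'APP_OWNER';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'APP_OWNER';
```

Run the audit queries as a user with access to the `DBA_*` dictionary views, and test the reduced role in a non-production copy before revoking DBA from an application schema.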