I am a DBA and I take offense at your language :-). At my workplace,
I currently own the sysadm password since nobody wants it. Do I need
it? Answer is NO. Do I want to take it away from developers?
Answer is yes, and given below is my justification.
1. Psoft finance is a SOX compliant application/ database. This
requires us to maintain a tight control over who gets access. For
this reason, SYSADM password has been changed and taken away from
everyone. People who know sysadm password are the ones who don't use
it (myself and production control team who are the keepers of most of
2. We don't need SYSADM password to move any changes since we use STAT
for that. STAT is owned by production control to move changes into
3. Off-hours account has been setup for anyone who needs update
access to tables. Passwords for these accounts can be obtained by
support team (with password life of 24 hours) by going thru a password
checkout procedure followed by a change control document describing
the need for the password.
4. Core app team has been given procedures that they can call to kill
sessions without calling us DBAs. These are audited and a log
maintained for the same.
5. All jobs running on the db server (SQRs, COBOLs, etc.) run under
os-authenticated accounts and those OS accounts (unix accounts) don't
have login enabled. The master scheduler (ControlM) su's to those
accounts and runs the job. Privs are granted to os-authenticated
accounts to carry out their tasks.
6. Some jobs come thru process scheduler. Normal stuff.
8. Unix access to the "psoft" account that owns the software on
app/web servers are locked down and production control owns the
password. Off-hour unix accounts are setup so that app support team
can look at logs if needed. They can also get the "psoft" account if
needed by going thru the password check-out/change control process.
9. All accounts in db follow standard password conventions, audited
by internal/external auditors for access privileges. We provide
auditors with the full list of IDs, their privileges, and the method
by which we generate the report.
10. Next step (in the next 3 months) is to implement Oracle OVD and
tie end user accounts/password or users to their windows/domain
account/password. That way, there won't be password sharing by people
unless they want to share their emails, personal info, etc.
I guess different clients have different security requirements. There
is no "one solution fits all" type of solution. You have to customize
the security to the requirement of the organization and the rules
imposed by internal security and external auditing.
Don't blame the DBA :-). We implement security solutions defined by
someone above us. If none is defined, we define one as we are
responsible for security in the db. I have done this for 7 years at
my current client place. For PeopleSoft, we have achieved a good
balance on security. Can't say the same for some other apps/DBs that
I manage :-).
--- In psftdba@yahoogroups.com, Shaun <shaundl@...> wrote:
> Hi Clark,
> in my experience, it ends with the DBAs being overrun with work,
> in fact we are just doing the opposite and letting more have the
> password, so as to reduce the load on the DBA team and spread cover
> (hols, sick, out of hours).
> ________________________________
> From: the dragon <ceprn@...>
> To: psftdba@yahoogroups.com
> Sent: Friday, 14 November, 2008 4:04:51 PM
> Subject: PeopleSoft DBA Forum Question for the community regarding
> access to the sysadm password
> At my current employer, we have an over-zealous (PITA) DBA trying to
> champion removing the sysadm password from the PeopleSoft admins. I
> am trying to get a feel from the community as to the "best practice"
> on this thought. I have a list of reasons why it would be a poorly
> thought out plan, including implementations and upgrades requiring the
> change assistant. Can you provide any additional reasons for having
> this access? Also, what are you doing at your shop?
> clark 'the dragon' willis
> PSA: Salary <> Slavery. If you earn a salary, your employer is
> renting your services for 40 hours a week, not purchasing your soul.
> Your time is the only real finite asset that you have, and once used
> it can never be recovered, so don't waste it by giving it away.
> I work to live; I don't live to work.
> "Time is the coin of your life. It is the only coin you have, and
> only you can determine how it will be spent. Be careful lest you let
> other people spend it for you." -- Carl Sandburg (1878 - 1967)
> It is impossible to defeat an ignorant man in argument. -- William
> Religion is regarded by the common people as true, by the wise as
> false, and by the rulers as useful. -- Seneca
> "I distrust those people who know so well what God wants them to do
> because I notice it always coincides with their own desires." - Susan