
RE: PeopleSoft DBA Forum Re: Question for the community regarding access to the sysadm password

  • the dragon
    Message 1 of 8, Nov 16, 2008
      I agree that developers should not have the sysadm password, but this is more geared to organizations which have DBAs and PSAs who don't share the same body.  Thank you for your information, though.
       
      peace,
      clark 'the dragon' willis

      PSA: Salary <> Slavery. If you earn a salary, your employer is renting your services for 40 hours a week, not purchasing your soul. Your time is the only real finite asset that you have, and once used it can never be recovered, so don't waste it by giving it away.

      I work to live; I don't live to work.

      "Time is the coin of your life. It is the only coin you have, and only you can determine how it will be spent. Be careful lest you let other people spend it for you." -- Carl Sandburg (1878 - 1967)

      It is impossible to defeat an ignorant man in argument. -- William G. McAdoo

      Religion is regarded by the common people as true, by the wise as false, and by the rulers as useful. -- Seneca

      "I distrust those people who know so well what God wants them to do because I notice it always coincides with their own desires." - Susan B. Anthony








       
      Hi,

      I am a DBA and I take offense at your language :-). At my workplace,
      I currently own the sysadm password since nobody wants it. Do I need
      it? Answer is NO. Do I want to take it away from developers?
      Answer is yes and given below is my justification.

      1. Psoft finance is a SOX compliant application/ database. This
      requires us to maintain a tight control over who gets access. For
      this reason, SYSADM password has been changed and taken away from
      everyone. People who know sysadm password are the ones who don't use
      it (myself and production control team who are the keepers of most of
      the passwords).
      2. We don't need SYSADM password to move any changes since we use STAT
      for that. STAT is owned by production control to move changes into
      production.
      3. Off-hours account has been setup for anyone who needs update
      access to tables. Passwords for these accounts can be obtained by
      support team (with password life of 24 hours) by going thru a password
      checkout procedure followed by a change control document describing
      the need for the password.
      4. Core app team has been given procedures that they can call to kill
      sessions without calling us dba's. These are audited and a log
      maintained for the same.
      5. All jobs running on the db server (sqr's, cobol's etc.,) run under
      os-authenticated accounts and those OS accounts (unix accounts) don't
      have login enabled. The master scheduler (ControlM) su's to those
      accounts and runs the job. Privs are granted to os-authenticated
      accounts to carry out their tasks.

      6. Some jobs come thru process scheduler. Normal stuff.

      8. Unix access to the "psoft" account that owns the software on
      app/web servers are locked down and production control owns the
      password. Off-hour unix accounts are setup so that app support team
      can look at looks if needed. They can also get the "psoft" account if
      needed by going thru the password check-out/change control process.

      9. All accounts in db follow standard password conventions, audited
      by internal/external auditors for access privileges. We provide
      auditors with the full list of id's, their privileges, and the method
      by which we generate the report.

      10. Next step (in the next 3 months) is to implement Oracle OVD and
      tie end user accounts/password or users to their windows/domain
      account/password. That way, there won't be password sharing by people
      unless they want to share their emails, personal info etc.,

      I guess different clients have different security requirements. There
      is no "one solution fits all" type of solution. You have to customize
      the security to the requirement of the organization and the rules
      imposed by internal security and external auditing.

      Don't blame the dba :-). We implement security solutions defined by
      someone above us. If none is defined, we define one as we are
      responsible for security in the db. I have done this for 7 years at
      my current client place. For peoplesoft, we have achieved a good
      balance on security. Can't say the same for some other apps/db's that
      I manage :-).

      Sincerely,

      Shaji.

      --- In psftdba@yahoogroups.com, Shaun <shaundl@...> wrote:
      >
      > Hi Clark,
      >
      > in my experience, it ends with the DBA's being over run with work,
      in fact we are just doing the opposite and letting more have the
      password, so as to reduce the load on the DBA team and spread cover
      (hols, sick, out of hours).
      >
      > regards
      > Shaun
      >
      >
      >
      >
      > ____________ _________ _________ __
      > From: the dragon <ceprn@...>
      > To: psftdba@yahoogroups.com
      > Sent: Friday, 14 November, 2008 4:04:51 PM
      > Subject: PeopleSoft DBA Forum Question for the community regarding
      access to the sysadm password
      >
      >
      > At my current employer, we have an over-zealous (PITA) DBA trying to
      champion removing the sysadm password from the PeopleSoft admins. I
      am trying to get a feel from the community as to the "best practice"
      on this thought. I have a list of reasons why it would be a poorly
      thought out plan, including implementations and upgrades requiring the
      change assistant. Can you provide any additional reasons for having
      this access? Also, what are you doing at your shop?
      >
      > peace,
      > clark 'the dragon' willis
      >
      > PSA: Salary <> Slavery. If you earn a salary, your employer is
      renting your services for 40 hours a week, not purchasing your soul.
      Your time is the only real finite asset that you have, and once used
      it can never be recovered, so don't waste it by giving it away.
      >
      > I work to live; I don't live to work.
      >
      > "Time is the coin of your life. It is the only coin you have, and
      only you can determine how it will be spent. Be careful lest you let
      other people spend it for you." -- Carl Sandburg (1878 - 1967)
      >
      > It is impossible to defeat an ignorant man in argument. -- William
      G. McAdoo
      >
      > Religion is regarded by the common people as true, by the wise as
      false, and by the rulers as useful. -- Seneca
      >
      > "I distrust those people who know so well what God wants them to do
      because I notice it always coincides with their own desires." - Susan
      B. Anthony
      >
      >
      >
      >



