By Tanu Sood-Oracle on Feb 27, 2013
Author: Kevin Moulton
You are responsible for managing accounts in the databases. You have lots of databases from lots of vendors. Oracle Database, SQL Server, Sybase, DB2. You manage the DBAs, so you have to give them privileges. In turn, they grant privileges to the user community. Some applications are off the shelf, and others are home grown, but they all store data in one of your databases. Some store their users in a directory, some use a user table in a database, and some use standard database users. In other words, you have a management mess on your hands!
The IT department is implementing some kind of automation and workflow tool, and they tell you that managing the database users is on their roadmap, but it’s buried way down the list. Of course it is! IT is not responsible for the databases. You are!
Budgets are tight, and you’re not getting the headcount you need to manually create and manage users, maintain the databases, and troubleshoot application problems when users don’t see the data they expect. That shouldn’t even be your problem, but of course they come to your team for everything. The auditors are after you about your costly and inconsistent manual processes and lack of controls, and demanding that you bring your environment into compliance with SOX, PCI, HIPAA, or whatever. Your users have to remember a different password for every database. Your DBAs use shared accounts that everyone knows the password to, including about 10 people that don't even work there anymore, but you're afraid to change it because you don't know what might break.
So, what can you do?
Oracle User Management for Databases (UM4DB) could be exactly what you are looking for. Oracle UM4DB is simply components of the Oracle Identity Governance Suite configured specifically for managing your heterogeneous database environment.
UM4DB will allow you to automate the management of access to your databases. If a new user needs access to a database, that user or the user's manager would request access through a simple web GUI to a database or an application, and then the UM4DB connectors would create the required accounts with the appropriate privileges based on your rules. For compliance purposes, you could include a management approval step before access is granted.
You could even configure UM4DB to take a feed from HR, or take a feed from multiple sources of new employees and contractors, and then grant these users the access they require based on rules that you configure. In my experience, these rules are easy to create, because your DBAs have all of the rules in their heads. You just need to translate their experience into simple access rules. For example, a rule may be created where everyone in HR gets access to the employee database, along with certain roles they need.
Figure 1 End Users can request application access via a self-service GUI
Once these rules are in place, your auditors will be happy, because not only will the appropriate access to your databases and applications be granted automatically and consistently, but that access would be appropriately modified when that user's position changes, and taken away automatically when that user leaves your organization. This is the least privilege model you've always hoped for.
Reports within UM4DB will show you who has access to what, when they got it, who requested it, and who approved it. UM4DB could also be easily configured to perform recertification/attestation jobs at a frequency you determine, to make your auditors even happier. Your end users will be happier too, because UM4DB will maintain a record of all of the access they have, allowing them to change their password in one place. That password change would then be propagated to all of the databases they have access to. There go all of those annoying help desk calls. The days of your DBAs spending all of their time on account management and password resets are over! Don’t they have better things to do?
Your DBAs don’t need the headaches of user management, password management, and compliance. UM4DB can make them go away.
About the Writer:
Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.
Previous Posts from the Writer: