OraFAQ Forum: Server Administration » How can prevent DBA user from disabling any trigger ?

Home » RDBMS Server » Server Administration » How can prevent DBA user from disabling any trigger ? (oracle 10.2.0.4 , solaris spark)

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

How can prevent DBA user from disabling any trigger ? [message #512339]

Sun, 19 June 2011 07:10

halim
Messages: 100
Registered: September 2008

Senior Member

Dears

How can prevent DBA user from disabling any trigger ?
suppose DBA user can't be able to execute following command

ALTER TRIGGER {trigger_name} DISABLE;

how can i protect it?

Thanks
Halim

Report message to a moderator

Re: How can prevent DBA user from disabling any trigger ? [message #512341 is a reply to message #512339]

Sun, 19 June 2011 07:46

John Watson
Messages: 8931
Registered: January 2010
Location: Global Village

Senior Member

You refer to a "DBA user", presumably that is a user who has been grantef the DBA role? One privilege granted to that role is ALTER ANY TRIGGER. You could revoke it. But your DBA could then grant it again. What are you trying to achieve? Don't you trust him?
Regards, John.

Report message to a moderator

Re: How can prevent DBA user from disabling any trigger ? [message #512380 is a reply to message #512341]

Sun, 19 June 2011 23:25

halim
Messages: 100
Registered: September 2008

Senior Member

Thanks Watson,

actually i am trying to protect my db from any type of altering by a DDL trigger like below,
but ALTER TRIGGER {trigger_name} DISABLE is not working. such as


SQL>
SQL>
SQL> conn logg@test123
Enter password:
Connected.
SQL>
SQL>
SQL> CREATE OR REPLACE TRIGGER tri_ddl_alter
  2     BEFORE  ALTER  ON database ---on schema
  3  DECLARE
  4     oper   ddl_attemp_log.operation%TYPE;
  5  BEGIN
  6     SELECT ora_sysevent
  7       INTO oper
  8       FROM DUAL;
  9
 10  IF oper = 'ALTER'
 11     THEN
 12        raise_application_error   (-20997,
 13                       'ALTER In Production DB Has Been Restricted contract w
ith DBA'
 14                      );
 15
 16     END IF;
 17  END tri_ddl_alter;
 18
 19
 20  /

Trigger created.

SQL>
SQL>
SQL> create table t_1 (id number);

Table created.

SQL> ALTER TABLE t_1
  2  ADD name varchar2(20) ;
ALTER TABLE t_1
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20997: ALTER In Production DB Has Been Restricted contract with DBA
ORA-06512: at line 10


SQL>
SQL> ALTER TRIGGER LOGG.TRI_DDL_ALTER disable;

Trigger altered.

SQL>
SQL> ALTER TRIGGER LOGG.TRI_DDL_ALTER enable;

Trigger altered.

SQL>
SQL> ALTER TRIGGER LOGG.TRI_DDL_ALTER disable;

Trigger altered.

SQL>
SQL>

Thanks
Halim

Report message to a moderator

Re: How can prevent DBA user from disabling any trigger ? [message #512387 is a reply to message #512380]

Mon, 20 June 2011 01:16

Michel Cadot
Messages: 68648
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

You cannot protect against a DBA unless you buy Database Vault.

Regards
Michel

Report message to a moderator

Previous Topic:	Archive log
Next Topic:	Move job to other database

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu May 02 03:07:52 CDT 2024