Determining a Database Security Policy

This list was adapted from a similar list found in Oracle Database Administration: The Essential Reference, by David Kreines and Brian Laskey.  ©1999 O'Reilly & Associates.  Pages 98-99.


Below is a list of some of the questions a DBA should ask (and answer!) when determining a database security policy.  Such a policy needs to be approved by management (who will often provide most of the answers).  The policy should also be developed with input from the server's system administrator(s) as well as the organization's network administrator.

The questions the database security policy must address are grouped below into related sections.  Note that there is some overlap between sections.  The questions are:

User Access to the Database

Every user must connect to the database with an authorized userid and password.

Read Sensitivity of the Data

By default the data in a table (or other schema object) is readable to the userid that owns that table (or object), and users with the SELECT ANY TABLE system privilege.  You need to decide who is allowed to access what data.

Write Sensitivity of the Data

These questions determine who has access to add, modify, and delete data.  By default a table can be modified by the userid that owns it and by any user granted the corresponding system privileges (INSERT ANY TABLE, UPDATE ANY TABLE, and DELETE ANY TABLE).

Audit Policy

These questions determine how much accountability you need.  Auditing will allow you to determine who has accessed which data, when, and how (read, insert, update, delete).  For each set of data the DBA must decide:
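The following Oracle SQL is an added example, not part of the original list, showing how a DBA might put the read-sensitivity, write-sensitivity and audit decisions above into practice: find who holds the broad ANY TABLE system privileges, replace them with object-level grants through a role, and audit access to one sensitive table.  The schema HR, table EMPLOYEES, role PAYROLL_READER and users ALICE and BOB are constructed names; the audit statements use traditional (pre-unified) auditing and assume the AUDIT_TRAIL initialization parameter is set to DB or DB,EXTENDED.

```sql
-- 1. Read/write sensitivity review: which accounts can read or change
--    *every* table, regardless of object-level grants?  Anything other
--    than SYS/SYSTEM and known DBA roles here needs a documented reason.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'INSERT ANY TABLE',
                     'UPDATE ANY TABLE', 'DELETE ANY TABLE')
 ORDER BY grantee, privilege;

-- 2. Least privilege: BOB (constructed name) only needs to read one
--    payroll table, so take away the ANY TABLE privilege ...
REVOKE SELECT ANY TABLE FROM bob;

-- ... and grant exactly the data he is allowed to see, via a role so the
--     policy decision ("who may read EMPLOYEES") lives in one place.
CREATE ROLE payroll_reader;
GRANT SELECT ON hr.employees TO payroll_reader;
GRANT payroll_reader TO bob;

-- Write access is granted separately and only to the maintainers.
-- ALICE (constructed name) may change rows but not delete them.
GRANT INSERT, UPDATE ON hr.employees TO alice;

-- 3. Audit policy: record who read, inserted, updated or deleted rows in
--    the sensitive table.  BY ACCESS writes one audit record per statement;
--    dropping WHENEVER SUCCESSFUL would also record failed attempts.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 4. Accountability check: who touched EMPLOYEES, when, and how?
SELECT username, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;

-- 5. Verify the end state: object grants on the table should match the
--    policy document, with no stray ANY TABLE holders from step 1.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR'
   AND table_name = 'EMPLOYEES'
 ORDER BY grantee, privilege;
```

Steps 1 and 5 are read-only and safe to run on a production instance as a recurring review; steps 2 to 4 change privileges and auditing and should be applied only after the policy has been approved as described above.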

Other Questions