Assigning roles
This section provides general guidelines on how to assign people to accounts and give them access to perform roles. These guidelines must be amended to fit the resources and security policies of your site.
- Have one account for each person who performs a role.

  For example, if multiple users perform the DBSA role, have each person work from a separate account. A one-to-one mapping between accounts and users makes it easier to trace each audit event to a single user.

- Have as few DBSA and DBSSO accounts as possible.

  Accounts that hold the DBSA or DBSSO role can compromise the security of the database server. Limiting the number of accounts that can disrupt the database server lowers the chance that an unscrupulous user can abuse a privileged account.

- Keep the DBSA and DBSSO roles separate.

  You might not have the resources or the requirement to have different users perform the DBSA and DBSSO roles, and HCL OneDB™ does not strictly require this role separation. When you do keep the roles separate, however, each role is constrained to the tasks that its duties specify, which limits the risk of compromising security.

- Keep the AAO role separate from the DBSA and DBSSO roles.

  The AAO determines whether all DBSA or DBSSO actions in the system are audited. It is essential that someone whose role differs from that of the DBSA or DBSSO be in charge of the auditing configuration, so that all users, including the DBSA and DBSSO, are held accountable for their actions in the system. This constrains users to the tasks that their duties specify and limits the risk of compromising security.

- Limit access to the onedb account, because it can bypass role-separation enforcement and other database server access-control mechanisms.