Contractor Access to Company Databases

  •  Hi there

    I need to get some feedback about DBA Contractor access to our company databases. I am a DBA and from time to time we get DBA contractors in to perform development work on specific systems. The group that they currently get added to gives them access to all systems in the company (we have a lot of systems from payroll to customers etc). I might add that our company is a well-known financial institution in our country.

    How are other DBAs treating contractors in their company? I have no problem giving them the access they need to perform the task that they are contracted to do, but should they get full access?

    How does this fit in with Sarbanes Oxley?

    Your feedback would be much appreciated.

    Thank you

  • As an independent DBA I encounter this often. If I'm to perform DBA tasks on prod systems then I need the access to do the task. I know SOX prefer it that you log on as an account under your own name, so there's some sort of audit trail, and they prefer that you are not a sysadmin - but it's not possible to have a system without sysadmins - I usually connect with integrated security through a DBA group - seemed fine for them.

    Don't know if this helps at all?

    The GrumpyOldDBA
    www.grumpyolddba.co.uk
    http://sqlblogcasts.com/blogs/grumpyolddba/

  • Are you asking for a proscribed way of limiting access? If so, there are many ways to achieve this but my favourite first step is, as Colin quite rightly states, to give the contractor a specific domain login with minimal privileges.

    It should then be a simple matter to add that domain login to the specific SQL Server instance and assign server roles (sysadmin etc.) or database specific privileges (db owner, datareader etc.).

    This scheme gives you the best chance at a meaningful audit trail and, even better, the domain account can be set up to expire at a predetermined date thus ensuring the access lasts no longer than it should.

    Malcolm
    DB Ghost - Build, compare and synchronize from source control = Database Change Management for SQL Server
    www.dbghost.com
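
The scheme described in the post above, sketched in T-SQL as an added example that is not part of the original thread. The account `CORP\contractor_jsmith`, the database `LoansDev` and the choice of roles are hypothetical and assume development work on a single database.

```sql
-- Hypothetical names: CORP\contractor_jsmith (domain account), LoansDev (database).
-- The account expiry date is set on the domain account in Active Directory, not here.
USE master;
GO
-- Windows-authenticated login under the contractor's own name, no server roles granted.
CREATE LOGIN [CORP\contractor_jsmith] FROM WINDOWS
    WITH DEFAULT_DATABASE = [LoansDev];
GO

USE LoansDev;
GO
-- Map the login into the one database the contract covers.
CREATE USER [CORP\contractor_jsmith] FOR LOGIN [CORP\contractor_jsmith];
-- Database-scoped roles only (SQL Server 2012+ syntax; older versions use sp_addrolemember).
ALTER ROLE db_datareader ADD MEMBER [CORP\contractor_jsmith];
ALTER ROLE db_datawriter ADD MEMBER [CORP\contractor_jsmith];
ALTER ROLE db_ddladmin   ADD MEMBER [CORP\contractor_jsmith];
GO

-- Check 1: server-level roles held directly by the login. Expect no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'CORP\contractor_jsmith';

-- Check 2: every permission path for the account, including Windows groups.
-- A row naming a broad DBA group means the account still inherits that group's access.
EXEC xp_logininfo @acctname = N'CORP\contractor_jsmith', @option = 'all';

-- Check 3: databases the account can actually open on this instance.
-- Run as a sysadmin. Expect LoansDev plus system databases that allow guest access.
EXECUTE AS LOGIN = N'CORP\contractor_jsmith';
SELECT name FROM sys.databases WHERE HAS_DBACCESS(name) = 1;
REVERT;
```

Run the three checks on each instance the contractor can reach; the login being absent from an instance is the expected result everywhere outside the contracted system.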

  • I agree: give them only the access they need, with the least amount of privileges needed to do what they were contracted for.
