How to stop fraud by DBAs
Chris Savage
09-20-2001, 04:51 AM
We have some large clients who are worried about how to stop their DBAs from
committing fraud. We market a pensions administration system which sits on
SQL Server or Oracle. The clients need to be sure a DBA cannot change a bank
account or other personal data without a permanent log of the action being
made.
If anyone has any experience of this I would be grateful for any information
or a url to a relevant web page.
Thanks
Chris Savage
DaveSatz
09-21-2001, 11:28 AM
If the DBA is the owner of the database or possibly even capable of logging
in as 'sa', then there is no way to prevent them from doing anything. You can
create triggers to audit changes to the data, but they would be able to
disable or change the triggers. The only thing you can do is capture
events using SQL Profiler. See BOL under "Auditing SQL Server Activity".
--
HTH,
David Satz
Principal Software Engineer
Hyperion Solutions
{ SQL Server 2000 SP1/7.0 SP3/6.5 SP5a } { Cold Fusion 5/4.5.1 SP2 } { VSS }
(Please reply to group only - emails answered rarely)
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
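Added example, not part of the original posts: a T-SQL sketch of the audit trigger mentioned in the reply above, plus a query that reports triggers that exist but are disabled. The table `dbo.BankAccount` and its columns `MemberId`, `SortCode` and `AccountNo` are hypothetical names chosen for illustration.

```sql
-- Assumed (hypothetical) source table: dbo.BankAccount(MemberId, SortCode, AccountNo)
CREATE TABLE dbo.BankAccountAudit (
    AuditId      INT IDENTITY(1,1) PRIMARY KEY,
    ChangedAt    DATETIME      NOT NULL DEFAULT GETDATE(),
    LoginName    NVARCHAR(128) NOT NULL DEFAULT SUSER_SNAME(), -- login that made the change
    HostName     NVARCHAR(128) NOT NULL DEFAULT HOST_NAME(),   -- client workstation name
    Action       CHAR(1)       NOT NULL,                       -- I, U or D
    MemberId     INT           NOT NULL,
    OldSortCode  CHAR(6)       NULL,
    OldAccountNo CHAR(8)       NULL,
    NewSortCode  CHAR(6)       NULL,
    NewAccountNo CHAR(8)       NULL
);
GO

CREATE TRIGGER trg_BankAccount_Audit ON dbo.BankAccount
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- 'deleted' holds the before-image, 'inserted' the after-image.
    -- A row present in only one of them is a pure insert or delete.
    -- (An UPDATE that changes MemberId itself appears as a D row plus an I row.)
    INSERT INTO dbo.BankAccountAudit
        (Action, MemberId, OldSortCode, OldAccountNo, NewSortCode, NewAccountNo)
    SELECT CASE WHEN d.MemberId IS NULL THEN 'I'
                WHEN i.MemberId IS NULL THEN 'D'
                ELSE 'U' END,
           COALESCE(i.MemberId, d.MemberId),
           d.SortCode, d.AccountNo,
           i.SortCode, i.AccountNo
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.MemberId = i.MemberId;
END
GO

-- Integrity check: list triggers that are present but currently disabled.
SELECT name                    AS TriggerName,
       OBJECT_NAME(parent_obj) AS TableName
FROM sysobjects
WHERE type = 'TR'
  AND OBJECTPROPERTY(id, 'ExecIsTriggerDisabled') = 1;
```

As the reply points out, a login with 'sa' or database-owner rights can still disable or change the trigger, so the last query only helps when it is run and its output kept by someone other than the DBA.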
Chris Savage
09-24-2001, 05:49 AM
Thanks. I take it you are pointing me towards "C2 Auditing". Does anyone
have experience of this they could share?
I notice from the help that the DBA could still start the database with a
switch which turned off the logging - so theoretically he could take the
database down, restart it without logging, do his dirty deed then restart it
again.
I'm just putting questions into the mouths of my clients - in all likelihood
the fact that it followed a security standard set by the US govt. would
probably satisfy them.
Chris Savage
devx.com