The Black Book of Identity Access Mgmt

    Thursday, Dec 01, 2011

    I'm so special

    For our recent anniversary, my wife and I went for the first time to an excellent little restaurant called Scapa, in a little burg called Clarendon Hills, Illinois. The food was excellent, the service was great, and when my wife none-too-subtly let it drop to the manager that it was our anniversary, he bought us tiramisu for dessert.

    Shortly thereafter, I was in Detroit, and got to the airport late for my return home. As I walked up to the security line, my heart sank; it was HUGE. I had no status in that particular terminal, either. But I boldly asked the lady with the badge around her neck, “Is there a priority line?”

    “Yes,” she said, “right here.” And she opened up the little rope and let me in. I don’t believe I was meant to be there, but I took it. Fine, so I’m a scumbag. That little bump saved me TONS of time, and I showed up at my gate just in time for early boarding. It’s good to have privileges.

    Whenever I’m seated in an exit row and they ask if I’m qualified, I always say, “Yes. Throw the switch, open the door, inflate the slide, and be sure to yell Wheee! all the way down.”

    In the Detroit airport this fall, I got to the security line, and it was HUGE. I asked the lady standing there, is there a priority line? She asked if I was priority. Well, yeah, on a particular airline, I said. She just thumbed me along, not wishing to put out the energy to check. This saved me TONS of time. So then I got early boarding at the gate.

    But the misuse of privileges is a massive issue for many organizations. I was in the frozen north recently for an outing in which a room packed with the customer’s HR, provisioning, help desk, and database personnel horrified me with their lack of documented procedures. They had a limited number of DBAs with every privilege in the world. They had service accounts that were never monitored or attested to.  

    The traditional take on DBAs has always been that they can do anything they want. Well, why? Let them create or alter tables, apply patches, size resources, etc. But why should they have access to actual business data?

    I talk to orgs all the time who say, we only have three, four, five DBAs. It’s not worth the hassle of deploying tools to monitor or limit these guys. I say, it’s all the more reason. These guys constitute a huge potential liability.

    I pitch things like Oracle Database Vault, for preventive protection. You’re the DBA? Do your job, and no other. Service account? Who says it should have every right in the world? Limit it to the realm of data to which it belongs, like PeopleSoft, or SAP, or E-Business Suite. And service accounts should never have the privileges of a DBA, like the ability to ADD or DROP tables.

    Hand your builder a hammer to help build and maintain your structure. Don’t give him a sledge hammer to potentially knock it down.
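
The realm idea described above, as an added example that is not part of the original post: a Database Vault realm around one application's schema, with only its service account authorized, followed by a check that the account holds no DBA-style privileges. The schema `PSFT_APP`, the account `PSFT_SVC` and the realm name are hypothetical; it assumes Database Vault is enabled and the session has the `DV_OWNER` role.

```sql
-- Run as a Database Vault owner (DV_OWNER role). PSFT_APP and PSFT_SVC are
-- hypothetical names for an application schema and its service account.
BEGIN
  -- Realm around the application's data; audit failed access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'PeopleSoft Data Realm',
    description   => 'Business data owned by the PSFT_APP schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect every object in the schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'PeopleSoft Data Realm',
    object_owner => 'PSFT_APP',
    object_name  => '%',
    object_type  => '%');

  -- Only the service account is authorized in the realm. DBAs are not
  -- listed, so system privileges such as SELECT ANY TABLE no longer
  -- reach the business data inside it.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'PeopleSoft Data Realm',
    grantee      => 'PSFT_SVC',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Attestation check: the service account should hold neither the DBA role
-- nor ANY / DROP / CREATE TABLE system privileges. An empty result is the
-- desired state; any row returned is a grant to review.
SELECT grantee, granted_role AS privilege
  FROM dba_role_privs
 WHERE grantee = 'PSFT_SVC'
   AND granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'PSFT_SVC'
   AND (privilege LIKE '% ANY %'
        OR privilege LIKE 'DROP %'
        OR privilege LIKE 'CREATE %TABLE');
```

The realm keeps privileged administrators out of the data, while the query covers the other half of the argument: keeping the service account's own grants narrow.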