Vikas:
OK, so to be clear, you do not want your DBAs to be able to become user "informix" so that they cannot query user databases, but you do want them to be able to start and stop the instance(s), run all onstat and other DBA utilities (ex: oncheck, onbar, ontape, onparams, onspaces, archecker, onpsm, etc.). Correct?
So, just add those user ids to group "informix" in the OS (assuming UNIX/Linux OS) and revoke connect permissions from those user ids and from the pseudo-user "public" on all user databases. That should do it. If you want to be paranoid you can also explicitly revoke any existing permissions from those ids and from "public" on every table in each user database.
Note that the downside of this is that your DBAs will not be able to alter tables or indexes, create new tables and indexes, grant privileges to new users in those databases, etc. unless you grant them DBA privileges and if you do that, then any DBA who has evil intent can just grant privileges to themselves to access the data anyway.
Honestly, I do not know of any site that does not allow DBAs to become "informix", at least by using sudo su ... Sites that are that protective of their data just turn auditing on instead so their security folk can see who has done what.
Art
------------------------------
Art S. Kagel, President and Principal Consultant
ASK Database Management Corp.
www.askdbmgt.com
------------------------------
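
The revocation steps from the reply above, written out as an added example in Informix SQL (not part of the original thread). The names `userdb`, `dba1` and `app_user` are hypothetical; the script assumes it is run once per user database, for example through dbaccess, by a user holding DBA privilege on that database.

```sql
-- Added example. 'userdb', 'dba1' and 'app_user' are hypothetical names.
DATABASE userdb;

-- 1. Record who holds database-level privileges before changing anything.
--    usertype: 'C' = Connect, 'R' = Resource, 'D' = DBA, 'G' = role
SELECT username, usertype
  FROM sysusers
 ORDER BY username;

-- 2. Accounts that connected only through PUBLIC lose access in step 3,
--    so give application accounts their own grant first.
GRANT CONNECT TO app_user;

-- 3. Remove database-level access from the DBA's id and from PUBLIC.
--    Skip any statement whose grantee is not listed in step 1.
--    An id listed as 'R' or 'D' holds more than Connect; revoke that
--    level as well (REVOKE RESOURCE ... / REVOKE DBA ...).
REVOKE CONNECT FROM dba1;
REVOKE CONNECT FROM PUBLIC;

-- 4. The "paranoid" step: find table-level privileges still held by
--    those grantees on user tables (system catalog tabids are below 100).
SELECT t.tabname, a.grantor, a.grantee, a.tabauth
  FROM systabauth a, systables t
 WHERE a.tabid = t.tabid
   AND t.tabid >= 100
   AND LOWER(a.grantee) IN ('public', 'dba1')
 ORDER BY t.tabname, a.grantee;

-- 5. For each table reported by step 4, revoke explicitly, for example:
--    REVOKE ALL ON <tabname> FROM PUBLIC;
--    REVOKE ALL ON <tabname> FROM dba1;

-- 6. Verify: 'public' and 'dba1' should no longer appear here, and a
--    rerun of the step 4 query should return no rows.
SELECT username, usertype
  FROM sysusers
 WHERE LOWER(username) IN ('public', 'dba1');
```

Keep the output of steps 1 and 4 so the original grants can be restored if an application turns out to depend on PUBLIC.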
Original Message:
Sent: Thu July 04, 2024 02:10 AM
From: Vikas H
Subject: How to set up DBSA role or equivalent
Dear Art,
The current setup allows informix id to have unlimited access to the data. I want to revoke the informix access from the dba and give him only administrative access such that he can perform all the administrative tasks but cannot access any data using dbaccess.
The documentation suggests that I have to use one of the onconfig parameters and mention the DBA's user id against it, and add that id to the informix group (so I don't need to change oninit permissions).
Not sure if the DBA's id in the informix group and with the DBSA role will still get access to the data in tables, and will it be safe to start the instance with the DBA's id and not with informix?
Regards,
Vikas Hivarkar
Original Message:
Sent: 7/3/2024 2:36:00 PM
From: Art Kagel
Subject: RE: How to set up DBSA role or equivalent
Vikas:
The DBSA role is used to allow other user ids to do whatever user "informix" can do.
What is it you want to accomplish?
Art
------------------------------
Art S. Kagel, President and Principal Consultant
ASK Database Management Corp.
www.askdbmgt.com
Original Message:
Sent: Wed July 03, 2024 09:51 AM
From: Vikas H
Subject: How to set up DBSA role or equivalent
Dear All,
Informix 14 on Hp-Unix
Need to restrict the usage of the "INFORMIX" user ID by DBAs. Is the DBSA role a good option, and can someone help me with how to use it? I checked the documentation but could not figure it out myself.
Regards,
Vikas H