Discussion:
sa_role and sso_role
(too old to reply)
Bkiddo
2009-11-04 06:15:11 UTC
Permalink
Hi, looking at a table of sysloginroles, found several users with sa
and sso roles; besides sa and other extra account , isn't it a
security problem to find 8 or 7 users with this privileges assigned?

(newbie on sybase)
Carl Kayser
2009-11-04 11:35:02 UTC
Permalink
Post by Bkiddo
Hi, looking at a table of sysloginroles, found several users with sa
and sso roles; besides sa and other extra account , isn't it a
security problem to find 8 or 7 users with this privileges assigned?
(newbie on sybase)
Sort of. It depends upon who defines "security problem". It may also
depend upon your staffing needs; do you have separate SA/SSO staff available
for your production requirements? In some cases it might be adequate to
have some staff with only the SSO role and they do the real security
checking whereas the staff with both roles do only SA work in actuality.

I use SQL-BackTrack and in order to do a logical dump/load of a database
both of those roles are needed. (A logical dump/load allows me to shrink a
database as well as compactify it since everything is compiled from
syscomments and all of the data is bcp'ed in. Also the object dependencies
are corrected.)

There is an ISUG Enhancement Request
(http://my.isug.com/p/is/vi/iid=2019&type=1) for an sa_read_only role that
would provide for an SA "look and see but don't touch" capability.
Apparently this is needed in some banking environments.
Bret_Halford
2009-11-04 16:46:36 UTC
Permalink
Post by Bkiddo
Hi, looking at a table of sysloginroles, found several users with sa
and sso roles; besides sa and other extra account , isn't it a
security problem to find 8 or 7 users with this privileges assigned?
(newbie on sybase)
Having multiple users with the roles is far better than having
multiple people
all sharing the same login.

I don't think having 8 people with the roles would be that unusual for
a large company running 24x7 - you would need about that many to
have someone available on each shift with a backup for illness,
vacation, etc.
Bkiddo
2009-11-04 18:59:48 UTC
Permalink
Which query could tell me if I have several users sharing the same
login???
Carl Kayser
2009-11-05 11:10:25 UTC
Permalink
Post by Bkiddo
Which query could tell me if I have several users sharing the same
login???
No guarantees on finding users sharing an account/password. If you have
auditing set up you can check the loginname column with the client subfield
of the extrainfo column in the sysaudits_N tables. Another possibility
might be to record similar info via login triggers. I wouldn't describe
either technique as simple.

Loading...