Database Reference
Figure 17-1. First screen in Enterprise Manager—summary page
An interesting point about EM is that security practitioners and auditors rarely get their hands on it and in many
circumstances are not aware that it exists. This is partly the reason why separate security monitoring and scanning
tools abound—because the DBAs don't grant EM access to the folks responsible for securing and auditing. This is
understandable, as EM really does give transparency into an estate, and a busy DBA with overzealous auditors is likely
to want to hide their estate rather than give a competing department a stick to beat the database team with. I would
like to initiate an improvement in this status quo, and so does EM12c, as evidenced by its specialized auditor role
with just View privileges—not Administrator. It is worthwhile for auditors and security folks to grant the DBA team
“indemnity from prosecution” as an inducement to gain this access to EM. An “amnesty period” may be required
simply to reconcile the gap between what the compliance auditors have thought was happening and what has actually
been happening.