I will be more specific. In our environment, we created a special user group for each major product that had separate administrators. I.e. ORACLE has its own OpenVMS group number. Then we added individual user accounts in the same group with ORACLE but different member numbers.
We then gave each user the same privs as ORACLE. Within ORACLE, we defined each user to have the DBA role and all the other accessory roles that go with that. We relaxed the ORACLE directory permissions so that GROUP had the same permissions as owner. We assured that each user logged in as ORA_SAM or ORA_JACK or ORA_SALLY, etc.
ORACLE will REPEAT will work just fine and yet everyone has distinct logins. By making ORACLE its own group that isn't within the boundaries of MAXSYSGROUP, you can run the utilities you need from any of the ORAxxx accounts described above, because the ORACLE warnings about "SYSTEM not allowed to issue this command" don't ever kick in. You might have SYSPRV when you do your work as ORAxxx, but you aren't a "true" member of SYSTEM.
If you think YOU have auditing issues, just imagine what I have with a Dept. of Defense system. Yet because of our design and the care we exhibit in splitting out our users as described above, we have a 3-year Authority To Operate on a Dept. of Defense network. That's as much as anyone ever gets. You haven't SEEN auditing until you've had to provide DoD auditing reports.
Sami, I most strongly urge you to consider the above line of thinking, even if you don't do it exactly like I described. Just come close and you won't have an issue.
Another trick we played was that the ORAxxx accounts come up with all the ORACLE privileges but not by default. They are authorized but not enabled. The ORACLE DBAs have to issue a second command to enable their privileges, just to sort of force them to pay attention to what they are doing. AND they know I've got auditing turned on and operator logging wide open. So anything they do, I'll know about.
Sr. Systems Janitor
