While no single set of procedures best fits every possible system configuration and meets all site requirements, consider the following suggestions for best practices in creating users.
- Create separate users for the security administrator and database administrator.
Establish a security administrator user to perform security-related tasks. The biggest threat to security is misuse of information or privileges by authorized users. Do not give a single user the privileges for everything. Do not give an administrative user unnecessary access to anything.
- Make sure all users are uniquely identified. Do not allow multiple users to log on to Vantage using the same user name.
If you set up users as unique, you can monitor their activities and are more likely to identify the source of a security breach. If users cannot use a generic or shared username, each user is accountable for their own actions. Also, you can decide whether unique users can view information protected by row-level security constraints.
- Consider the function of the user. Create administrative users under separate users/databases so that privileges can be granted from the owning user/database. For example, the HR database and Marketing database can have separate administrative users to manage privileges for their respective users.
- For non-administrative users, if possible, assign the user to a role with the required privileges rather than granting privileges to the user directly. Managing privileges is easier with roles. Also create profiles for non-administrative users (see Creating User Profiles).
- Limit the permanent and spool space of users and grant additional space later if necessary. Limiting spool space using a profile allows you to protect the system from runaway queries.
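
The practices above as a Teradata SQL example, added here for illustration and not taken from the Vantage documentation. All user, role, profile and database names, space sizes and passwords are placeholders, and the statements assume a session that already holds the privileges to create these objects.

```sql
-- Constructed example: every name, size and password below is a placeholder.

-- Separate security administrator, distinct from the database administrator.
CREATE USER secadmin FROM DBC AS
  PERMANENT = 1e9,
  SPOOL     = 1e9,
  PASSWORD  = ChangeMe_Placeholder1;
-- Lets secadmin define access logging rules (BEGIN/END LOGGING).
GRANT EXECUTE ON DBC.AccLogRule TO secadmin;

-- Administrative user that owns the HR space, so HR privileges are
-- granted from the owning user rather than from one all-powerful account.
CREATE USER hr_admin FROM DBC AS
  PERMANENT = 10e9,
  SPOOL     = 5e9,
  PASSWORD  = ChangeMe_Placeholder2;
CREATE DATABASE HR FROM hr_admin AS PERMANENT = 8e9;

-- Profile for non-administrative HR users: the spool cap bounds the
-- damage a runaway query can do.
CREATE PROFILE hr_analyst_p AS
  SPOOL            = 2e9,
  TEMPORARY        = 1e9,
  DEFAULT DATABASE = HR;

-- Role that carries the privileges; nothing is granted to users directly.
CREATE ROLE hr_read_r;
GRANT SELECT ON HR TO hr_read_r;

-- One uniquely named user per person, with no permanent space of their own.
CREATE USER jsmith FROM hr_admin AS
  PERMANENT = 0,
  PASSWORD  = ChangeMe_Placeholder3,
  PROFILE   = hr_analyst_p;
GRANT hr_read_r TO jsmith;
MODIFY USER jsmith AS DEFAULT ROLE = hr_read_r;

-- Later, if the group needs more spool, raise it once on the profile.
MODIFY PROFILE hr_analyst_p AS SPOOL = 4e9;
```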