S 2.131 Separation of administrative tasks for database systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, IT Security Officer
Administrators must be appointed to ensure the proper operation of database systems. In addition to general administrative tasks, the administrators are responsible in particular for user administration, including the administration of access rights. They are also responsible for all security issues relating to the database systems in their care.
In addition to the safeguards described in S 2.26 Designation of an administrator and his deputy and S 3.10 Selection of a trustworthy administrator and his substitute, the following items must be taken into consideration for database systems in particular.
It is necessary to differentiate between two basic types of administrator roles:
- the general administration of the database software and
- administration of application-specific issues.
These two tasks should be performed by two different persons, so that general database administration and application-specific administration are not only defined as separate roles but actually separated in practice.
The basic operation of the DBMS, the execution of data backups, or the archiving of databases are part of the general database administration role, for example.
In contrast, application-specific administration entails ensuring that the requirements placed on the database by the individual applications are met. For example, this may include administration of the corresponding database objects, providing the users with support when they encounter problems or have questions, or administration of the corresponding database user IDs. The latter is only possible if the database software supports an authorisation concept in which user IDs can be administered per application, i.e. in which the application administrator's authorisations over the users of its own application can be separated from the general, system-wide authorisations.
The general administrator sets up the administrator user IDs for the application-specific tasks and assigns them the corresponding authorisations; in particular, this includes the right to create databases, but no system-wide rights beyond what the application requires. Rights for the individual users, in contrast, are assigned separately for each application-specific database by the administrator responsible for the corresponding application.
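The following is an added example of how this two-level authorisation concept can be realised in PostgreSQL; it is not part of the BSI text. The role and database names (dba_general, hr_app_admin, hr_db, hr_reader, alice) and the passwords are assumed for illustration. It relies on PostgreSQL 16 or later, where a role with CREATEROLE can only administer the roles it has itself created; on older versions CREATEROLE allowed altering and granting membership in any non-superuser role, so there the separation described above cannot be enforced by the database and the user IDs have to be created by the general administrator instead.

```sql
-- Added example (PostgreSQL 16+ dialect), not from the original safeguard.
-- Role/database names and passwords are assumptions chosen for illustration.

-----------------------------------------------------------------------------
-- Step 1: general database administration (run as a superuser or a role
-- holding CREATEROLE, here assumed to be dba_general).
-- Create the application-specific administrator with exactly the rights the
-- safeguard names: creating databases and managing its own application's
-- user IDs. Nothing system-wide: no SUPERUSER, no REPLICATION, no BYPASSRLS.
-----------------------------------------------------------------------------
CREATE ROLE hr_app_admin
    LOGIN
    PASSWORD 'assumed-initial-password'  -- placeholder; use the organisation's
                                         -- password/authentication mechanism
    CREATEDB                             -- may create (and thereby own) databases
    CREATEROLE                           -- may create/alter/drop only roles it
                                         -- created itself (PostgreSQL >= 16)
    NOSUPERUSER
    NOREPLICATION
    NOBYPASSRLS
    NOINHERIT;

-- Check for the review questions: the application administrator must not be
-- a superuser, but does hold the two delegated rights.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolreplication, rolbypassrls
FROM   pg_roles
WHERE  rolname = 'hr_app_admin';
-- expected: hr_app_admin | f | t | t | f | f

-----------------------------------------------------------------------------
-- Step 2: application-specific administration (run as hr_app_admin).
-- The application administrator creates its database, the database objects
-- and the user IDs of its own application, and assigns rights only there.
-----------------------------------------------------------------------------
CREATE DATABASE hr_db;

-- In psql, switch to the new database as hr_app_admin:
--   \connect hr_db hr_app_admin

-- Remove the implicit rights PostgreSQL grants to PUBLIC on a new database,
-- so that only explicitly authorised users can connect or create objects.
REVOKE ALL ON DATABASE hr_db FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- A group role carrying the application's read privileges. Because
-- hr_app_admin created it, hr_app_admin automatically holds ADMIN OPTION on
-- it and can grant it to users it creates.
CREATE ROLE hr_reader NOLOGIN;
GRANT CONNECT ON DATABASE hr_db TO hr_reader;
GRANT USAGE   ON SCHEMA   public TO hr_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO hr_reader;

CREATE TABLE public.employees (
    id         integer PRIMARY KEY,
    name       text    NOT NULL,
    department text    NOT NULL
);

-- An individual user ID of this application, receiving rights only via the
-- application's own group role.
CREATE ROLE alice LOGIN PASSWORD 'assumed-user-password';
GRANT hr_reader TO alice;

-----------------------------------------------------------------------------
-- Step 3: what the separation prevents (run as hr_app_admin).
-- The application administrator did not create dba_general and holds no
-- ADMIN OPTION on it, so both statements are rejected with
-- "permission denied" on PostgreSQL 16+.
-----------------------------------------------------------------------------
-- ALTER ROLE dba_general PASSWORD 'hijacked';
-- GRANT dba_general TO alice;

-- Conversely, the general administrator keeps backup, archiving and DBMS
-- operation, but does not need to hand out per-application user rights:
-- those are visible and auditable per database, e.g.
SELECT grantee, privilege_type, table_schema, table_name
FROM   information_schema.role_table_grants
WHERE  grantee IN ('hr_reader', 'alice');
```

The two SELECT statements serve as evidence for the review questions below: the first shows that the application administrator holds no system-wide rights beyond CREATEDB and CREATEROLE, the second shows that the rights of individual users are confined to the application's own database objects. On PostgreSQL versions before 16 the third step does not fail as described, which is exactly the case in which the database software does not support the separation and the general administrator must retain user-ID administration.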
Review questions:
- Are there different administrator roles for general database software administration and for the administration of the application-specific issues?
- Have the two database administrator roles for the general database software administration and for the administration of the application-specific issues been assigned to different persons according to the separation of roles?