2 Answers
1
Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:
- ALTER DATABASE
- ALTER SYSTEM
- CREATE ANY DIRECTORY
- DROP ANY DIRECTORY
- GRANT ANY PRIVILEGE
- GRANT ANY ROLE
As a security best practice, you need to grant the least possible privilege to the application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permissions needed by the application user.
Refer to https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.
answered 4 months ago
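Added example, not part of the answer above: one way to start the DBA_DEPENDENCIES analysis it recommends, listing every object outside the application schema that the schema's stored code references and which object grants already cover it. `APP_OWNER` is a hypothetical schema name, and the suggested privilege is only a starting point.

```sql
-- Added example. APP_OWNER is a hypothetical application schema name.
-- DBA_DEPENDENCIES records static dependencies of stored objects (views,
-- PL/SQL, triggers); dynamic SQL and statements issued by the application
-- tier do not appear here and must be reviewed separately.
WITH app AS (
  SELECT 'APP_OWNER' AS schema_name FROM dual
),
deps AS (
  SELECT DISTINCT d.referenced_owner,
                  d.referenced_name,
                  d.referenced_type
  FROM   dba_dependencies d
         JOIN app ON d.owner = app.schema_name
  WHERE  d.referenced_owner <> d.owner
  AND    d.referenced_type IN ('TABLE', 'VIEW', 'SEQUENCE', 'PACKAGE',
                               'PROCEDURE', 'FUNCTION', 'TYPE')
)
SELECT deps.referenced_owner,
       deps.referenced_name,
       deps.referenced_type,
       -- A dependency row does not say whether a table is read or modified,
       -- so SELECT is the floor; confirm any DML need in the code itself.
       CASE
         WHEN deps.referenced_type IN ('PACKAGE', 'PROCEDURE',
                                       'FUNCTION', 'TYPE')
         THEN 'EXECUTE'
         ELSE 'SELECT'
       END AS minimum_privilege,
       -- Object grants already held directly or through PUBLIC.
       -- NULL means no such grant exists: the access comes from a role or
       -- an ANY system privilege, which is what a least-privilege review
       -- should replace with an explicit object grant.
       (SELECT LISTAGG(p.grantee || ':' || p.privilege, ', ')
                 WITHIN GROUP (ORDER BY p.grantee, p.privilege)
        FROM   dba_tab_privs p, app
        WHERE  p.grantee IN (app.schema_name, 'PUBLIC')
        AND    p.owner      = deps.referenced_owner
        AND    p.table_name = deps.referenced_name) AS existing_object_grants
FROM   deps
ORDER  BY deps.referenced_owner, deps.referenced_type, deps.referenced_name;
```

Comparing the result with the schema's rows in DBA_SYS_PRIVS and DBA_ROLE_PRIVS shows which broad privileges or roles can be dropped once the explicit object grants are in place.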
1
The procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which cannot be granted by the above procedure.
answered 4 months ago
Excellent info! If I understand your answer correctly, this privilege "grant any role" cannot be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?