Amazon RDS for Oracle RDSADMIN question

Question

Hello Support,
We are running Standard Edition Oracle 21g within the Amazon RDS for Oracle (managed service) environment. Some questions have come up who need to know the following:

I know that both the SYS and SYSTEM users are restricted users and can't be logged into or changed. Is this the case with the RDSADMIN user?

Any supporting documentation would be helpful.

Thank you,

Rob C

Sachin_M · Answer

Hello Rob,

Yes, you are correct about the RDSADMIN user having similar restrictions to SYS and SYSTEM users in Amazon RDS for Oracle.

RDSADMIN User Access Restrictions:

The RDSADMIN user is also a restricted, AWS-managed user that you cannot log into directly. This is consistent with the managed service model of Amazon RDS for Oracle.

How RDSADMIN Works:
Instead of direct access, AWS provides the RDSADMIN.RDSADMIN_UTIL package that contains stored procedures and functions to perform administrative tasks that would normally require SYS or SYSTEM privileges. The master user can execute these procedures, but cannot log in as RDSADMIN directly.

Supporting Documentation:
* RDS for Oracle Users and Privileges: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Concepts.Privileges.html 
* RDS for Oracle Limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Concepts.limitations.html 
* Privileged Access Documentation: https://docs.aws.amazon.com/prescriptive-guidance/latest/replatform-oracle-database-options/administration.html

Riku_Kobayashi · Answer

Hello.

I think the explanation in the following document is relevant:  
The master user is granted the DBA role, but because the ALTER SYSTEM and ALTER DATABASE privileges have been REVOKEd from the DBA role, these SQL statements cannot be executed by the master user.  
Instead, packages and stored procedures of the RDSADMIN user will be executed.  
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Concepts.limitations.html  
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Concepts.Privileges.html  
> When you create an Amazon RDS for Oracle DB instance, the default master user has most of the maximum user permissions on the DB instance. Use the master user account for any administrative tasks, such as creating additional user accounts in your database. Because RDS is a managed service, you aren't allowed to log in as SYS and SYSTEM, and thus don't have SYSDBA privileges.

I don't think you can log in to RDSADMIN either, as it's an AWS managed user.

Amazon RDS for Oracle RDSADMIN question

回答を追加する

関連するコンテンツ