RDS Account Permissions

Hi I migrated an oracle 19c DB from on-premise to RDS using data pump exp/imp. I noticed one application schema failed to be granted a permission "grant any role". I used the RDS master account for the grants but still did not work. grant grant any role to "MYAPP"; Error report ORA-01031: insufficient Privileges

Is there an API or a way to grant this since it seems to be only permissable by "sys" account which is not available on RDS.

Thanks,

トピック

移行と近代化分析データベース AWS Well-Architected Framework

タグ

AWS Database Migration Service Amazon Relational Database Service (RDS)Oracle セキュリティ SQLオラクル用RDSカスタム

言語

English

sam15

質問済み 4ヶ月前565ビュー

2回答

新しい順
投票が多い順
コメントが多い順

承認された回答

Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:

ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE

As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.

Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.

Sudip

回答済み 4ヶ月前

エキスパート

Gary Mclean

レビュー済み 2ヶ月前

sam15
4ヶ月前
Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?

The Procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which can not be granted by the above procedure.

Sudip

回答済み 4ヶ月前

RDS Account Permissions

関連するコンテンツ