2개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
1
Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:
ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE
As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.
Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.
답변함 4달 전
1
The Procedure rdsadmin.rdsadmin_util.grant_sys_object
is to provide grants to a specific SYS object. But GRANT ANY ROLE
is a system privilege which can not be granted by the above procedure.
답변함 4달 전
관련 콘텐츠
- AWS 공식업데이트됨 일 년 전
- AWS 공식업데이트됨 3년 전
Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?