AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

RDS Account Permissions

0

Hi I migrated an oracle 19c DB from on-premise to RDS using data pump exp/imp. I noticed one application schema failed to be granted a permission "grant any role". I used the RDS master account for the grants but still did not work. grant grant any role to "MYAPP"; Error report ORA-01031: insufficient Privileges

Is there an API or a way to grant this since it seems to be only permissable by "sys" account which is not available on RDS.

Thanks,

주제
마이그레이션 및 현대화분석데이터베이스AWS Well-Architected 프레임워크
태그
AWS 데이터베이스 마이그레이션 서비스아마존 Relational Database Service오라클보안SQL Oracle용 RDS Custom
언어
English
sam15
질문됨 4달 전565회 조회
2개 답변
1
수락된 답변

Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:

ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE

As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.

Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.

AWS
Sudip
답변함 4달 전
profile picture
전문가
Gary Mclean
검토됨 2달 전
  • sam15
    4달 전

    Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?

1

The Procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which can not be granted by the above procedure.

AWS
Sudip
답변함 4달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠