- Newest
- Most votes
- Most comments
I believe not, an Oracle user account with the DBA role in Amazon RDS for Oracle will not have the exact same privileges as the default master account. While the DBA role grants administrative capabilities, RDS restricts certain privileges to maintain the managed service model.
Creating an Oracle user account in Amazon RDS Oracle and granting it the DBA role will provide it with significant administrative privileges. However, it will not have the same level of access and capabilities as the default master user account created when the RDS instance was initialized. The difference lies in the way that Amazon RDS manages permissions in a controlled environment. Certain tasks, such as managing RDS-specific features, performing backups at the instance level, or accessing system-defined RDS administrative tables, are exclusively available to the original master user.
For example, as seen in the AWS blog post on cloning permissions in RDS for SQL Server, AWS provides a method to duplicate master account permissions to a new login for RDS SQL Server environments. This approach primarily focuses on replicating server-level and database-level permissions through a stored procedure such as usp_rds_clone_login. However, even with permissions cloned successfully, system-level tasks tied to the managed aspects of RDS (like access to resources beyond the logical database) will still be restricted. This is relevant when comparing DBA user roles in Oracle, where certain sensitive operations will remain inaccessible to maintain the integrity of the managed database.
For detailed guidance on creating a user with similar permissions, you can explore the provided cloning methodology in the AWS blog post. This process may serve as a practical model, but functionally, it also highlights the constraints of the managed environment, especially in non-SQL Server RDS engines like Oracle.
No, you can create a user with the same permission as RDS master user. according to the documentation, this are the privileges and roles assigned to master user in RDS oracle.
Privileges:ADMINISTER DATABASE TRIGGER,ALTER DATABASE LINK,ALTER PUBLIC DATABASE LINK, AUDIT SYSTEM,CHANGE NOTIFICATION, DROP ANY DIRECTORY,EXEMPT ACCESS POLICY,EXEMPT IDENTITY POLICY,EXEMPT REDACTION POLICY,FLASHBACK ANY TABLE, GRANT ANY OBJECT PRIVILEGE,RESTRICTED SESSION,SELECT ANY TABLE,UNLIMITED TABLESPACE
Rol: DBA.
Note The DBA role is exempt from the following privileges: ALTER DATABASE,ALTER SYSTEM, CREATE ANY DIRECTORY,CREATE EXTERNAL JOB,CREATE PLUGGABLE DATABASE, GRANT ANY PRIVILEGE,GRANT ANY ROLE,READ ANY FILE GROUP
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.MasterAccounts.html
Based on you reply, all I need is to create an oracle user account "Sam" and then grant that account the "DBA" role plus the following permissions and it would be identical to the master account? I wonder if the GRANTS for these permissions below will succeed and not restricted somehow.
ADMINISTER DATABASE TRIGGER,ALTER DATABASE LINK,ALTER PUBLIC DATABASE LINK, AUDIT SYSTEM,CHANGE NOTIFICATION, DROP ANY DIRECTORY,EXEMPT ACCESS POLICY,EXEMPT IDENTITY POLICY,EXEMPT REDACTION POLICY,FLASHBACK ANY TABLE, GRANT ANY OBJECT PRIVILEGE,RESTRICTED SESSION,SELECT ANY TABLE,UNLIMITED TABLESPACE
Relevant content
- asked a year ago
- asked 3 years ago
- asked 2 years ago
- asked 3 years ago
so you are not sure about the answer. Cant this be verified by checking the system privileges granted to "master" and see if the same privileges can be granted to another user account?