2 Answers
1
Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:
- ALTER DATABASE
- ALTER SYSTEM
- CREATE ANY DIRECTORY
- DROP ANY DIRECTORY
- GRANT ANY PRIVILEGE
- GRANT ANY ROLE
As a security best practice, you need to grant the least possible privilege to the application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permissions needed by the application user.
Refer to https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.
answered 4 months ago
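The DBA_DEPENDENCIES analysis mentioned in the answer above can be sketched as the following query. It is an added example, not part of the original answer or AWS's own code; APP_OWNER is a placeholder for the application schema, and the mapping from object type to privilege is an assumption to review, not a final answer.

```sql
-- Added example. APP_OWNER is a placeholder schema name.
-- Lists every object outside the schema that its stored code and views
-- reference, whether a matching object grant already exists, and a
-- candidate statement to review before running.
WITH refs AS (
  SELECT DISTINCT
         d.referenced_owner,
         d.referenced_name,
         d.referenced_type,
         -- Assumption: DBA_DEPENDENCIES records that an object is used,
         -- not how. Tables show up as SELECT here; confirm any
         -- INSERT/UPDATE/DELETE need from the code itself.
         CASE
           WHEN d.referenced_type IN ('TABLE', 'VIEW', 'SEQUENCE') THEN 'SELECT'
           ELSE 'EXECUTE'
         END AS needed_priv
  FROM   dba_dependencies d
  WHERE  d.owner = 'APP_OWNER'
  AND    d.referenced_owner <> 'APP_OWNER'
  AND    d.referenced_link_name IS NULL          -- skip remote objects
  AND    d.referenced_type IN ('TABLE', 'VIEW', 'SEQUENCE',
                               'PACKAGE', 'PROCEDURE', 'FUNCTION', 'TYPE')
)
SELECT r.referenced_owner,
       r.referenced_name,
       r.referenced_type,
       r.needed_priv,
       CASE
         WHEN EXISTS (SELECT 1
                      FROM   dba_tab_privs p
                      WHERE  p.grantee    IN ('APP_OWNER', 'PUBLIC')
                      AND    p.owner      = r.referenced_owner
                      AND    p.table_name = r.referenced_name
                      AND    p.privilege  = r.needed_priv)
         THEN 'GRANTED'
         ELSE 'MISSING'   -- may still be held through a role or system privilege
       END AS status,
       CASE
         -- On RDS, SYS objects are granted through the rdsadmin procedure.
         WHEN r.referenced_owner = 'SYS' THEN
           'BEGIN rdsadmin.rdsadmin_util.grant_sys_object(p_obj_name => '''
           || r.referenced_name || ''', p_grantee => ''APP_OWNER'', p_privilege => '''
           || r.needed_priv || '''); END;'
         ELSE
           'GRANT ' || r.needed_priv || ' ON "' || r.referenced_owner || '"."'
           || r.referenced_name || '" TO APP_OWNER;'
       END AS candidate_grant
FROM   refs r
ORDER  BY status DESC, r.referenced_owner, r.referenced_name;
```

Objects reached only through dynamic SQL (EXECUTE IMMEDIATE, DBMS_SQL) do not appear in DBA_DEPENDENCIES, so the result is a lower bound on what the application touches. Definer's-rights stored PL/SQL also needs these as direct grants, since privileges held only through a role are not in effect there.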
1
The procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which cannot be granted by the above procedure.
answered 4 months ago
Excellent info! If I understand your answer correctly, this privilege "grant any role" cannot be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?