使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

RDS Account Permissions

0

Hi I migrated an oracle 19c DB from on-premise to RDS using data pump exp/imp. I noticed one application schema failed to be granted a permission "grant any role". I used the RDS master account for the grants but still did not work. grant grant any role to "MYAPP"; Error report ORA-01031: insufficient Privileges

Is there an API or a way to grant this since it seems to be only permissable by "sys" account which is not available on RDS.

Thanks,

主题
迁移与现代化分析数据库AWS 架构完善的框架
标签
AWS 数据库迁移服务Amazon Relational Database Service甲骨文安全适用于 SQL Oracle 的 RDS Custom 架构
语言
English
sam15
已提问 4 个月前565 查看次数
2 回答
1
已接受的回答

Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:

ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE

As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.

Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.

AWS
Sudip
已回答 4 个月前
profile picture
专家
Gary Mclean
已审核 2 个月前
  • sam15
    4 个月前

    Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?

1

The Procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which can not be granted by the above procedure.

AWS
Sudip
已回答 4 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容