2 個答案
- 最新
- 最多得票
- 最多評論
1
Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:
ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE
As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.
Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.
已回答 4 個月前
1
The Procedure rdsadmin.rdsadmin_util.grant_sys_object
is to provide grants to a specific SYS object. But GRANT ANY ROLE
is a system privilege which can not be granted by the above procedure.
已回答 4 個月前
相關內容
- 已提問 10 個月前
- AWS 官方已更新 1 年前
- AWS 官方已更新 3 年前
- AWS 官方已更新 2 年前
Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?