使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

RDS Account Permissions

0

Hi I migrated an oracle 19c DB from on-premise to RDS using data pump exp/imp. I noticed one application schema failed to be granted a permission "grant any role". I used the RDS master account for the grants but still did not work. grant grant any role to "MYAPP"; Error report ORA-01031: insufficient Privileges

Is there an API or a way to grant this since it seems to be only permissable by "sys" account which is not available on RDS.

Thanks,

主題
遷移與現代化分析資料庫AWS Well-Architected Framework
標籤
AWS Database Migration ServiceAmazon Relational Database ServiceOracle安全性為 SQL Oracle 自訂的 RDS
語言
English
sam15
已提問 4 個月前檢視次數 565 次
2 個答案
1
已接受的答案

Because Amazon RDS is a managed service, the following privileges for the DBA role are not provided:

ALTER DATABASE
ALTER SYSTEM
CREATE ANY DIRECTORY
DROP ANY DIRECTORY
GRANT ANY PRIVILEGE
GRANT ANY ROLE

As security best practice, you need to grant least possible privilege to application DB user. Analyze the application and DB code (DBA_DEPENDENCIES) to derive the permission needed by the application user.

Refer https://repost.aws/knowledge-center/rds-oracle-user-privileges-roles for more info.

AWS
Sudip
已回答 4 個月前
profile picture
專家
Gary Mclean
已審閱 2 個月前
  • sam15
    4 個月前

    Excellent Info! If I understand your answer correctly, this privilege "grant any role" can not be granted to another user using the master account and the API "rdsadmin.rdsadmin_util.grant_sys_object" because the master account does not have that permission. Is this correct?

1

The Procedure rdsadmin.rdsadmin_util.grant_sys_object is to provide grants to a specific SYS object. But GRANT ANY ROLE is a system privilege which can not be granted by the above procedure.

AWS
Sudip
已回答 4 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容