Amazon Web Services Relational Database Service (AWS RDS)

AWS RDS is a managed service provided by Amazon, and there are restrictions on what an administrative account can do on a Microsoft SQL Server instance hosted on AWS RDS. As a result of these restrictions, the SailPoint Microsoft SQL Server Connector supports Microsoft SQL Server on AWS RDS with the following limitations:

  • Application configuration attributes are the same as for a standard (non-RDS) Microsoft SQL Server instance.

    Note
    The endpoint URL of the AWS RDS instance must be obtained from the AWS Management Console, and the instance must be reachable from the IdentityIQ server. The AWS security groups must be updated to allow this access.

  • Operations that are prohibited for the master user of the AWS RDS Microsoft SQL Server instance are also not allowed for the service account used by the SailPoint Microsoft SQL Server Connector.

  • The model system database cannot be managed by the SailPoint Microsoft SQL Server Connector and must be added to the excluded databases list in the application configuration. It is recommended to exclude the other system databases (master, tempdb and msdb) as well, because not all operations (specifically, provisioning) are supported for these databases.

  • The service account has restricted permissions on the following server roles:

    • bulkadmin

    • dbcreator

    • diskadmin

    • securityadmin

    • serveradmin

    • sysadmin

    Note
    It is recommended that these server roles be made non-requestable in SailPoint.

    Apart from the server roles listed above, provisioning any custom server role with the service user requires the following permission to be granted to the service user:

    grant alter any server role to [user]

  • If the SailPoint Microsoft SQL Server Connector is used as a read-only connector, AWS RDS does not allow the following permission (one of the permissions listed under Aggregation) to be assigned:

    grant connect any database to [user]

    As a workaround, a database account must be associated with the service account in each database that needs to be managed.

    Note
    Support for Windows authentication has not yet been validated for AWS RDS.
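
The following T-SQL script is an added example (not SailPoint documentation or connector code) illustrating the "grant alter any server role" requirement for custom server roles described above: it creates a custom server role, grants the permission to the connector's login, verifies the grant, and performs the membership change the connector would issue. The login names [svc_identityiq] and [some_login] and the role name [app_operators] are assumed placeholders; run it in master as the RDS master user.

```sql
-- Added example (not SailPoint's code). Placeholder names:
--   [svc_identityiq] : login used by the SailPoint connector
--   [app_operators]  : a custom (user-defined) server role to be provisioned
--   [some_login]     : an existing SQL login that will receive the role
USE master;
GO

-- 1. Create the custom server role (skipped if it already exists).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'app_operators' AND type = 'R')
    CREATE SERVER ROLE [app_operators];
GO

-- 2. Grant the connector login the permission the page requires.
--    ALTER ANY SERVER ROLE is server-wide: it lets the grantee change the
--    membership of every user-defined server role, not just this one. The
--    fixed roles (sysadmin, securityadmin, ...) stay restricted on RDS, but
--    treat this grant as privileged and keep it under review.
GRANT ALTER ANY SERVER ROLE TO [svc_identityiq];
GO

-- 3. Verify the grant is in place (exactly one row is expected).
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'svc_identityiq'
  AND pe.permission_name = N'ALTER ANY SERVER ROLE';
GO

-- 4. The statement the connector issues (as svc_identityiq) when it
--    provisions the custom role; run here as the master user to show the
--    effect. [some_login] must already exist.
ALTER SERVER ROLE [app_operators] ADD MEMBER [some_login];
GO

-- 5. Confirm the membership was applied.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'app_operators';
GO
```

Step 3 is the check to repeat after any change to the service account: if the row is missing, custom server role provisioning fails even though the connector's other operations still work.

The next script is an added example (again not SailPoint's code) for the read-only workaround above: because "grant connect any database" cannot be assigned on AWS RDS, it creates a database user mapped to the connector's login in every accessible user database and then reports the mapping state per database. [svc_identityiq] is a placeholder for the connector's login; run it in master as the RDS master user. The database-level aggregation permissions the connector needs are granted separately and are not shown.

```sql
-- Added example (not SailPoint's code or documentation). [svc_identityiq]
-- is a placeholder for the connector's SQL login. Run in master as the RDS
-- master user.
USE master;
GO

DECLARE @login sysname = N'svc_identityiq';
DECLARE @db    sysname;
DECLARE @sql   nvarchar(max);

-- One row per database visited, recording whether the login ends up mapped.
CREATE TABLE #map (database_name sysname NOT NULL, user_mapped bit NOT NULL);

-- User databases only: database_id > 4 skips master, tempdb, model and msdb
-- (the databases the page says to exclude); HAS_DBACCESS() skips databases
-- this session cannot enter; offline databases are left alone.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4
      AND state_desc = N'ONLINE'
      AND HAS_DBACCESS(name) = 1;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside dynamic SQL scopes the rest of that batch to @db. The user
    -- is matched to the login by SID, which is how SQL Server ties a
    -- database user to a server login. CREATE USER ... FOR LOGIN grants
    -- CONNECT on that one database, which is what replaces the blocked
    -- server-level CONNECT ANY DATABASE.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE sid = SUSER_SID(@login))
    CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N';
INSERT INTO #map (database_name, user_mapped)
SELECT @db, CASE WHEN EXISTS (SELECT 1 FROM sys.database_principals
                              WHERE sid = SUSER_SID(@login)) THEN 1 ELSE 0 END;';
    EXEC sys.sp_executesql @sql,
         N'@login sysname, @db sysname', @login = @login, @db = @db;

    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Review the result: every row should show user_mapped = 1. A database that
-- should be managed but is absent from this list was skipped because the
-- session cannot access it, and needs to be handled separately.
SELECT database_name, user_mapped FROM #map ORDER BY database_name;
DROP TABLE #map;
GO
```

Re-run the script whenever a database is added to the instance: a new database has no user for the connector's login, so it would be invisible to aggregation until the mapping is created.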