Amazon Web Services Relational Database Service (AWS RDS)

AWS RDS is a managed service provided by Amazon, and it restricts what even an administrative (master) account can do on a Microsoft SQL Server instance hosted there. Because of these restrictions, the SailPoint Microsoft SQL Server Connector supports Microsoft SQL Server on AWS RDS with the following limitations:

  • The endpoint URL of the AWS RDS instance must be obtained from the AWS Management Console, and it must be reachable from the Microsoft SQL Server source. The AWS security groups must be updated to allow that connection.

    Note
    The source configuration attributes are the same.

  • Any operation that AWS RDS prohibits for the master user of the Microsoft SQL Server instance is also not allowed for the service account used by the SailPoint Microsoft SQL Server Connector.

  • The model system database cannot be managed by the SailPoint Microsoft SQL Server Connector and must be added to the excluded databases list in the source configuration. It is also recommended to exclude the other system databases (master, tempdb and msdb), since not all operations (for example, provisioning) are supported for them.

  • AWS RDS restricts the service account's permissions on the following fixed server roles, so their membership cannot be provisioned:

    • bulkadmin

    • dbcreator

    • diskadmin

    • securityadmin

    • serveradmin

    • sysadmin

    Note
    It is recommended that these server roles be made non-requestable in SailPoint.

    Apart from the server roles listed above, to provision membership of any custom (user-defined) server role with the service account, the following permission must be granted to the service account:

    grant alter any server role to [account]
  • If the SailPoint Microsoft SQL Server Connector is to be used as a read-only connector, AWS RDS does not allow the following permission (one of the permissions listed under Aggregation) to be assigned:

    grant connect any database to [account]

    As a workaround, a database user mapped to the service account login must be created in each database that needs to be managed.

    Note
    Support for Windows authentication is yet to be validated for AWS RDS.

  • A few users, such as the master and rdsa users, can be aggregated, but provisioning operations cannot be performed on them by the Microsoft SQL Server source.
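The following T-SQL is an added example, not part of the SailPoint documentation or the connector's own code. It sets up a connector service account on an AWS RDS SQL Server instance along the lines described above: it grants the permission needed for custom server roles, applies the per-database user workaround for the unavailable CONNECT ANY DATABASE permission, and then verifies the result. The login name [sailpoint_svc], the password placeholder and the database names [HRDB] and [PayrollDB] are hypothetical; run it as the RDS master user.

```sql
-- Added example (not from the SailPoint documentation). Assumes the
-- hypothetical login [sailpoint_svc] and managed databases [HRDB] and
-- [PayrollDB]; executed as the AWS RDS master user.

-- 1. Create the service account login. SQL authentication is used because
--    Windows authentication is not yet validated for AWS RDS.
CREATE LOGIN [sailpoint_svc] WITH PASSWORD = 'replace-with-a-strong-secret';
GO

-- 2. Allow the service account to manage membership of custom server roles.
--    Membership of bulkadmin, dbcreator, diskadmin, securityadmin,
--    serveradmin and sysadmin still cannot be provisioned on RDS.
GRANT ALTER ANY SERVER ROLE TO [sailpoint_svc];
GO

-- 3. Workaround for CONNECT ANY DATABASE being unavailable on RDS: map the
--    login to a database user in every database the connector manages.
--    The system databases (master, model, msdb, tempdb) are excluded on the
--    SailPoint side, so no user is created in them.
USE [HRDB];
CREATE USER [sailpoint_svc] FOR LOGIN [sailpoint_svc];
GO
USE [PayrollDB];
CREATE USER [sailpoint_svc] FOR LOGIN [sailpoint_svc];
GO

-- 4a. Check: server-level permissions actually held by the login.
--     Expected to include ALTER ANY SERVER ROLE with state GRANT.
USE [master];
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'sailpoint_svc';
GO

-- 4b. Check: which user databases have a user mapped (by SID) to the login.
--     A row reporting MISSING is a database the connector cannot open.
--     rdsadmin is the AWS-managed database on RDS instances and is skipped.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
  SELECT name FROM sys.databases
  WHERE name NOT IN (N'master', N'model', N'msdb', N'tempdb', N'rdsadmin')
    AND state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
  SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name, '
    + N'CASE WHEN EXISTS (SELECT 1 FROM ' + QUOTENAME(@db)
    + N'.sys.database_principals AS dp '
    + N'JOIN sys.server_principals AS sp ON sp.sid = dp.sid '
    + N'WHERE sp.name = N''sailpoint_svc'') '
    + N'THEN N''mapped'' ELSE N''MISSING'' END AS status;';
  EXEC sys.sp_executesql @sql;
  FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
GO
```

Run the two check sections again after adding a database to the connector's scope: the SID-based comparison in 4b catches a user that was created with the right name but is orphaned from the login, which would otherwise fail aggregation with a login error rather than a permission error.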