Amazon Web Services Relational Database Service (AWS RDS)

AWS RDS Oracle is a managed service provided by Amazon that restricts what an administrative account (the RDS master user) can do on the Oracle Database instance. Because of these restrictions, the SailPoint Oracle connector supports Oracle on AWS RDS with the following limitations:

  • Application configuration attributes are the same as for a non-RDS Oracle Database application.

  • By default, the Oracle Database connector aggregates all roles, system privileges, and profiles as entitlements, where profiles are not requestable. Among the aggregated roles and system privileges, the master user does not hold all the permissions needed to provision them on an AWS RDS instance.

  • When creating the service account, the following permissions (from the list in Required Permissions) cannot be assigned to the service account by the master user:

    • GRANT GRANT ANY ROLE TO ${UserName};

    • GRANT GRANT ANY PRIVILEGE TO ${UserName};

    • GRANT SELECT ON dba_col_privs TO ${UserName};

    • GRANT SELECT ON V_$version TO ${UserName};

    • GRANT SELECT ON V_$PWFILE_USERS TO ${UserName};

  • To enable the service account to grant a role (which RDS does allow) to a user, the master user must give the service account the following permission:

    GRANT <RoleName> TO ${UserName} WITH ADMIN OPTION

    To assign the service user its permissions, use the SQL script at https://community.sailpoint.com/docs/DOC-11323

    This script grants the service user every permission that the master user holds WITH ADMIN OPTION (ADMIN_OPTION = YES).

  • If you use custom roles created by the master user or by any other user equivalent to the master, the owner of the role must assign it to the service user WITH ADMIN OPTION.

  • For table and system privileges, the revoke option is available only to the user who granted them.
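The following SQL*Plus session, added here as an example and not the SailPoint DOC-11323 script, is run as the RDS master user to check which roles and system privileges the master user actually holds WITH ADMIN OPTION (and can therefore delegate) and to generate only the grants that will succeed for the service account. The substitution variable &&svc_user stands for the service account name, and the final check assumes the master user can read DBA_ROLE_PRIVS.

```sql
-- Example only (not SailPoint's script). Run as the RDS master user.
-- &&svc_user is a placeholder for the connector service account name.

-- 1. Roles the master user holds. ADMIN_OPTION = 'NO' means the master
--    user cannot pass that role on to the service account.
SELECT granted_role, admin_option
  FROM user_role_privs
 ORDER BY granted_role;

-- 2. System privileges the master user holds. On RDS, privileges such as
--    GRANT ANY ROLE and GRANT ANY PRIVILEGE are normally absent here,
--    which is why they cannot be assigned to the service account.
SELECT privilege, admin_option
  FROM user_sys_privs
 ORDER BY privilege;

-- 3. Generate GRANT statements only for what is actually delegable, so a
--    failing grant never silently leaves the service account short.
SELECT 'GRANT ' || granted_role
       || ' TO &&svc_user WITH ADMIN OPTION;' AS stmt
  FROM user_role_privs
 WHERE admin_option = 'YES'
UNION ALL
SELECT 'GRANT ' || privilege
       || ' TO &&svc_user WITH ADMIN OPTION;'
  FROM user_sys_privs
 WHERE admin_option = 'YES';

-- 4. After running the generated statements, confirm the service account
--    can delegate each role. Any row still showing 'NO' will fail later
--    when the connector tries to provision that role to a user.
SELECT granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = UPPER('&&svc_user')
 ORDER BY granted_role;
```

Run the output of step 3 as the master user, then repeat step 4 after any new custom role is created so the role owner's WITH ADMIN OPTION grant to the service user is not forgotten.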