Re: Question on group privilege

From: Pap <oracle.developer35_at_gmail.com>
Date: Mon, 15 Nov 2021 23:14:00 +0530
Message-ID: <CAEjw_fiWbtZd4ELL0i8QBi4oYEAKwGewczG0p6J86M-48me4YA_at_mail.gmail.com>

Thank you. This seems to be a lot of privileges. Are all of these are minimum required to be able to run sql tuning advisor/create profile/baselines? I just want to ensure to not provide any additional privileges which are not needed. And just to go with minimum required ones. Is " ADMINISTER SQL MANAGEMENT OBJECT" just a wrapper of those create/alter/drop profile privilege? or does it have some other elevated privilege too?

On Mon, Nov 15, 2021 at 12:09 AM Lok P <loknath.73_at_gmail.com> wrote:

> I think you will need below privilege for the performance group to be able
> to run tuning advisor and create profile/baseline etc.
>
> ADVISOR :- For tuning advisor
> ADMINISTER SQL TUNING SET :- For able to create and modify sql tuning set
> created by self
> ADMINISTER ANY SQL TUNING SET :- For able to modify sql tuning set of any
> user
>
> CREATE ANY SQL PROFILE :- For creating Sql profile
> ALTER ANY SQL PROFILE :- For enabling/disabling Sql profile
> DROP ANY SQL PROFILE :- For dropping Sql profile
>
> ADMINISTER SQL MANAGEMENT OBJECT :- Above three profile specific roles are
> now deprecated and replaced with this new role.
>
> In addition to above you may need - EXECUTE ON DBMS_SQLTUNE.
>
> On Sun, Nov 14, 2021 at 12:10 AM Pap <oracle.developer35_at_gmail.com> wrote:
>
>> Hi, We have a team which is going to mainly look into database
>> performance issues and will not do any administrative work(say e.g. script
>> deployment,backup recovery, upgrade, migration, replication etc). And we
>> want to make sure to have required privileges to the performance group but
>> no elevated privilege should be given.
>>
>> What I can think of is, mainly to investigate the historical and current
>> performance issues in the production database, we should have a "select
>> catalogue role" so that all the dba_* views can be read/queried along with
>> application tables. And also they should be able to run the sql tuning
>> advisor , create profile/baselines/patch etc. I think 11.2 was creating a
>> profile role specifically. But 19C has something to replace that and a
>> superior one called 'ADMINISTER SQL MANAGEMENT OBJECT'. So I want to
>> understand, is this ADMINISTER SQL MANAGEMENT OBJECT privilege is safe
>> without any elevated privilege underlying within? And/Or if any additional
>> privilege is required for this group?
>>
>

--
http://www.freelists.org/webpage/oracle-l

Received on Mon Nov 15 2021 - 18:44:00 CET

This message: [ Message body ]
Next message: Lok P: "Re: Things to consider during upgrade/migration"
Previous message: Mark W. Farnham: "RE: Things to consider during upgrade/migration"
In reply to: Lok P: "Re: Question on group privilege"
In reply to Lok P: "Re: Question on group privilege"
Next in thread: Pap: "Re: Question on group privilege"
Reply: Pap: "Re: Question on group privilege"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message