Still wanting an answer... MANAGE ANY DBSPACE is not acceptable from a security point of view, when it comes to a user id and password that is used only for backups... it's too powerful.


Apparently the 16.0.0.1512 BACKUP DATABASE system privilege is not sufficient to run dbbackup with the -x option; it produces the error message "unable to delete transaction log".

What is the minimum required?

Granting the MANAGE ANY DBSPACE system privilege does allow dbbackup -x to run, but that seems... rather ... excessive.

Might as well GRANT NSA privileges, er, GRANT DBA :)

asked 12 Jul '13, 02:40

Breck Carter

edited 01 Jan '14, 11:38

FWIW, here's the link to this question's prequel:

How do I diagnose dbbackup -x "unable to delete transaction log"?

(02 Jan '14, 03:17) Volker Barth

The privilege we check during the delete transaction log operation is indeed MANAGE ANY DBSPACE. Whether it should be or not is debatable (it should probably be BACKUP DATABASE), but that's the one we currently check.

answered 02 Jan '14, 11:55

Graeme Perrow

edited 02 Jan '14, 12:15

Mark Culp
I can guess how it happened: at the micro (engineer) level it "makes sense" since deleting a log is indeed "managing a dbspace". At the macro (user) level, not so much :)

IMO if the log is being deleted as part of a backup operation, then the privilege checked should indeed be BACKUP DATABASE (or nothing, since presumably BACKUP DATABASE is known to be in effect since it IS, after all, a backup :)

If there is some other context in which the log is deleted, then perhaps some other privilege is required.

If this is the only goofiness in the massive privilege overhaul, then good on ya... a better record than healthcare.gov :)

(02 Jan '14, 14:45) Breck Carter

Just to add:

In case you are re-thinking the granularity of the privileges, one further issue with MANAGE ANY DBSPACE may be the following:

Currently ALTER DBSPACE ADD [SYSTEM | TRANSLOG] 100 MB etc. requires that privilege, too. In my experience this is often much more of a simple "prevent database file fragmentation" maintenance task than a database design decision - in contrast to the creation, dropping or renaming of additional dbspaces.

Therefore I would think it could be changed to require less or different privileges, say SERVER OPERATOR.

(Of course one could create a particular STP to allow non-privileged users to pre-grow the database/translog...)

(31 Jan '14, 19:18) Volker Barth
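
The stored-procedure wrapper mentioned in the last comment, sketched as an added example (not code from any poster in this thread or from the product documentation). The names `dbspace_maint`, `sp_pregrow_translog`, `backup_operator` and the 500 MB cap are hypothetical. It assumes that a SQL SECURITY DEFINER procedure runs with its owner's system privileges and that ALTER DBSPACE is permitted inside a procedure; confirm both on a test database.

```sql
-- Run as an administrator who may create users, grant system privileges
-- and create procedures owned by other users.

-- Owner of the wrapper. Created without a password, so nobody can connect
-- as this user; it exists only to hold the broad privilege.
CREATE USER dbspace_maint;
GRANT MANAGE ANY DBSPACE TO dbspace_maint;

-- Definer-rights wrapper: the caller can do exactly one thing with the
-- owner's MANAGE ANY DBSPACE privilege, namely pre-grow the transaction
-- log by a bounded amount. No dbspace can be created, dropped or renamed.
CREATE PROCEDURE dbspace_maint.sp_pregrow_translog( IN mb_to_add INTEGER )
SQL SECURITY DEFINER
BEGIN
    -- Reject NULL, non-positive and oversized requests (cap is hypothetical).
    IF mb_to_add IS NULL OR mb_to_add < 1 OR mb_to_add > 500 THEN
        RAISERROR 20001 'mb_to_add must be between 1 and 500';
        RETURN;
    END IF;

    -- The parameter is an INTEGER, so the concatenated statement cannot
    -- carry caller-supplied SQL text.
    EXECUTE IMMEDIATE
        'ALTER DBSPACE TRANSLOG ADD '
        || CAST( mb_to_add AS VARCHAR(10) )
        || ' MB';
END;

-- The low-privilege account (assumed to exist already) gets EXECUTE on
-- the wrapper only, never MANAGE ANY DBSPACE itself.
GRANT EXECUTE ON dbspace_maint.sp_pregrow_translog TO backup_operator;

-- Usage, connected as backup_operator:
-- CALL dbspace_maint.sp_pregrow_translog( 100 );
```

This covers only the pre-grow maintenance task from the comment above; it does not change the privilege that `dbbackup -x` itself is checked against.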