Still wanting an answer... MANAGE ANY DBSPACE is not acceptable from a security point of view, when it comes to a user id and password that is used only for backups... it's too powerfuld.

Apparently the BACKUP DATABASE system privilege is not sufficient to run dbbackup with the -x option; it produces the error message "unable to delete transaction log".

What is the minimum required?

Granting the MANAGE ANY DBSPACE system privilege does allow dbbackup -x to run, but that seems... rather ... excessive.

Might as well GRANT NSA privileges, er, GRANT DBA :)

alt text

asked 12 Jul '13, 02:40

Breck%20Carter's gravatar image

Breck Carter
accept rate: 21%

edited 01 Jan '14, 11:38

FWIW, here's the link to this question's prequel:

How do I diagnose dbbackup -x "unable to delete transaction log"?

(02 Jan '14, 03:17) Volker Barth

The privilege we check during the delete transaction log operation is indeed MANAGE ANY DBSPACE. Whether it should be or not is debatable (it should probably be BACKUP DATABASE), but that's the one we currently check.

permanent link

answered 02 Jan '14, 11:55

Graeme%20Perrow's gravatar image

Graeme Perrow
accept rate: 51%

edited 02 Jan '14, 12:15

Mark%20Culp's gravatar image

Mark Culp


I can guess how it happened: at the micro (engineer) level it "makes sense" since deleting a log is indeed "managing a dbspace". At the macro (user) level, not so much :)

IMO if the log is being deleted as part of a backup operation, then the privilege checked should indeed be BACKUP DATABASE (or nothing, since presumably BACKUP DATABASE is known to be in effect since it IS, after all, a backup :)

If there is some other context in which the log is deleted, then perhaps some other privilege is required.

If this is the only goofiness in the massive privilege overhall, then good on ya... a better record than :)

(02 Jan '14, 14:45) Breck Carter
Replies hidden

Just to add:

In case you are re-thinking the granularity of the privileges, one further issue with MANAGE ANY DBSPACE may be the following:

Currently ALTER DBSPACE ADD [SYSTEM | TRANSLOG] 100 MB etc. requires that privilege, too. In my experience this is often much more of a simple "prevent database file fragmentation" maintenance task than a database design decision - in contrast to the creation, dropping or renaming of additional dbspaces.

Therefore I would think it could be changed to require less or different privileges, say SERVER OPERATOR.

(Of course one could create a particular STP to allow non-privileged users to pre-grow the database/translog...)

(31 Jan '14, 19:18) Volker Barth
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 12 Jul '13, 02:40

question was seen: 1,272 times

last updated: 31 Jan '14, 19:18