On 11/4/23 16:53, Peter J. Holzer wrote:
On 2023-11-04 21:42:34 +0000, Brent Wood wrote:
We have 2 sets of database user groups –
1. App – who owns the application schemas (and tables)
2. Support – who provides db support
We want Support users to have no SELECT or DML privilege but only ALTER TABLE
to perform any troubleshooting in the database.
This seems strange to me. What kind of troubleshooting requires the
ability to ALTER TABLE but not to do DML?
Where your db admin & data admin are separated. Data security issues can
require minimal access to data, which a dba does not necessarily require.
Especially when the DBA role is contracted out.
Sort of along this line, we have offloaded user management to AD, so our DB
user management is now carried out via in-house IT, who are not DBAs and have
no access to data.
This doesn't answer the question why ALTER TABLE privilege would be
required.
I bet the Good Idea Fairy whispered something into the CISO's ear.
--
Born in Arizona, moved to Babylonia.