AWS AmazonRDS documentation change
Summary
Updated permissions documentation with new supported roles (db_owner, db_datareader, db_datawriter, db_accessadmin, dbcreator, securityadmin), clarified limitations, and added GRANT syntax changes
Security assessment
Changes focus on documenting security-related database roles and access control mechanisms, but there's no evidence of addressing a specific vulnerability. The updates clarify permission management capabilities and limitations.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md b/AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md index 35e4b5444..2d96a5666 100644 --- a//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md +++ b//AmazonRDS/latest/AuroraUserGuide/babelfish-permissions.md @@ -18 +18 @@ Allow login to do SELECTs/DMLs/DDLs in any database | Add login to sysadmin se -Allow login to do SELECTs/DMLs/DDLs in a database | Make login the owner of the database | ALTER AUTHORIZATION ON DATABASE::`database` TO `login` | A database can have only one owner +Allow login to do SELECTs/DMLs/DDLs in a database | Make login the owner of the database | ALTER AUTHORIZATION ON DATABASE::`database` TO `login` | A database can have only one owner. @@ -20,2 +20,8 @@ Allow database user to do SELECTs/DMLs on a schema | Grant permission to datab -Allow database user to do SELECTs/DMLs on a schema | Make database user owner of schema at schema creation time | CREATE SCHEMA `schema` AUTHORIZATION `user` | Changing schema ownership after creation isn't currently supported -Allow database user to do SELECTs/DMLs on an object | Grant permission to database user on object | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON SCHEMA::`object` TO `user` | None +Allow database user to do SELECTs/DMLs on a schema | Make database user owner of schema at schema creation time | CREATE SCHEMA `schema` AUTHORIZATION `user` | Changing schema ownership after creation isn't currently supported. +Allow database user to do SELECTs/DMLs on an object | Grant permission to database user on object | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT::`object` TO `user` | None +Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add user to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Only users can be added db_owner fixed database role. Adding roles to db_owner role is not yet supported. +Allow user or members of a custom database role to do only SELECTs in a database | Add user or role to db_datareader fixed database role | ALTER ROLE db_datareader ADD MEMBER `user` / `role` | None +Allow user or members of a custom database role to do only DMLs in a database | Add user or role to db_datawriter fixed database role | ALTER ROLE db_datawriter ADD MEMBER `user` / `role` | None +Allow user or members of a custom database role to do only DDLs in a database | Add user or role to db_accessadmin fixed database role | ALTER ROLE db_accessadmin ADD MEMBER `user` / `role` | None +Allow login to only CREATE/DROP/ALTER any database | Add login to dbcreator fixed server role | ALTER SERVER ROLE dbcreator ADD MEMBER `login` | Only those databases can be alterred on which dbcreator login has access. +Allow login to only CREATE/ALTER/DROP any login | Add login to securityadmin fixed server role | ALTER SERVER ROLE securityadmin ADD MEMBER `login` | None @@ -29,3 +35,2 @@ Use case | Action | SQL commands | Comments -Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Make login owner of database | ALTER AUTHORIZATION ON DATABASE `database` TO `login` | Adding database users/roles to db_owner role isn't currently supported -Allow database user to do only SELECTs in a database | Grant SELECT to database user on all schemas in database | GRANT SELECT ON SCHEMA::`schema` TO `user` | Database role `db_datareader` isn't currently supported -Allow database user to do DML on all objects in a database | Grant INSERT, UPDATE, DELETE to database user on all schemas in database | GRANT INSERT, UPDATE, DELETE ON SCHEMA::`schema` TO `user` | Database role `db_datawriter` isn't currently supported +Allow user to do SELECTs/DMLs on an object/schema along with option to GRANT these permissions to other users | GRANT the permissions to all the other users directly | GRANT SELECT/EXECUTE/INSERT/UPDATE/DELETE ON OBJECT/SCHEMA::`object`/`schema` TO `user` | GRANT ... WITH GRANT OPTION isn't currently supported. +Allow database user to do SELECTs/DMLs/DDLs in a database including dropping database | Add members of role to db_owner fixed database role | ALTER ROLE db_owner ADD MEMBER `user` | Adding roles to db_owner role isn't currently supported. @@ -39,7 +44,4 @@ Use case | Comments -Allow database user to do only DDLs in a database | Database role `db_ddladmin` isn't currently supported -Allow database user to only CREATE/ALTER/DROP any database role | Database role `db_securityadmin` isn't currently supported -Allow database user to only GRANT/REVOKE permissions on objects in a database | Database role `db_securityadmin` isn't currently supported -Allow database user to only CREATE/ALTER/DROP any user | Database role `db_accessadmin` isn't currently supported -Allow database user to only grant and revoke database access and alias user accounts to logins | Database role `db_accessadmin` isn't currently supported -Allow login to only CREATE/DROP any database | Server role `dbcreator` isn't currently supported -Allow login to only ALTER any login | Server role `securityadmin` isn't currently supported +Deny user or members of a custom database role to do SELECTs in a database | db_denydatareader fixed database role is not yet supported +Deny user or members of a custom database role to do DMLs in a database | db_denydatawriter fixed database role isn't currently supported. +Allow login to only KILL any database connection | processadmin fixed server role isn't currently supported. +Allow login to only add or remove linked servers | setupadmin fixed server role isn't currently supported.