On 2023-11-04 21:42:34 +0000, Brent Wood wrote:
> >> We have 2 sets of database user groups –
> >>
> >> 1. App – who owns the application schemas (and tables)
> >> 2. Support – who provides db support
> >>
> >> We want Support users to have no SELECT or DML privilege but only ALTER
> TABLE
> >> to perform any troubleshooting in the database.
>
> >This seems strange to me. What kind of troubleshooting requires to
> >ability to ALTER TABLE but not to do DML?
>
> Where your db admin & data admin are separated. Data security issues can
> require minimal access to data, which a dba does not necessarily require.
> Especially when the DBA role is contracted out.
>
> Sort of along this line, we have offloaded user management to AD, so our DB
> user management is now carried out via in-house IT, who are not DBA's and have
> no access to data.
This doesn't answer the question why ALTER TABLE privilege would be
required.
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | hjp@hjp.at | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"