On 11/4/23 16:53, Peter J. Holzer wrote:
> On 2023-11-04 21:42:34 +0000, Brent Wood wrote:
>>>> We have 2 sets of database user groups –
>>>>
>>>> 1. App – who owns the application schemas (and tables)
>>>> 2. Support – who provides db support
>>>>
>>>> We want Support users to have no SELECT or DML privilege but only ALTER
>> TABLE
>>>> to perform any troubleshooting in the database.
>>> This seems strange to me. What kind of troubleshooting requires to
>>> ability to ALTER TABLE but not to do DML?
>> Where your db admin & data admin are separated. Data security issues can
>> require minimal access to data, which a dba does not necessarily require.
>> Especially when the DBA role is contracted out.
>>
>> Sort of along this line, we have offloaded user management to AD, so our DB
>> user management is now carried out via in-house IT, who are not DBA's and have
>> no access to data.
> This doesn't answer the question why ALTER TABLE privilege would be
> required.
I bet the Good Idea Fairy whispered something into the CISO's ear.
--
Born in Arizona, moved to Babylonia.