IBM Data & AI


Provide more granular database-level privileges than just CONNECT, RESOURCE and DBA

We have a requirement to support a code deployment role where a user, whose job role is not a DBA, can release code into a given database.

The types of things they would be doing are:
* Creating and dropping procedures, synonyms, triggers, indices and constraints.
* Creating, dropping and altering tables.
* Updating data either directly or by calling stored procedures.

The requirement is that these users would create all these objects in the schema of the application owner and not their own schema.

Currently granting the DBA privilege in a database is the only way to achieve this.

However, the DBA privilege gives these users more access than we'd like. There are some tables we might not want them to select data from and we would not want them to run certain commands like 'alter fragment' or be able to grant privileges.

In Oracle they have created individual system privileges for all actions such as "select any table", "execute any procedure" and "create any synonym". The privileges CONNECT, RESOURCE and DBA are now roles made up of these individual privileges and maintain compatibility with the standards.

I don't expect that any Informix implementation should copy Oracle but I think more fine-grained privileges are needed in a world where there are more audits and compliance criteria than ever before (PCI-DSS and so on).
  • Guest
  • Dec 24 2018
  • Future Consideration
Idea Priority Medium
Customer Name British Sky Broadcasting
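
The contrast the idea describes, as an added SQL sketch that is not part of the original submission: the single Informix grant available today, next to an Oracle-style role built from individual privileges. The names `release_user`, `deploy_role`, `app_owner`, `orders` and `order_lines` are hypothetical.

```sql
-- Added illustration; all user, role, schema and table names are hypothetical.

-- Informix today: DBA is the only database-level privilege that lets a
-- user create and drop objects in another user's schema.
GRANT DBA TO release_user;

-- Oracle: a deployment role assembled from individual system privileges.
CREATE ROLE deploy_role;
GRANT CREATE SESSION TO deploy_role;

-- Procedures, synonyms, triggers and indexes in other schemas.
GRANT CREATE ANY PROCEDURE, DROP ANY PROCEDURE, EXECUTE ANY PROCEDURE TO deploy_role;
GRANT CREATE ANY SYNONYM, DROP ANY SYNONYM TO deploy_role;
GRANT CREATE ANY TRIGGER, DROP ANY TRIGGER TO deploy_role;
GRANT CREATE ANY INDEX, DROP ANY INDEX TO deploy_role;

-- Tables; constraints are added and dropped through ALTER TABLE.
GRANT CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE TO deploy_role;

-- Data changes are granted per table instead of UPDATE ANY TABLE, so
-- tables that should stay off-limits are simply never listed here.
GRANT INSERT, UPDATE, DELETE ON app_owner.orders TO deploy_role;
GRANT INSERT, UPDATE, DELETE ON app_owner.order_lines TO deploy_role;

-- Deliberately withheld: SELECT ANY TABLE, GRANT ANY PRIVILEGE,
-- GRANT ANY OBJECT PRIVILEGE, and WITH ADMIN OPTION on any grant above.

GRANT deploy_role TO release_user;
```

The Oracle `ANY` privileges apply to every schema in the database, not only `app_owner`, so this role is narrower than DBA but still broader than a schema-scoped deployment right.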
