"When enabling the bundle while ensuring UBAC remains disabled, a key approach is configuring session policies to restrict secondary role usage across the account. UBAC is designed to function only when a user has all secondary roles activated. To prevent this, establish a session policy that explicitly disallows secondary roles for all users. By implementing this restriction, you can maintain control over role-based access while still leveraging the bundle's capabilities."
"Modify the session policy to prohibit secondary roles:

    ALTER SESSION POLICY DISABLE_UBAC SET ALLOWED_SECONDARY_ROLES = ();

Assign the session policy to the account:

    ALTER ACCOUNT SET SESSION POLICY DISABLE_UBAC;

Now, if a user attempts to activate a secondary role using the USE SECONDARY ROLES command, for example:

    USE SECONDARY ROLES DBA_GROUP;

They will encounter the following error:

    SQL execution error: USE SECONDARY ROLES '[DBA_GROUP]' not allowed as per session policy."
To disable UBAC while retaining the bundle, configure a session policy that prevents secondary role activation. Set ALLOWED_SECONDARY_ROLES = () in the session policy and assign it at the account level to block all users from using secondary roles. To restrict individual users instead, apply the session policy at the user level; user-level policies override account-level policies. Once the policy is applied, any attempt to enable secondary roles with USE SECONDARY ROLES fails with a SQL execution error. This approach preserves role-based access control while ensuring UBAC remains inactive even though the bundle is enabled.
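The steps above as one script, including creating the policy and confirming where it is attached. This is an added example, not code from the article; the database SECURITY_DB, schema POLICIES, user ANALYST_1 and the use of ACCOUNTADMIN are assumptions, while DISABLE_UBAC and DBA_GROUP are the names the article uses.

```sql
-- Assumption: ACCOUNTADMIN is used here because it can create and apply session policies.
USE ROLE ACCOUNTADMIN;

-- Create the policy with an empty allow-list: no secondary role may be activated.
-- SECURITY_DB.POLICIES is a hypothetical location for policy objects.
CREATE SESSION POLICY IF NOT EXISTS SECURITY_DB.POLICIES.DISABLE_UBAC
  ALLOWED_SECONDARY_ROLES = ()
  COMMENT = 'Block secondary roles so UBAC stays inactive';

-- Option 1: account-wide, applies to every user without a user-level policy.
ALTER ACCOUNT SET SESSION POLICY SECURITY_DB.POLICIES.DISABLE_UBAC;

-- Option 2: a single user (ANALYST_1 is hypothetical). A user-level policy
-- takes precedence over the account-level one for that user.
ALTER USER ANALYST_1 SET SESSION POLICY SECURITY_DB.POLICIES.DISABLE_UBAC;

-- Verify: list every account or user the policy is currently attached to.
SELECT policy_name, ref_entity_domain, ref_entity_name
FROM TABLE(SECURITY_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(
  POLICY_NAME => 'SECURITY_DB.POLICIES.DISABLE_UBAC'));

-- Negative check, run in a new session as an affected user.
-- Expected to fail with the "not allowed as per session policy" error quoted above.
USE SECONDARY ROLES DBA_GROUP;
```

Run the negative check from a fresh login, since the policy is evaluated for the session in which the command is issued.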