Proxy user and "create any" privileges : oracle

Has anyone used the proxy user with only “grant create…” privileges as opposed to “grant create any…”?

The --liquibaseSchemaName parameter doesn't seem to help to force the changelogdb tables to that schema.

By the way, granting “create any” privileges is the same as giving privileges to create objects in other schemas, which should not be given ideally.

I do. Here is my configuration:

Target schema: INDA1
Privileges: (no “ANY” privs) CREATE *, ALTER *

Liquibase “admin” ID: DBDEPLOY
Privileges: CONNECT role, “CONNECT THRU” for INDA1

Here is an example Liquibase command:

./liquibase --username=dbdeploy[inda1] --password=xxxxx --url="jdbc:oracle:thin:@XYZ" --changeLogFile="dbchangelog.xml" update

When that is executed, all objects are created under the inda1 schema, including the databasechangelog and databasechangeloglock. There is no need for “ANY” privileges and no need to use something like the “--liquibaseSchemaName” parameter for this setup.
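
The setup described in the reply above, written out as Oracle SQL with three checks for verifying it. This is an added example, not code from the thread: it assumes both accounts already exist, the list of CREATE privileges is an assumed reading of “CREATE *”, and the verification queries are additions.

```sql
-- Run as a DBA. Assumes INDA1 (schema owner) and DBDEPLOY (deploy ID) already exist.

-- Schema owner: privileges on its own schema only, no "ANY" variants.
-- The exact list is an assumption; grant only what the changelogs need.
GRANT CREATE SESSION,   -- the proxied account needs this as well
      CREATE TABLE,
      CREATE VIEW,
      CREATE SEQUENCE,
      CREATE PROCEDURE,
      CREATE TRIGGER
   TO inda1;

-- Deploy ID: may log in, owns nothing, creates nothing on its own.
GRANT CONNECT TO dbdeploy;

-- Allow DBDEPLOY to open sessions as INDA1 (the thread's "CONNECT THRU").
ALTER USER inda1 GRANT CONNECT THROUGH dbdeploy;

-- Check 1: "ANY" system privileges held directly or through a directly
-- granted role. Any row returned is a privilege to review and revoke.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee IN (SELECT 'INDA1' FROM dual
                   UNION ALL
                   SELECT 'DBDEPLOY' FROM dual
                   UNION ALL
                   SELECT granted_role
                     FROM dba_role_privs
                    WHERE grantee IN ('INDA1', 'DBDEPLOY'));

-- Check 2: which schemas DBDEPLOY is allowed to proxy into.
SELECT proxy, client
  FROM proxy_users
 WHERE proxy = 'DBDEPLOY';

-- Check 3: run inside a session opened as dbdeploy[inda1].
-- PROXY_USER is the account that authenticated; SESSION_USER is the
-- account the session runs as; CURRENT_SCHEMA is where unqualified
-- objects (including the Liquibase tracking tables) are created.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')     AS authenticated_as,
       SYS_CONTEXT('USERENV', 'SESSION_USER')   AS runs_as,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS default_schema
  FROM dual;
```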

Using liquibase plugin with Maven (liquibase 4.2.2) against Oracle RDBMS.
So we access liquibase through Maven goals.
I had to use: changelogSchemaName instead of liquibaseSchemaName.

We precreate the liquibase tables in their own liquibase schema.
Liquibase proxy user schema has only connect privileges.

PROXY connection to schema owner with an ‘admin’ liquibase role (privs on liquibase log tables) and role with create table, create index, etc…

I pre-created the liquibase admin schema and gave the related grants.
It now works for me without "create any" privileges; the issue was with “residual” DDLs that had db change log create statements, which shouldn't have been there.

Thank you for sharing the solution @mohsink
This will definitely help someone else facing a similar issue in the future.

Thanks,
Rakhi Agrawal