Proxy user and "create any" privileges : oracle

Has anyone used the proxy user with only “grant create…” privileges as opposed to “grant create any…”?

The --liquibaseSchemaName parameter doesn't seem to help to force the changelogdb tables to that schema.

By the way, granting “create any” privileges is the same as giving privileges to create objects in other schemas, which ideally should not be given.

I do. Here is my configuration:

Target schema: INDA1
Privileges: (no “ANY” privs) CREATE *, ALTER *

Liquibase “admin” ID: DBDEPLOY
Privileges: CONNECT role, “CONNECT THRU” for INDA1

Here is an example Liquibase command:

./liquibase --username=dbdeploy[inda1] --password=xxxxx --url="jdbc:oracle:thin:@XYZ" --changeLogFile="dbchangelog.xml" update

When that is executed, all objects are created under the inda1 schema, including the databasechangelog and databasechangeloglock. There is no need for “ANY” privileges and no need to use something like the “--liquibaseSchemaName” parameter for this setup.
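The setup described in the post above, written out as Oracle SQL with checks that no “ANY” privilege is involved. This is an added example, not part of the original post. It assumes the INDA1 schema already exists; the password placeholder and the exact list of CREATE privileges are assumptions.

```sql
-- Run as a DBA. Account names are taken from the post; the password
-- placeholder and the chosen CREATE privileges are assumptions.

-- 1. Deployment login: can open a session, owns and creates nothing.
CREATE USER dbdeploy IDENTIFIED BY "<choose-a-password>";
GRANT CONNECT TO dbdeploy;

-- 2. Schema owner: privileges limited to its own schema (no ANY).
GRANT CREATE TABLE, CREATE VIEW, CREATE SEQUENCE,
      CREATE PROCEDURE, CREATE TRIGGER TO inda1;

-- 3. Let dbdeploy open sessions as inda1, i.e. dbdeploy[inda1].
ALTER USER inda1 GRANT CONNECT THROUGH dbdeploy;

-- Check A: no ANY system privilege granted directly ...
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('INDA1', 'DBDEPLOY')
   AND privilege LIKE '% ANY %';          -- expect no rows

-- ... or through a directly granted role (nested roles not expanded).
SELECT rp.grantee, rp.granted_role, sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE rp.grantee IN ('INDA1', 'DBDEPLOY')
   AND sp.privilege LIKE '% ANY %';       -- expect no rows

-- Check B: dbdeploy may proxy only to the intended schema.
SELECT proxy, client
  FROM proxy_users
 WHERE proxy = 'DBDEPLOY';                -- expect one row: CLIENT = INDA1

-- Check C: run inside a dbdeploy[inda1] session to confirm identity.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')     AS proxy_login,
       SYS_CONTEXT('USERENV', 'SESSION_USER')   AS effective_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS schema_in_use
  FROM dual;                              -- expect DBDEPLOY, INDA1, INDA1

-- Check D: after "liquibase update", the tracking tables sit in INDA1.
SELECT owner, table_name
  FROM dba_tables
 WHERE table_name IN ('DATABASECHANGELOG', 'DATABASECHANGELOGLOCK');
```

Any row returned by Check A, or a second CLIENT in Check B, means the deployment login can reach beyond the one schema it is meant to manage.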

Using liquibase plugin with Maven (liquibase 4.2.2) against Oracle RDBMS.
So we access liquibase through Maven goals.
I had to use: changelogSchemaName instead of liquibaseSchemaName.

We precreate the liquibase tables in their own liquibase schema.
Liquibase proxy user schema has only connect privileges.

PROXY connection to schema owner with an ‘admin’ liquibase role (privs on liquibase log tables) and role with create table, create index, etc…

I pre-created the liquibase admin schema and gave the related grants.
It now works for me without “create any” privileges; the issue was with “residual” DDLs that had db change log create statements, which shouldn't have been there.

Thank you for sharing the solution @mohsink
This will definitely help someone else facing a similar issue in the future.

Thanks,
Rakhi Agrawal

It seems you’re trying to limit the permissions for security reasons, which makes sense. Granting “create any” can be risky since it allows the creation of objects in any schema, which could lead to unintended consequences. Using “grant create” is a safer approach, but I’ve also noticed that the --liquibaseSchemaName parameter doesn’t always force the changelog tables into the desired schema.

I’ve been exploring the proxy user setup too, and honestly, granting create any always felt like overkill to me—it’s like handing someone the keys to the kingdom when all they needed was access to the pantry. The way I see it, limiting privileges wherever possible is just good practice. I recently stumbled across something called The Most Light Icon Complex Proxy while diving into LightningProxies—have you heard of it? It caught my eye because it’s designed to keep things minimal while still being functional for specific use cases like this. Maybe worth a look if you’re trying to avoid over-granting but still need flexibility.