This content has been marked as final. Show 2 replies
Users always have full privileges on any workspace(s) that they create. The only additional privilege that is needed to merge the child workspace is the ACCESS privilege on the parent workspace. Since you are granting ACCESS_ANY_WORKSPACE to the user, they would have all the necessary privileges to merge, and there is no way to avoid this without removing one or more of these privileges.
However, one possibility would be to create a trigger that only executed during merge operations using dbms_wm.SetTriggerEvents, and raised an error anytime a user other than the Auditor user attempted to merge a workspace. The other possibility is to create a separate user to create all of the workspaces. The auditor would still have the ACCESS_ANY_WORKSPACE privilege, but would not be able to merge the workspace without the privilege being explicitly granted since they would no longer own the workspace.
I figured this was a works as desgined. I think I'll try the second option as it should be easier to code.