I have a SQL function that I want every user to able to execute. I tried the following:
GRANT EXECUTE ON FUNCTION function_name TO PUBLIC;
But the users don't get the permissions.
What I'm missing?
Thanks
Related
I want to revoke execute from app.my_function function, so users with role doctor can't call it, I can't figure out what wrong with my code, I spend the whole day trying to find a solution.
CREATE SCHEMA app;
CREATE ROLE doctor;
GRANT USAGE ON SCHEMA app TO doctor;
CREATE FUNCTION app.my_function() AS $$ ... $$ LANGUAGE SQL;
REVOKE ALL ON FUNCTION app.my_function() FROM doctor;
here's the solution of my problem, I didn't know that user defined roles inherit from PUBLIC role which have EXECUTE privilege.
...
REVOKE ALL ON SCHEMA PUBLIC FROM PUBLIC;
ALTER DEFAULT PRIVILEGES REVOKE ALL ON FUNCTIONS FROM PUBLIC;
...
The default privileges for functions (which you can change with ALTER DEFAULT PRIVILEGES) allow EXECUTE to PUBLIC, that is everybody. Revoking the privilege from some other role will have no effect.
I am logged in my database with a db_owner account. I am trying to grant EXEC permission to another user: MyTestUser. The simple code is:
USE MyDB
GO
GRANT EXEC ON [MyTestUser] TO PUBLIC
The error:
Cannot find the object 'MyTestUser', because it does not exist or you do not have permission
You don't see it in the following picture cause for the sake of privacy but trust me it's there, exactly as MyTestUser
I think you may have mixed up your statement. A GRANT statement usually goes like this:
GRANT <permission> ON <what resource you want to grant access to> TO <who you want to get the access to the resource>
So your statement is saying you want PUBLIC (all users) to have rights to run EXEC statements on MyTestUser. It is expecting MyTestUser to be a function, stored procedure, etc. So if that is a user, it would fail because it can't find something executable called "MyTestUser".
Say you wanted allow to MyTestUser to execute dbo.spMySproc, you would run:
GRANT EXEC ON dbo.spMySProc TO MyTestUser
Is there a way I can grant truncate permission to a user without altering privileges in SQL Server?
The minimum permission required is ALTER on table_name. TRUNCATE TABLE permissions default to the table owner, members of the sysadmin fixed server role, and the db_owner and db_ddladmin fixed database roles, and are not transferable. However, you can incorporate the TRUNCATE TABLE statement within a module, such as a stored procedure, and grant appropriate permissions to the module using the EXECUTE AS clause.
CREATE PROCEDURE dbo.usp_Demo
WITH EXECUTE AS 'CompanyDomain\SqlUser1'
AS
SELECT user_name();
Source
You can go through this official documentation.
Create a test Login and User id then grant it execute permission on the stored procedure Truncate_Table_Loner. This id will be used to perform the truncate.
-- Grant Execute Permission
-- Setup ID on Database with Connect permission
USE master
GO
CREATE LOGIN [test_user_id] WITH PASSWORD = 'JustConnect123';
GO
USE TestSQL
GO
CREATE USER [test_user_id] FOR LOGIN [test_user_id];
GO
-- Grant Permission
GRANT EXECUTE ON dbo.Truncate_Table_Loner TO [test_user_id];
GO
I have a function named schema.func, I want to give a permission what execute schema.func to the user.
I try to use
GRANT EXECUTE ON schema.func to my_user;
but it is not working. When I perform this function it throws the error:
permission denied for schema ex
I know I can use GRANT USAGE ON SCHEMA, but this is not what I want, I just need permissions for specific functions, not all functions in the schema.
Can I do that?
First, you should allow my_user to access the other schema:
GRANT USAGE ON SCHEMA my_schema TO my_user;
This allows the execution of functions but not the access to tables. So, if my_user executes the function, it still produces an access error, if the function accesses tables etc. in my_schema. To avoid this, you may define your function as security definer:
ALTER FUNCTION my_schema.my_function(...) SECURITY DEFINER SET search_path = public;
Edit: Writing SECURITY DEFINER Functions Safely also points a way to give execute permission to specific users:
REVOKE ALL ON FUNCTION my_schema.my_function(...) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION my_schema.my_function(...) TO my_user;
Please also note the hints on setting the search_path in this section.
As per PostregSQL documentation
GRANT
The FUNCTION syntax works for plain functions, aggregate functions, and window functions, but not for procedures; use PROCEDURE for those. Alternatively, use ROUTINE to refer to a function, aggregate function, window function, or procedure regardless of its precise type.
...
ALL FUNCTIONS also affects aggregate and window functions, but not procedures, again just like the specific-object GRANT command. Use ALL ROUTINES to include procedures.
try:
GRANT EXECUTE ON ROUTINE my_schema.my_function(text) TO my_user;
assuming that your function signature is something like:
my_schema.my_function(my_par text)
I'm trying to allow a stored procedure for a user, but struggling to get it right. Hopefully I'm on the right track, thanks for the help.
GO
Alter role ReportDeveloper
Add sp_GetActiveProductInfo
GRANT EXECUTE ON ReportDeveloper TO employee_usr;
Grant permission to database role not user.
USE DB_NAME;
GRANT EXECUTE ON sp_GetActiveProductInfo TO ReportDeveloper;
GO
It rather should be like below per Documentation
USE DB_NAME;
GRANT EXECUTE ON OBJECT::sp_GetActiveProductInfo
TO employee_usr;
GO
You can do it as ;
USE databse;
GRANT EXECUTE ON sp_GetActiveProductInfo TO employee_usr;
GO
If you add this user to a Role you will Grant the permission to the Role where your user is member in :
USE databse;
GRANT EXECUTE ON sp_GetActiveProductInfo TO ReportDeveloper;
GO