Currently, I am granting access to my colleagues using the following code:
Grant select on tablename to user1, user2, user3 with grant option;
However, I created a table that contains the user id and name and my goal is to grant access to a certain table to all the users within the column that contains the list of active users.
Something like: Grant select on database.tablename to (select userid from table_ative_users) with grant option;
I used to do it using a Stored Procedure but right now, I can't use it, so, I am looking for an alternative.
Many thanks
Related
Using SYSTEM user I create a new user. After that I try to give this user access to specific columns only in 1 table, but get the error that this table does not exist. Meaning that SYSTEM user does not have access to this table. Unfortunately, the user that has access to the normal production tables cannot manage user privileges and access. What are my options?
CREATE USER test1 IDENTIFIED BY 123456;
GRANT UPDATE (extinvno, invoiceno) ON invoice TO test1;
Edit: Solution
Created 3 views that I needed. GRANT-ed the new user SELECT and UPDATE on 2 of the views and SELET on the 3rd. For the new user I had to use the chema to refer to the views: chema.view
If SYSTEM doesn't own the table then you need to specify who does; for example if the table was in the HR schema you would do:
GRANT UPDATE (extinvno, invoiceno) ON HR.invoice TO test1;
... using the real owning schema name, of course.
It isn't that SYSTEM doesn't have access to the table; it's that by default it's looking for SYSTEM.invoice, which doesn't exist.
The table owner could also grant the update privilege to test1.
I created a user and granted him all permissions, i used: GRANT ALL PRIVILEGES TO user1;
but then i tried to select rows from a table that i created with the admin user like this:
select * from sys.table it gives me an error message table or view doesn't exist
then i did: Grant select on table to user1 and it worked.
so does all privileges not include select?
As is often the case, Oracle uses words "approximately".
In this case, ALL doesn't mean "all". From the documentation:
ALL PRIVILEGES
Specify ALL PRIVILEGES to grant all of the system privileges listed in
Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and
ALTER PUBLIC DATABASE LINK privileges.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/sqlrf/GRANT.html#GUID-20B4E2C0-A7F8-4BC8-A5E8-BE61BDC41AC3
Notice the "except" part. "All" should mean "all", that is, "no exception"; yet........
Relevant to your question: ALL PRIVILEGES does not include SELECT ANY DICTIONARY. Most likely, whatever table or view you were trying to select from is a dictionary table (or view); which explains why granting ALL PRIVILEGES didn't work, but granting access directly on the table/view did.
If you want to grant access to all dictionary objects, you can grant SELECT ANY DICTIONARY to the user.
After you are done playing with these explicit grants, you may want to consider granting system roles to the users who need them (and only to those users), instead of hunting down all such exceptions.
As I understand in Oracle, one schema is only for one user and if you (granter) grant privileges to another user (grantee) to access that schema, that schema is copied to the grantee's schema while MySQL just provides access to access the database without copying.
E.g. If user1 is schema1 and if you grant privileges to user2 to access schema1. Will those tables in schema1 be copied to the schema (could be schema2) of user2. How does that work behind the scene?
And,
If I grant only select privileges to user2 to access user1.table1, Will table1 be copied to the schema of user2? Or does user2 only get access to table1 while table1 will still be in schema1?
GRANT SELECT ON user1.table1 TO user2;
Please help me understand how does oracle grant privileges works. Thank you.
that schema is copied to the grantee's schema
That's completely wrong.
The grantee only gets the privilege to access the tables in the other schema. To access the table the grantee needs to prefix the table reference with the grantor's schema:
e.g. user2 needs to run:
select *
from user1.table1;
Nothing is being copied, the query directly access the table in the other schema.
I have an oracle database with two roles assigned to the same user.
The user will connect from .Net application.
Since each role has its own privileges I would like, when using my application, only one role to be considered. So the user will choose the role to be considered when logging to the application. And the privileges related to the other role wont be "active".
for example
Role 1 can access Table A
Role 2 can access Table B
So theoretically The user can access A & B
When using my application :
Choose either 1 or 2
if 1, show only A table
if 2, show only B table
Is that possible please ?
Thank you
Use of ROLES is one way:
CREATE ROLE roleA;
CREATE ROLE roleB;
GRANT SELECT ON tableA to roleA;
GRANT SELECT ON tableB to roleB;
GRANT roleA to TheUser;
GRANT roleB to TheUser;
When the user chooses a role in your application, issue the appropriate SET ROLE command:
User chooses 1:
SET ROLE roleA;
Otherwise,
SET ROLE roleB;
Since the roles are not defaults, they will only be active via the SET ROLE command. You can password protect the roles, too.
I am trying to setup a new role for making the access rights granting easier. I was wondering if there is an easier way to give select on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran following queries for the same. But still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I login with mytest1 user and trying to run select on myschema.mytable it is asking me to grant usage on schema to user. After I grant usage on schema to user directly it is failing with permission denied for that table.
Please help with the same. I am running on vertica 5.0
Update:
I find that u also have to make that role default or explicitely set that role as default for user session for making the role's effect take place.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my another question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0 - for page numbers)
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
The the user must also be granted access to the individual objects means that you need to also GRANT table.
The two I use is GRANT SELECT and GRANT REFERENCES which allows the user to run queries and join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).