We have an Azure-based SQL Server instance, and we want to create a user who would only have SELECT access to two tables on a database that has many more tables. Is this possible? If so, is there a guide I can follow to accomplish this?
Restrict user to certain tables in SQL
You can use the SQL GRANT statement to grant SELECT and other privileges on tables.
CREATE USER demouser
WITH PASSWORD = 'demopa#ssword1234';
GRANT SELECT ON dbo.student TO demouser
GRANT SELECT ON dbo.Airlines TO demouser
execute as user = 'demouser'
select * from student
select * from Airlines
REVERT;
Execution
Granted SELECT permission to user demouser on the Airlines and student tables.
The demouser user has no access to the mydata table.
As you can see in the picture, I am connecting to my database as SYS with SYSDBA below.
The filtered tables shown in picture 2 seem to be system tables, right, as all the table names end with $?
I am wondering why SYS does not have permission to view the tables we created, e.g. filetable (as shown in the picture above). Is it because this ID does not have permission to select from all tables? If yes, how can I allow the ID to have permission to view all tables, including filetable?
Does this SYS account have FULL privileges in the database or not? I tried to use the command below to grant privileges to the user, but that didn't work; I get the error shown:
SQL> grant SELECT on filetable to user
grant SELECT on filetable to user
*
ERROR at line 1:
ORA-00942: table or view does not exist
What I need to do is create a user and grant SELECT permission on all tables to this user.
What do I need to do?
Simply run
select owner, table_name from dba_tables where table_name= 'FILETABLE';
or fall back to the query below if it is not a table but a view or a materialized view
select owner, object_name, object_type from dba_objects where object_name= 'FILETABLE';
then take what you see in the owner column and query with it (substitute [owner] with the owner you see). If the query above returns no rows, the object does not exist.
select * from [owner].FILETABLE
I do not understand how the user, who is logged into SSMS with SQL Server authentication, is able to select rows from MyTable, when MyTable -> Properties -> Permissions in SSMS is blank. The user has had SELECT permission REVOKED.
I have restricted SELECT access at the table level for a single table 'A' in SQL Server (2016).
But users are able to access views which are created on top of that table 'A'.
When users run a SELECT statement on table 'A' (select * from table 'A'), users get the message 'select permission is denied on object table 'A''.
When users run a SELECT statement on the view (select * from view 'A'), users are able to access all data.
Users are able to create new views by writing SELECT statements on table 'A'.
How can I restrict users from accessing table 'A' from views as well?
This is expected behavior due to ownership chaining. Permissions on tables referenced by the view are not checked as long as the view and tables have the same owner (AUTHORIZATION).
To break the ownership chain, you could either move the table to a different schema (owned by a different user than the view's schema) or change the owner of the table. Examples below.
--move table to different schema
CREATE USER RestricedTablesOwner WITHOUT LOGIN;
GO
CREATE SCHEMA RestricedTables AUTHORIZATION RestricedTablesOwner;
GO
ALTER SCHEMA RestricedTables TRANSFER dbo.A;
GO
--change table to different owner, retaining same schema
ALTER AUTHORIZATION ON OBJECT::dbo.A TO RestricedTablesOwner;
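A reproduction of the chain and of the fix, as an added example that is not part of the original answer; it assumes a scratch database and uses the constructed names dbo.A, dbo.vA, ReportUser and ChainBreakOwner:

```sql
-- Constructed test objects: a table, a view over it, and a reporting user
CREATE TABLE dbo.A (id int PRIMARY KEY, secret nvarchar(50));
INSERT INTO dbo.A VALUES (1, N'constructed row');
GO
CREATE VIEW dbo.vA AS SELECT id, secret FROM dbo.A;
GO
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.vA TO ReportUser;
DENY  SELECT ON dbo.A  TO ReportUser;   -- explicit DENY on the base table
GO
-- Both objects are owned by dbo, so the chain is intact and the DENY on dbo.A
-- is never evaluated: the view still returns the row
EXECUTE AS USER = 'ReportUser';
SELECT * FROM dbo.vA;
REVERT;
GO
-- Check who owns each object; an explicit owner (sys.objects.principal_id)
-- overrides the schema owner, otherwise the schema owner applies
SELECT o.name, o.type_desc,
       COALESCE(USER_NAME(o.principal_id), USER_NAME(s.principal_id)) AS object_owner
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.name IN ('A', 'vA');
GO
-- Break the chain by giving the table a different owner, as the answer shows
CREATE USER ChainBreakOwner WITHOUT LOGIN;
ALTER AUTHORIZATION ON OBJECT::dbo.A TO ChainBreakOwner;
GO
-- Owners now differ, so SQL Server checks ReportUser's permission on dbo.A
-- and the SELECT through the view fails with error 229 (permission denied)
EXECUTE AS USER = 'ReportUser';
SELECT * FROM dbo.vA;
REVERT;
GO
```

Run the ownership query again after the ALTER AUTHORIZATION to confirm that dbo.A and dbo.vA now report different owners; that difference is what re-enables the permission check on the table.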
The users listed in the DBA_USERS table do not match the grantees listed in the DBA_TAB_PRIVS table.
So how do I get the privileges for users that are only listed in the DBA_USERS table?
For example, if I do
SELECT USERNAME FROM DBA_USERS;
Then I get a list of login names, such as
USERNAME
--------
BOB17
DBA
JANET5
STEVE34
SYSTEM
And now I want to know what roles and privileges the 'STEVE34' user has.
But when I run the queries suggested online:
SELECT * FROM DBA_SYS_PRIVS;
SELECT * FROM DBA_TAB_PRIVS;
SELECT * FROM DBA_ROLE_PRIVS;
The "Grantee" column does not contain 'BOB17', 'JANET5', 'STEVE34', instead it contains 'SYSTEM', 'PUBLIC', and 'DBA'.
So if 'STEVE34' is not in the Grantee column of any of the PRIVS tables, how do I find out what privileges the user 'STEVE34' has?
The question "How to find the privileges and roles granted to a user in Oracle?" has 8 answers, none of which solve this question.
I need to know what permissions and roles the users listed in DBA_USERS have, and those users are NOT found in the suggested tables from the linked question.
Further clarification:
If I run this query:
Select USERNAME, GRANTEE from dba_users u
LEFT JOIN dba_tab_privs p
ON u.USERNAME = p.GRANTEE
order by username
This is the result:
USERNAME GRANTEE
-------- -------
BOB17 (null)
DBA DBA
DBA DBA
DBA DBA
DBA DBA
JANET5 (null)
STEVE34 (null)
SYSTEM SYSTEM
SYSTEM SYSTEM
SYSTEM SYSTEM
How can I determine the privileges for users that are not in the DBA_TAB_PRIVS table?
I am absolutely certain that the users do exist and have some kind of privileges; I watched them log in and watched them successfully run SELECT queries.
I may be going out on a limb here, but I could not help but notice that the sample list of users is in lower case. If you copied and pasted the list (as opposed to incidentally typing the names in lower case), it means those users were created using double quotes. You can only find them in any Oracle dictionary view (such as dba_users, dba_tab_privs, dba_sys_privs, dba_role_privs) if you take that fact into account. A double-quoted lower-case username is different from a non-quoted username.
Whenever a grant, revoke, create table or any other DDL must be run against the lower-case double-quoted "steve34", it needs to be double quoted, or Oracle will run it against the unquoted, case-insensitive version STEVE34.
The same applies to the WHERE clause in SQL on dictionary views. Double-quoted "steve34" becomes case sensitive.
Note that in the example below I can create 2 users with apparently the same name, but which are different Oracle users.
FSITJA#db01> create user "steve34" identified by 123;
User created.
FSITJA#db01> create user steve34 identified by 123;
User created.
FSITJA#db01> grant create session to steve34;
Grant succeeded.
FSITJA#db01> select username from dba_users u where upper(u.username) = 'STEVE34';
USERNAME
------------------------------
steve34
STEVE34
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'STEVE34';
GRANTEE PRIVILEGE ADM COM
------- ---------------------------------------- --- ---
STEVE34 CREATE SESSION NO NO
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'steve34';
no rows selected
FSITJA#dbd01 2019-07-31 17:18:00> grant create session to "steve34" with admin option;
Grant succeeded.
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'steve34';
GRANTEE PRIVILEGE ADM COM
------- ---------------------------------------- --- ---
steve34 CREATE SESSION YES NO
I just created two tables, named tblA and tblB. I also created a user (Security/Login) who will be used for remote insert/update.
What is the best way to permit this user to access only those two tables out of 50 tables? I have tried looking for a way under (Security/Login) and (Database/Properties). Can I limit it at the user account level?
Use a 'grant' statement:
grant select on tblA to the_user_name
grant insert on tblA to the_user_name
grant update on tblA to the_user_name