I think I'm missing something when it comes to grant alter table. I'm looking at the AWS docs
https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html
And they say I can grant alter table to a role. I've tried running grant alter table to user but that gives me SQL Error [0LP01]: ERROR: Grant/Revoke system privilege on User is not supported.. So, I'm confused on what exactly a role in redshift is and how it works. Using rows, could I grant a group of people alter table permissions on a single schema?
I think you are being crossed up by the fact the GRANT ALTER is for external datalake objects only. It has to do with modifying the external datastore and isn't meant for normal Redshift tables.
If memory serves the ability to ALTER a normal table is linked with DROP permission. Otherwise it is linked to table ownership.
You can grant "ALTER TABLE" in this way.
create role testingaltertablerole;
create user testingaltertableuser with password disable;
grant alter table to role testingaltertablerole;
grant role testingaltertablerole to testingaltertableuser;
At the moment, there's no way to grant this permission for a single table, AFAIK.
Related
When I attempt to drop an external table in Azure Synapse SQL Pool I get the folloiwng error:
Cannot drop the EXTERNAL TABLE 'TableName', because it does not exist or you do not have permission.
I am accessing Synapse SQL Server via SSMS.
Can someone let me know how elevate my permissions to drop an external table please.
Theis error generally cause two reasons one is you are table might not present in that particular data baser or the user with which you are querying that table has not have proper privileges.
To Drop Any external table, you need below three major permissions like Alter any schema, alter any external data source and alter any external file format as #Jon suggested.
GRANT ALTER ANY SCHEMA to {user};
GRANT ALTER ANY EXTERNAL DATA SOURCE to {user};
GRANT ALTER ANY EXTERNAL FILE FORMAT to {user};
And also db_exporter server role is there which grant all this permission to you user.
ALTER SERVER ROLE db_exporter ADD MEMBER {user} ;
Also make sure you are using appropriate database to be querying your table where it is present.
And also make sure there is no DENY permission on your user
I need to create 3 users with different DML, DDL, DQL on newly created clean Database in PostgreSQL.
DML should have SELECT, UPDATE, DELETE
DDL should have CREATE, DROP, ALTER, TRUNCATE, INSERT
DQL should have SELECT
all of this in standard scheme public.
Important is that user inherit right on newly created tables by DDL user.
users ref: https://www.geeksforgeeks.org/sql-ddl-dql-dml-dcl-tcl-commands/
I did some coding but I'm pretty new in PostgreSQL and it didn't work :(
The main problem was that I cannot perform GRANT or REVOKE on CREATE, DROP, ALTER, TRUNCATE :(
Can someone help please?
Maybe you have something similar already prepared?
The setup you want, can be done to some extent. However these privileges are controlled on schema level, not on database level.
Assuming you have a schema app_schema for which this should be defined, you can do the following:
First create the users:
create user ddl with password '***';
create user dml with password '***';
create user dql with password '***';
Then create the schema:
create schema app_schema;
Then allow the ddl user to create objects:
grant create,usage on schema app_schema to ddl;
Then change the default privileges on the schema, so that every table (or view, or sequence ...) created by the ddl user is accessible by the dml and dql users:
alter default privileges
for role ddl
grant select,update,delete on tables
to dml;
alter default privileges
for role ddl
grant select on tables
to dql;
This will affect all future tables created in the schema by the user ddl.
The owner of the tables automatically has the privileges to INSERT,UPDATE,DELETE or TRUNCATE the tables.
I have never tried this, but it seems possible to revoke the UPDATE and SELECT privileges:
alter default privileges
for role ddl
in schema app_schema
revoke update,select,delete on tables
from ddl;
If there are already tables in the schema, you need to grant the desired privileges for them:
grant select,insert,update,delete on all tables
in schema app_schema
to dml;
grant select on all tables
in schema app_schema
to dql;
I have an application schema U32_C5 and another schema MIG_SRC which has some tables and then we have a ROLE RO_ROLE on which we have some grants of tables from Schema U32_C5.
The RO_ROLE is assigned to another Schema MRGO_RO which is Read Only.
Here I need to grant select on tables from MIG_SRC to MRGO_RO catch here is that the process which and from where I can include these grants is run from application schema U32_C5 in production so when I tried to to something like below it says table or view does not exists (which seems to be obvious)
execute Grant from U32_C5
grant select on MIG_SRC.MOBILE_CELLPHONE_PAIRINGS to MRGO_RO;
Another way which I think of is creating DB link on MRGO_RO for MIG_SRC Schema but it enables read/write operation as well on MIG_SRC tables which is not allowed on production.
DB Links is present on U32_C5 Schema for MIG_SRC Schema
So looking for a way to accomplish above task without creating DB Link any suggestion is welcome.
Sample Script of requirement what I want to achieve Please Remember I cannot and do not want Login to MIG_SRC and only way I am looking for is to do it by using U32_C5 and without DBA HELP
A RO ROLE Created by DBA's
Create role RO_ROLE;
/* Create application schema, table inside it and grant select on it to RO_ROLE*/
CREATE USER U32_C5 IDENTIFIED BY U32_C5 DEFAULT TABLESPACE;
GRANT ALTER SESSION TO U32_C5;
GRANT CREATE SESSION TO U32_C5;
GRANT CREATE database link TO U32_C5;
GRANT CREATE table TO U32_C5;
create table U32_C5_test_tab (id number);
grant select on U32_c5.U32_C5_Test_tab to RO_ROLE;
/* Create Read Only schema, grant RO_ROLE to it */
CREATE USER mrgo_ro IDENTIFIED BY mrgo_ro DEFAULT TABLESPACE;
GRANT ALTER SESSION TO mrgo_ro;
GRANT CREATE SESSION TO mrgo_ro;
grant ro_role to mrgo_ro;
/* Create SRC schema, table inside it */
CREATE USER MIG_SRC IDENTIFIED BY MIG_SRC DEFAULT TABLESPACE;
GRANT ALTER SESSION TO MIG_SRC;
GRANT CREATE SESSION TO MIG_SRC;
GRANT CREATE database link TO MIG_SRC;
GRANT CREATE table TO MIG_SRC;
create table mig_src_test_tab (id number);
/* login to Apllication Schema U32_C5 */
sqlplus U32_C5/U32_C5#SID
grant select on mig_src.mig_src_test_tab to mrgo_ro; -- for me it gives error here at this step table or does not exist
/* login to Read Only Schema mrgo_ro */
sqlplus mrgo_ro/mrgo_ro#SID
select * from mig_src.mig_src_test_tab;
or
select * from mig_src_test_tab;
If I understood you correctly, then WITH GRANT OPTION is what you're missing.
Once someone (A) grants privileges on their own objects to someone else (B), and that (B) has to "forward" those privileges to (C), then it is the WITH GRANT OPTION that helps.
Documentation says:
Specify WITH GRANT OPTION to enable the grantee to grant the object privileges to other users and roles.
Restriction on Granting WITH GRANT OPTION You can specify WITH GRANT OPTION only when granting to a user or to PUBLIC, not when granting to a role.
It means that you should grant privileges directly, not via role. That fact doesn't have to be a drawback because of named PL/SQL procedures, where privileges acquired via roles won't work anyway, so you might end up in direct grants anyway.
Other option - which you might consider - is related to what you said:
when I tried to to something like below it says table or view does not exists
If you created a synonym for those tables, then you wouldn't get such an error.
Database link isn't an option, as you said - by using it, you have full access (as you have to know username/password to create the DB link, and that isn't really read only access).
I get this error my when i'm selecting from an mview i created.
select * from mview_age_stats
This mview definition is using an external schema in its definition with the external schema "ext". I tried everything i could find online and gave permission at schema, table and every other level
ALTER DEFAULT PRIVILEGES IN SCHEMA ext GRANT SELECT ON TABLES TO my_user;
GRANT USAGE ON SCHEMA ext to my_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA ext TO my_user;
GRANT SELECT ON ALL TABLES IN SCHEMA ext TO my_user;
my_user is also in couple different groups, i gave the same permissions to each group and also more like this;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_only_group;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_write_only;
None of these worked, however what I noticed is that is i have a statement in my mview definition for transferring the ownership to a superuser - which my company uses in order keep ownership of all tables. If i remove the ownership it magically works but i don't understand how moving the ownership would make a difference since i'm granting permission to my_user anyway
alter table mview_age_stats
owner to main_user;
I am managing a database that has a number of schemas. I am having some difficulty with setting privileges and would like to request some help.
I have the schema called schemaA and a group_role db_writer
I use the following sql:
GRANT USAGE ON SCHEMA schemaA TO db_writer;
GRANT UPDATE, INSERT, SELECT, DELETE ON ALL TABLES IN SCHEMA schemaA TO db_writer;
However, the db_writer is unable to create views. They are returned with a permission denied error. Also, when I create views, she is then unable to select them...and I have to set the priviliges again for that view.
It was my understanding the views were treated as tables with respect to privileges...and if one is granted certain permissions to all tables in a schema this would apply to views also.
What am I missing? Any advice appreciated.
The problem is USAGE does not allow users to create objects within the database.
Try
GRANT USAGE, CREATE ON SCHEMA schemaA TO db_writer
Edit:
New objects will get default privileges, for the user to have those privileges for objects created in the future you can do it as:
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT UPDATE, INSERT, SELECT, DELETE ON TABLES TO db_writer;
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT SELECT ON TABLES TO db_reader;
Check this answer for more info