Grant create user permission Snowflake - permissions

It's a newbie question, but still: I am trying to grant create user permission to the sysadmin role from the accountAdmin role so that I can create users in the sysadmin role.
The statement I am trying to execute is:
grant create user to role sysadmin;
Error
SQL compilation error: syntax error line 1 at position 18 unexpected 'to'.
What's the exact statement to achieve this?
I tried googling but haven't found any exact query statement in a long time, so posting it here.

GRANT CREATE USER ON ACCOUNT TO ROLE role_name;
Please note that this statement has to be submitted as an ACCOUNTADMIN
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html
You could also choose to use the WITH GRANT OPTION which allows the grantee to regrant the role to other users.
GRANT CREATE USER ON ACCOUNT TO ROLE role_name WITH GRANT OPTION;

Related

Permission to add user to db_accessadmin without adding to db_owner

I have a client with a head-office, and various field offices.
I would like to grant a couple of head office people, who are SQL Azure contained users, the permission to become an "admin-lite". Specifically, I want them to be able to create users, and make them in/active (with GRANT or REVOKE CONNECT).
I'd also like them to be able to assign other people to this same "admin-lite" role - they can then nominate one person in each branch who can create and manage their own users (there's quite a high turnover of staff).
The way I've made the first of the Head Office "admin-lites" is by making them a member of these two roles:
db_accessadmin - so they can create new users and issue GRANT or REVOKE CONNECT statements
db_securityadmin - so they can assign the new user to the appropriate role
Incidentally, they only need to be able to assign standard users to a custom role, not a built-in role.
However, I've been able to make the first of these Head Office "admin-lites" because I'm a member of db_owner. As mentioned, I'd like them to be able to do the same for their field offices - but I don't want to make the Head Office admin a member of db_owner, because this also gives them permission to make anyone else a db_owner too.
So, the question is, can I create a custom role with the permission to add people to db_accessadmin and db_securityadmin without them being a db_owner? Can I create a custom role with the same permissions as db_accessadmin and db_securityadmin that makes this easier, perhaps?
Thanks
If I am not wrong, you want to create a role which mimics the same functionality as db_accessadmin + db_securityadmin combined, but at the same time you do not want the members to be a member of db_owner.
Here is a role called FieldOfficeAdmin that does the same.
CREATE ROLE FieldOfficeAdmin;
/* db_accessadmin permissions */
GRANT CONNECT TO FieldOfficeAdmin;
GRANT ALTER ANY USER TO FieldOfficeAdmin;
/* db_securityadmin permissions */
GRANT CREATE SCHEMA TO FieldOfficeAdmin;
GRANT ALTER ANY ROLE TO FieldOfficeAdmin;
GRANT CREATE ROLE TO FieldOfficeAdmin;
GRANT ALTER ANY APPLICATION ROLE TO FieldOfficeAdmin;
GRANT VIEW DEFINITION TO FieldOfficeAdmin;
Add any user(s) to this role; they will then be able to create more users and add them as members to the same role:
CREATE USER fieldofficeadmin1 WITH PASSWORD = 'enterStrongPassword#1234';
GO
ALTER ROLE FieldOfficeAdmin ADD MEMBER fieldofficeadmin1;
When you log in as fieldofficeadmin1, you will be able to create more users and add them to the role:
CREATE USER fieldofficeadmin2 WITH PASSWORD = 'enterStrongPassword#1234';
GO
ALTER ROLE FieldOfficeAdmin ADD MEMBER fieldofficeadmin2;
But when you log in as fieldofficeadmin1 and try to add a member to db_owner:
ALTER ROLE db_owner ADD MEMBER fieldofficeadmin2;
it should fail with the below error:
Failed to execute query. Error: Cannot add the principal 'FieldOfficeAdmin2', because it does not exist or you do not have permission.
Please let me know if you have any further questions or if I interpreted your requirement incorrectly.
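As an added check, not part of the answer above, this T-SQL audits what the FieldOfficeAdmin role actually holds, lists who sits in it versus db_owner, and then impersonates fieldofficeadmin1 to confirm that adding a member to db_owner is refused. It assumes the role and the two users from the answer already exist and that you run it as a db_owner member (impersonation needs that).

```sql
-- Added verification script; assumes FieldOfficeAdmin, fieldofficeadmin1 and
-- fieldofficeadmin2 from the answer exist. Run as a db_owner member.

-- 1. Database-scoped permissions held directly by the custom role
--    (class 0 = database securable). Expect only the seven GRANTs above.
SELECT pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'FieldOfficeAdmin'
  AND pe.class = 0
ORDER BY pe.permission_name;

-- 2. Membership of the custom role and of db_owner: the admin-lite users
--    should appear under FieldOfficeAdmin only, never under db_owner.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'FieldOfficeAdmin', N'db_owner')
ORDER BY r.name, m.name;

-- 3. Negative test: as fieldofficeadmin1, an attempt to add a member to
--    db_owner must fail (fixed database roles can only be changed by
--    db_owner members). The transaction is rolled back either way, so the
--    database is never left changed even if the check unexpectedly succeeds.
EXECUTE AS USER = N'fieldofficeadmin1';
BEGIN TRY
    BEGIN TRANSACTION;
    ALTER ROLE db_owner ADD MEMBER fieldofficeadmin2;
    ROLLBACK TRANSACTION;
    SELECT N'FAIL: fieldofficeadmin1 could add a db_owner member' AS check_result;
END TRY
BEGIN CATCH
    IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
    SELECT N'OK: blocked (' + ERROR_MESSAGE() + N')' AS check_result;
END CATCH;
REVERT;
```

Step 3 is the one to re-run after any later change to the role's grants, since ALTER ANY ROLE looks broader than it is and the db_owner protection comes from the fixed-role rule, not from the grant list.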

Unable to grant role to user

I've created a role called CATDX_OWNER_RPT_RL and granted SELECT privileges on all tables within the schema. I've created a new user and granted both CONNECT and CREATE SESSION. Now I would like to assign the role I created to the new user with the following syntax: GRANT ROLE CATDX_OWNER_RPT_RL TO USER. It returns this error: SQL Error: ORA-00990: missing or invalid privilege
00990. 00000 - "missing or invalid privilege"
Reinventing the wheel? Omit ROLE.
GRANT CATDX_OWNER_RPT_RL TO NEW_USER;

H2 database 'grant role' error

I'm writing some database creation scripts using H2 database but can't grant the roles I create. My script is:
create user MY_READWRITEUSER password 'MY_READWRITEUSER';
create user MY_OWNER password 'MY_OWNER' admin ;
create schema MY_OWNER AUTHORIZATION MY_OWNER;
set schema MY_OWNER;
create role MY_READ_ROLE;
create role MY_RW_ROLE;
grant role MY_RW_ROLE to MY_OWNER;
grant role MY_RW_ROLE to MY_READWRITEUSER;
grant role MY_READ_ROLE to MY_READUSER;
but when I hit the grant role lines, H2 complains:
[Error Code: 42001, SQL State: 42001] Syntax error in SQL statement "GRANT ROLE MY_RW_ROLE[*] TO MY_OWNER "; expected ",, TO"; SQL statement:
I don't see any syntax error - what am I doing wrong?
H2 version 1.4.191
Often the case - if I ask on SO I figure out the answer myself minutes later.
There is a syntax error. This:
grant role MY_RW_ROLE to MY_OWNER;
should say this:
grant MY_RW_ROLE to MY_OWNER;

GRANT Privilege In SQL

Fast:
GRANT SELECT ON SYSTEM.* TO appadmin;
I want to grant AppAdmin the rights of SELECT on all tables of the database
I'm using Oracle SQL; why does my statement not work?
Using the ANY keyword in reference to a system privilege means that the user can perform the privilege on any objects owned by any user except for SYS. By default, if you are granted a privilege, you cannot assign your privilege to others. You cannot grant or revoke that privilege to or from anyone else.
Sometimes you want to grant privileges to users and have them be able to grant those privileges to other users. When this is the case, we include the with admin keyword in the grant command. When this keyword is used, it will allow the user granted the privilege to grant that privilege to other users.
Here is an example of the usage of the with admin option keyword.
GRANT SELECT ANY TABLE TO User WITH ADMIN OPTION;
-- without the option, the grantee gets the privilege but cannot pass it on:
GRANT SELECT ANY TABLE TO YOUR_USER;

Create user with admin option oracle 11g command not working

Okay, this command is not working:
create user username identified by password with admin option ;
It throws an error which says "missing or invalid option".
And I am logged in as system. I have tried searching the Oracle docs and they have written the same command. What am I doing wrong here?
You need to first create the user:
CREATE USER username IDENTIFIED BY password;
then separately grant privileges WITH ADMIN OPTION:
GRANT dba TO username WITH ADMIN OPTION;
"ADMIN OPTION" is a part of "GRANT" statement. You can't use it with "CREATE USER".
You don't need to give ADMIN OPTION if you are giving the user the DBA privilege; DBA is the administrator.
Also, you can combine both statements, creation of the user with the grant of the privilege:
CREATE USER username IDENTIFIED BY password;
GRANT DBA TO username;
Note: Correct me if I am wrong. ☺