I have two schema "OWNER" and "USER".
I've created job in "OWNER" schema in PROD and we don't have access to login into this schema. Now I want to find a way to access these jobs in "USER" schema.
Below are the methods, I tried and did not work for me:
1)I created view in "OWNER" schema (create view test_view as select * from all_scheduler_jobs) and gave a grant "GRANT SELECT OWNER.test_view to USER". But still I did not find any records in USER schema.
2)Created a view as mentioned above and after that I created synonym in USER schema( create synonym USER.test_view for OWNER.test_view.
Please let me know if there is anything that I'm missing or is there any other way that I can implement.
The ALL_SCHEDULER_JOBS view only lets you see jobs to which you already have access - essentially just your own. To see properties or output from scheduler jobs belonging to other schemas, USER must have the SELECT ANY DICTIONARY privilege, which would allow access to the DBA_SCHEDULER_JOBS view. Check with your DBA to see if you are allowed to have that privilege (it opens up access to a lot of other things, too), or if they would prefer that you have a custom role that just grants access to the various DBA_SCHEDULER_% views. Note that these views would expose all jobs for all users, not just your OWNER schema; there isn't really a way to fine-tune that.
If USER needs to execute the job in another schema, then it will need the EXECUTE ANY JOB privilege, which would allow it to run any job in any schema. There's no way to make that more fine-grained at this time, either.
You can try below SQL.
SCHEMA: OWNER
commit;
SCHEMA: USER
select * from OWNER.test_view;
Related
I was using node.js to work on snowflake datawarehouse as a destination for users. I wanted to check if a user has the required permission level on the schema to create a table and write into it before adding the user to the database otherwise it should give an error saying that the user does not have the appropriate permission level. How can I achieve that programatically?
Thanks,
one way you could do is check if the role has SEELCT privilege on the table by looking into the view TABLE_PRIVILEGES in information_schema schema.
select * from information_schema.TABLE_PRIVILEGES where table_name = 'SALES_RAW'
Due to how permissions can be inherited through the role hierarchy, this isn't easy to do. Permissions aren't assigned to users in Snowflake, they are assigned to roles. You could use the table_privileges in the information schema (as Himanshu said). You'll need to ask your admin for privileges to the information_schema schema in the databsae:
You could probably use some combination of these too:
show grants to user [username]
with
show grants on schema [schema name]
The easiest way would be to have your app / script / service assume the same role as the user and see if you can select from a table in the schema or try to create a temporary table in the schema. If you receive an error code, the user doesn't have permissions!
I have created a new view named CONS_INTERRUPTED_DATA for the main user hfdora and the view has been created successfully. But when I am trying to create the same view for another user (cis) of the same database after giving all the privileges to the user (cis) I am getting the below error,
*oms_consumer
ERROR at line 13:
ORA-00942: table or view does not exist
Both the user hfdora and cis are the part of same database and this oms_consumer table is present at the database
I have granted the following privileges for the user cis before creating the view
grant select on energization_info to cis;
grant select on trigger_info to cis;
grant select on oms_source to cis;
grant select on oms_consumer to cis;
grant connect,resource,dba to cis;
My sql query to create the view,
>CREATE OR REPLACE VIEW CONS_INTERRUPTED_DATA AS
SELECT
trigger_info_A.b1 AS FDR_RMU_OFF_B1, trigger_info_A.b2 AS FDR_RMU_OFF_B2,
trigger_info_A.B3TEXT AS FDR_RMU_OFF_B3TEXT, trigger_info_A.elem AS FDR_RMU_OFF_ELEM,
trigger_info_B.b1 AS FDR_RMU_RESTORE_B1, trigger_info_B.b2 AS FDR_RMU_RESTORE_B2,
trigger_info_B.B3TEXT AS FDR_RMU_RESTORE_B3TEXT,
trigger_info_B.elem AS FDR_RMU_RESTORE_ELEM,
oms_consumer.consumer_code, energization_info.b1 AS AFFECTED_B1,
energization_info.b2 AS AFFECTED_B2, energization_info.b3text AS AFFECTED_B3TEXT,
to_char(energization_info.deenergized_date, 'DD-MM-YYYY Hh24:MI:SS') AS DEENERGIZED_DATE,
to_char(energization_info.energized_date, 'DD-MM-YYYY Hh24:MI:SS') AS ENERGIZED_DATE,
trigger_info_A.comments AS KEY
FROM
energization_info,
trigger_info trigger_info_A,
trigger_info trigger_info_B,
oms_consumer
WHERE
(energization_info.trigger_number = trigger_info_A.trigger_number)
AND (energization_info.ENERGIZED_TRIGGER_NUMBER = trigger_info_B.trigger_number)
AND (energization_info.b1 = oms_consumer.B1NAME
AND energization_info.b2 = oms_consumer.B2NAME
AND energization_info.b3 = oms_consumer.B3NAME)
WITH READ ONLY;
The first step in diagnosing a problem when creating a view is to try the select part on its own. In this case you would still get the ORA-00942 error, but the problem is now just a query and access issue and not to do with the view specifically.
When you get ORA-00942: table or view does not exist, it's because either:
The table or view name that you typed really doesn't exist.
Check the spelling - maybe there is a typo.
Are you connected to a database where it exists? Perhaps you are on a test system that doesn't have it.
Query dba_objects to see whether the table exists in another schema. (If you don't have privileges to query dba_objects, all_objects lists everything you have permission to view, which may be some help.)
It really does exist, but it's in another schema.
In that case, there are two possible issues:
You don't have permission to query it. The table's owner needs to grant read on xyz (substitute the actual table name for xyz) to either
you
public (if you want everyone to be able to see the data, not always advisable)
a role that you have (but roles aren't used by stored PL/SQL or views, though, so it's possible that you can query a table in another schema thanks to a role that you have, but still not be able to create a view or a procedure that uses it.)
You need to specify the schema. Say you want to query the REGIONS table in HR but you are connected as SCOTT. If you just select * from regions it will look for SCOTT.REGIONS, which doesn't exist. To fix that, do one of the following:
use hr.regions explicitly in your query.
in your schema, create or replace synonym regions for hr.regions;
Now whenever you refer to regions, the database will automatically redirect to hr.regions.
in any schema with permission to create public synonyms:
create or replace public synonym regions for hr.regions;
Now everyone connecting to the database will have any references to regions redirected to hr.regions, which isn't always a good idea, but it's one option anyway.
alter session set current_schema = hr;
Now the default schema for resolving names of objects is HR and not the one you logged into. For applications that always log in as a different user than the one that owns the tables, you can create an after logon trigger so this is always set. Then they can just refer to regions etc without needing to specify any schema and without any synonyms.
My issue has been resolved. :-)
I have made the following changes,
FROM
hfdora.energization_info,
hfdora.trigger_info trigger_info_A,
hfdora.trigger_info trigger_info_B,
hfdora.oms_consumer
Now the same view is created for the user cis.
I'm using the Oracle Database EX 11.2.0.2.0 and I hava a quite simple database created there.
Now the issue is i would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what are the difference between creating system-leveled and particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my databse is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is it any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. An other user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in de Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.
I'm trying to create a role to give a few users permission to create and alter views, procedures and tables.
I don't want these users to be able to select from/update/delete/alter etc. any table in the database, there are tables we want to keep control of - but they should have full permissions on any objects they create.
I've given the users permissions to create views etc. and that works fine, but they can't then select from views they then create. Is it possible to do this?
-- ADDED 25/july/2013
Example:
An example user Mike has specific permissions granted on a handful of tables. All Grant, no Deny.
No other database level permissions beyond "connect"
Plus is a member of public (not altered - no denys), plus 3 other roles we have set up
Role: Standard_Reader
Specific Select permissions on a number of tables. All Grant, no Deny.
No other database level permissions
Role: SensitiveDemographicsReader
Specific Select permissions on sensitive tables. All Grant, no Deny
Role: Analyst
No Specific securables
Database level permissions:
Create Function
Create Procedure
Create Table
Create View
This user can create a table or view, but once created, can't select from it.
Is it possible to set up SQL server so that whenever a user user creates a table or view they then have permissions to select from it (assuming they have permissions on underlying tables in view)
-- EDIT
After some investigation it has become apparent that for some reason in our database, ownership of objects is not acruing to their creators.
Found using this code
select so.name, su.name, so.crdate from sysobjects so join sysusers su on so.uid = su.uid
order by so.crdate
All owners, with a couple of exceptions are DBO.
I can't understand why ownership is not passing to the creators of objects. Any idea what could cause this?
Sounds like what you're using to deny them in the first place is overriding the default settings. Can you post more information on what permissions the users have?
Can't comment :(
I would comment but lack privileges; have you taken a look at MySQL table permissions? It's a rather good system.
you need to grant SELECT on the schema to user/group:
GRANT SELECT ON SCHEMA::dbo TO User/Group;
I am using the sql developer and so far I have a schema class ADMIN with all the tables inside it and another schema which is called TEST. I granted select on all tables for the user TEST in the SCHEMA TEST:
GRANT select on ADMIN.TABLE1 to TEST
The privilege is granted successfully, but when I connect as user TEST, I cannot see the table in the SQL Developer.
What do I have to do so this table shows up for the user TEST?
Both tables are located on the same tablespace but I think that this is irrelevant.
The table still exists in the ADMIN schema. Granting read access to TEST does not make it appear in the TEST schema. While logged in as TEST you will be able to query the table and if you navigate to the ADMIN schema you will see it there. If you really want to see it in the TEST schema you can create a SYNONYM.
If you are talking about the explorer view of the schema in SQL Developer, there should be an item called "Other Users" (maybe "Other Schemas", can't recall for sure), under which you can view objects in other schemas that your schema has access to.