I have created a view in Database A that looks at tables in Database B that the users in Database A do not have access to (HR Data).
Is there a way I can grant anybody calling the view in Database A permissions to see the results, without giving access to the underlying tables?
Both databases are on the same instance, SQL Server 2019
You can just
GRANT SELECT ON OBJECT::[schema].[theView] TO User1,User2
in your Database A? This way you'd just give SELECT permissions to the view itself, and not the tables.
If you have a lot of cases like this, you can also consider creating a special schema for this and do:
GRANT select ON Schema :: [DBO] TO User1
instead.
Related
I have administrative problem on my database.
I need to give permission to other schema to my View. My View have data from one table and view. This Second view is using private database link.
How can i grant select on that View, to other schema and in the same time grant view that is using database link?
While trying making simple
grant select on myView to otherSchema;
i have error ORA-02021: DDL operations are not allowed on a remote database
DDL operations of any kind, such as grants, are not allowed to be executed through a database link. You need to connect to the remote database where the source objects are located, and grant select on them to the user/schema who connects by dblink. As you don't provide any code, consider the option that you might need to use grant select on xxxx with grant option.
I’m pulling data from mysql ec2 instances, to s3 buckets, then creating views in redshift. I want to create database users who can only query and see certain views created specifically for them in Redshift. I have example code below that I use to create the user, view, and grant access. The issue I have is that I also have to grant access to the underlying schema the view is created from, which means the user can see and query tables in that schema. Also the user can see other schemas in the database, even ones they can’t query. Is there a way to only grant users to specific views, and make it so they can’t see other schemas they don’t have access to?
Code:
--create schema
create schema tst_user_schema;
--create view in schema
create view tst_user_schema.inventory_report_customer as (
select * from user341.inventory_report_customer
)
with no schema binding;
--creating user
CREATE USER tstuser PASSWORD 'tstPassword';
--grant access
GRANT USAGE ON SCHEMA tst_user_schema TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA tst_user_schema TO tstuser;
--grant access
GRANT USAGE ON SCHEMA user341 TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA user341 TO tstuser;
--grant access
GRANT USAGE ON SCHEMA tst_user_schema TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA tst_user_schema TO tstuser;
to recap:
schema user341 - contains source tables, user should not be able to select from tables in this schema. You also want to hide it form the user
tst_user_schema - contains views user is supposed to be able to select from.
Looking at your GRANT statements, you're granting user unnecessarily SELECT permission on ALL TABLES IN SCHEMA user341. For views to work you only need to GRANT USAGE on that schema.
So REVOKE those permissions, and user should not be able to select.
REVOKE SELECT ON ALL TABLES IN SCHEMA user341 FROM tstuser;
Tip: to easily test permissions, you can start a session as tstuser using SET SESSION AUTHORIZATION directive and then test which statements are allowed and which not.
SET SESSION AUTHORIZATION tstuser
Regarding schema visibility - unfortunately there's no way to hide or forbid user from seening all tables and columns in all schemas. One can only restrict access to data.
I have access to a schema (my_schema) on a read-only database, and on that database there's another schema that contains the data I need. I can connect directly to my_schema and query other_schema.table_name without a problem.
I have another database on another_server and I would like to access other_schema.table_name via a database link.
I can create a dblink (db_link) from my local DB (another_server) to my_schema, but I don't know how to refer to objects in other_schema if it's even possible.
Ideally I could create a view in my_schema that hides the owner of the table: create view table_name_v as select * from other_schema.table_name. Unfortunately, the DBA tells me it's a read-only database and they can't create views or even synonyms over there.
Is it at all possible for me to access the other_schema.table_name across the DB link? Something like this:
sqlplus> select * from other_schema.table_name#db_link;
I have a scenario where I need to allow a user in one database access to objects in another database on the SAME SQL server.
SQL SERVER SETUP:
I have an SQL Server 2008 Express instance running.
Within that instance I have the following :
2 databases :
DATABASE1
DATABASE2
2 logins :
ADMIN1
ADMIN2
DATABASE1 has a user (USER1) created on ADMIN1 and has permissions on SELECT, UPDATE, DELETE, INSERT and GRANT EXECUTE on stored procedures in DATABASE1
DATABASE2 has a user (USER2) created on ADMIN2 and has permissions on SELECT, UPDATE, DELETE, INSERT and GRANT EXECUTE on stored procedures in DATABASE2
QUESTION :
What I require is to allow 'USER1' SELECT/EXECUTE permission to tables and stored procedures in DATABASE2
I have tried a few snippets of SQL from a few posts but I have no idea how to write the SQL.
I also tried doing it manually in the way of ticking checkboxes for permissions by right clicking the user and logins in Management Studio but
I need SQL to execute in my scripts.
THE REASON FOR MY QUESTION
I have tables in DATABASE1 and DATABASE2 which are related but obviously we cant create Foreign Key constraints across different databases.
The best way we have thought to handle the relationship between the 2 tables is to create a stored procedure in DATABASE1 to query the
relevant table in DATABASE2 and return a result.
Apologies for not being able to post any examples as I cannot find any examples out there through my searches which match the scenario I have described above.
If I can give any further information please let me know.
Many thanks
Kev
As long as your user is defined at the instance level, you can grant them whatever rights they need in each database. Create your users under the master, and then add them as users of each database granting them whatever rights are needed per the specific DB.
EDITED with more detail (based on comments):
First, you need to create a Database Login. This is a login that can then be added as a user to one or more databases on your instance.
Details Here (including SQL syntax): http://technet.microsoft.com/en-us/library/ms189751.aspx
Second, you need to provision the user in the database (Database1, Database2, etc...). You will want to have these users added identically to each of these product databases that gets installed. As long as the user is there, you will be able to query across the various DBs on your instance.
Details Here (Including SQL): http://technet.microsoft.com/en-us/library/aa337545.aspx
Good Luck!
I want to execute a query that selects data from a different schema than the one specified in the DB connection (same Oracle server, same database, different schema)
I have an python app talking to an Oracle server. It opens a connection to database (server/schema) A, and executes select queries to tables inside that database.
I've tried the following :
select ....
from pct.pi_int, pct.pi_ma, pct.pi_es
where ...
But I get:
ORA-00942: table or view does not exist
I've also tried surrounding the schema name with brackets:
from [PCT].pi_int, [PCT].pi_ma, [PCAT].pi_es
I get:
ORA-00903: invalid table name
The queries are executed using the cx_Oracle python module from inside a Django app.
Can this be done or should I make a new db connection?
Does the user that you are using to connect to the database (user A in this example) have SELECT access on the objects in the PCT schema? Assuming that A does not have this access, you would get the "table or view does not exist" error.
Most likely, you need your DBA to grant user A access to whatever tables in the PCT schema that you need. Something like
GRANT SELECT ON pct.pi_int
TO a;
Once that is done, you should be able to refer to the objects in the PCT schema using the syntax pct.pi_int as you demonstrated initially in your question. The bracket syntax approach will not work.
In addition to grants, you can try creating synonyms. It will avoid the need for specifying the table owner schema every time.
From the connecting schema:
CREATE SYNONYM pi_int FOR pct.pi_int;
Then you can query pi_int as:
SELECT * FROM pi_int;
Depending on the schema/account you are using to connect to the database, I would suspect you are missing a grant to the account you are using to connect to the database.
Connect as PCT account in the database, then grant the account you are using select access for the table.
grant select on pi_int to Account_used_to_connect