I'm running a SAP HANA database in HDI container and created a corresponding HDI Container admin. I would like to be able to grant users (for support purpose) access not to the whole schema, but only to a few selected tables. How to do it? All examples I found online look like this - and grant access only to a whole schema
CREATE ROLE SCHEMA_NAME.ROLE_NAME NO GRANT TO CREATOR;
GRANT SELECT ON SCHEMA SCHEMA_NAME TO ROLE_NAME;
I know there is an option to use .hdbrole file during deployment, where also object privileges can be written up, but it seems I would have to run deployment each time whenever I need to create a new role. And I would like to create these roles right from the SQL console. Is it possible? And if yes, how to do it?
By running the CREATE ROLE and GRANT commands in the SQL console you create catalog/runtime roles.
These cannot be transported to any other container or DB but only live in this very instance of the database.
Now, that is usually not what you want to have when dealing with HDI containers or containerized applications in general.
Creating schema objects on the fly commonly leads to operational challenges (who has access to what, where, when, why, how?) and should rather be avoided.
But, sure, you can simply connect to the container with any user that has appropriate permissions and run those commands. That includes the usual GRANT SELECT on <table_name> TO <role>; it doesn't have to be the whole schema.
Related
I have only seen examples of SQL statements granting users access to one database in a Postgres cluster at a time. Is there a way to grant a non-superuser access to all databases and their tables including future databases that get created in the cluster?
Since PostgreSQL v14, this is fairly easy, and you can use the following SQL script:
-- exempt the user from row level security
ALTER ROLE seeall BYPASSRLS;
-- allow the user to read all data
GRANT read_all_data TO seeall;
If you want write access as well, there is also a predefined role pg_write_all_data.
This relies on the fact that by default, everybody has the CONNECT privilege on databases. Of course you also have to configure pg_hba.conf to allow access.
And in case you wonder: no, before v14 you have to grant access to all objects individually. Group roles help with that.
I am trying to provide DBAdmin privilege for a user on multiple databases.
I know how to do from on premises SQL database, I can directly map the user to required databases.
Can anyone let me know how to do it in Azure managed instance. Since the added user is external user, can,t see it in the Logins to map the user.
I have like 100 databases on which the user should have db admin right. Is there a easiest way to do that?
You can use an Azure Active Directory Login
eg
CREATE LOGIN [someuser#somecompany.onmicrosoft.com] FROM EXTERNAL PROVIDER
then create users mapped to this login in the appropriate databases, or make this login a sysadmin. Not sure if this shows up in SSMS, as it was added relatively recently. So you may have to create the users and grant them permissions in the target databases in TSQL, as per: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-aad-security-tutorial
I would like to create a user account in SQL Server 2012 with limited access, i.e., he should be only able to run queries and view data and nothing else. No backups, restores, user modifications should be allowed.
I tried looking at the built in server roles, but could not really understand it too well. The Server consists of some 7-8 different databases and we would like this user to have only querying access across all databases and nothing more. Would be great if somebody could guide me as to how to implement it.
Regards
Saurabh
Simple create role and grant access to needed objects with command GRANT. Example:
GRANT SELECT ON TABLE1 TO ROLE_ONLY_VIEW_FOR_EXAMPLE
Then you can assign this role to any user you want.
I have a database on SQL Server 2008 R2 that has two schemas, the default dbo and another one called Webapps, and both schemas are owned by dbo.
I created a view in the Webapps schema (Webapps.getInventory) that just does a simple select from dbo.Inventory. Then I created a user called Webuser that has SELECT permission to the Webapps schema.
Webuser can login and see the Webapps.getInventory view, but when it tries to select from it this error comes up:
The SELECT permission was denied on the object 'Inventory', database 'Database', schema 'dbo'.
I was thinking that since both schemas are owned by dbo, ownership chaining would allow the query to execute. The only way I seem to be able to get it to work is give Webuser permissions on dbo, or add it to the db_datareader role for the whole database. To me that seems to defeat the purpose of trying to separate things out into the Webapps schema if the user has to have read ability to everything else in the database.
So, am I overlooking something in my setup? Or is it correct that Webuser must have permission on both schemas in order for this view to work?
Eric I think you are "jumping" over a step in the ownership chain...
Have (another) look at this article: Ownership Chains Here is a snippet "Ownership chaining enables managing access to multiple objects, such as multiple tables, by setting permissions on one object, such as a view."
The chaining doesn't care that both schemas are owned by dbo, but rather that each login/user has appropriate permissions on object. So if you have a table owned by dbo that is included in a view where you have given select access to the webapps schema, then the users with access should have access to the table. The ownership chain isn't checked deeper than the fact that they can select against the view, no need to evaluate if they can select against the table.
So long story short, if you wrap the dbo.table in a view where webapps has select permissions then you should be good.
Hope that helps...
Another reason that cross-schema ownership chaining may break is if the schema owners were recently changed, e.g. setting them to the same owner specifically in order to use ownership chaining. You may need to drop and recreate the views (and add the permissions back) before it will work.
SQL Server caches various properties of views, and I saw a case where this caching appeared to be causing SQL Server to not realize that an object accessed by the view actually did have the same owner at that point. It gave a "permission denied" error on the object accessed by the view. Dropping and recreating the view fixed the problem. Rebooting the database server might have also fixed it, but that was not an option at the time.
SQL Server also allows individual objects to have specific owners different from the schema owner, and I confirmed that neither the view nor the accessed object had a separate owner set. I saw this in SQL Server 2012. Not sure if it's been fixed in newer versions.
I am new to schema, roles and user management part in sql server. Till now I used to work with simple dbo schema but now after reading few articles I am intrested in creating schema for managing my tables in a folder fashion.
At present, I want to create a schema where i want to keep my tables that have same kind of functionality. When I tries to create a schema then I faces a problem while using query, permissions etc.
First of all i want to get used to of using schemas then only I want to explore it. But due to initial stages and work pressure as well i m not able to implement it yet.
What can i do to start using schema with default permissions as that of dbo.
Also let me know about creating roles and assigning roles on these schema. I want all this to be accessible by sa user itself at present.
What is the concept behind all these things
Basically
The schema has an owner
Objects in different schemas can access each other with no extra permissions if they have the same owner
Please see my question here: "SQL Server: How to permission schemas?" and RBarryYoung's enlightening answer...