User with no privileges can alter table in oracle - sql

I'm trying to do a test to prove the privileges of the users. I have one user with just one privilege (execute programs) but when I try this, this user can alter table:
SHOW USER;
CONNECT USER1/USER1;
CREATE TABLE TEST_TABLE (colum int); -- Insufficient privileges
SHOW USER;
ALTER TABLE TABLE_TESTING ADD TESTING varchar(255);
So, I'm getting insufficient privileges on create table, but when I do ALTER TABLE the user can do it, and I don't know why because I select only the privilege of execute programs.

This is how I see it: follow the example.
As a privileged user (SYS in my XE database), I'll create user and grant only two privileges: create session (so that user could connect to the database) and create table (so that it can create tables):
SQL> show user
USER is "SYS"
SQL>
SQL> create user timer identified by timer
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create table to timer;
Grant succeeded.
Connecting as newly created user and creating a simple table:
SQL> connect timer/timer
Connected.
SQL> create table test (id number);
Table created.
Back to SYS: this time, revoking create table privilege:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> revoke create table from timer;
Revoke succeeded.
Back to timer: creating table won't succeed (as I don't have that privilege any more):
SQL> connect timer/timer
Connected.
SQL> create table test_table (colum int);
create table test_table (colum int)
*
ERROR at line 1:
ORA-01031: insufficient privileges
But, I can still alter previously created tables. Why? Because I own them and I can do whatever I want with them:
SQL> alter table test add testing varchar2(20);
Table altered.
I suggest you talk to your DBA to see what's really going on.
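The ownership effect shown in this answer can be checked from a DBA session. The queries below are an added example, not part of the original answer; they assume access to the DBA_* dictionary views and reuse the TIMER user from the transcript.

```sql
-- Added example: run as a DBA. 'TIMER' is the user from the transcript above
-- (unquoted Oracle user names are stored in upper case).

-- 1) System privileges held directly or through granted roles (nested roles included).
SELECT DISTINCT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'TIMER'
   OR  grantee IN (SELECT granted_role
                   FROM   dba_role_privs
                   START WITH grantee = 'TIMER'
                   CONNECT BY PRIOR granted_role = grantee);

-- 2) Objects the user owns. The owner can ALTER and DROP these regardless of
--    what query 1 returns; LAST_DDL_TIME shows when that last happened.
SELECT object_type, object_name, created, last_ddl_time
FROM   dba_objects
WHERE  owner = 'TIMER'
ORDER  BY object_type, object_name;

-- 3) Object privileges the user holds on other schemas' objects.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'TIMER';

-- 4) Schemas that own tables without a direct CREATE TABLE grant,
--    i.e. the situation left behind by REVOKE CREATE TABLE in the transcript.
--    Only direct grants are checked here; combine with query 1 for role grants.
SELECT t.owner, COUNT(*) AS owned_tables
FROM   dba_tables t
WHERE  NOT EXISTS (SELECT 1
                   FROM   dba_sys_privs p
                   WHERE  p.grantee = t.owner
                   AND    p.privilege IN ('CREATE TABLE', 'CREATE ANY TABLE'))
GROUP  BY t.owner
ORDER  BY t.owner;
```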

That might be because the user has the rights to execute which means he's able to alter tables by executing code, but he is not allowed to create new tables explicitly. See: https://docs.oracle.com/cd/B19306_01/network.102/b14266/authoriz.htm#DBSEG5000

Related

How to grant stored procedure creation permission to an user in PostgreSQL

I need to grant permission to a specific user to create stored procedures in PostgreSQL without writing permissions to other tables. The stored procedure should read and write only in one table.
I've already set up the read permission to that table, but I'm struggling with the writing permissions.
GRANT CONNECT ON DATABASE production_database TO user;
GRANT USAGE ON SCHEMA public TO user;
GRANT SELECT ON table TO user;
If you want to write a procedure in PL/PGSQL you need to use PostgreSQL 11 or 12.
In PostgreSQL there is no explicit privilege to create a procedure or a function.
However you can try:
to create a specific schema just for the procedure
to grant USAGE to this schema only to the specific user
to create the procedure with SECURITY DEFINER as the table owner
Example:
create user myuser password 'myuser';
--
create table public.t(x int);
--
create schema myschema;
--
create or replace procedure myschema.myproc(param int)
language plpgsql
as
$$
declare
v int;
begin
insert into public.t values(param);
end;
$$
security definer
set search_path='';
--
grant usage on schema myschema to myuser;
Here the table owner is superuser postgres and the table schema is public:
With this script:
\c postgres myuser
select * from t;
call myschema.myproc(1);
\c postgres postgres
select * from t;
I get:
You are now connected to database "postgres" as user "myuser".
select * from t;
psql:cp.sql:25: ERROR: permission denied for table t
call myschema.myproc(1);
CALL
You are now connected to database "postgres" as user "postgres".
select * from t;
x
---
1
(1 row)
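A catalog check for the pattern used in this answer, as an added example that is not part of the original answer: it lists every SECURITY DEFINER routine, whether its search_path is pinned, and whether PUBLIC can execute it. The final two statements assume the myschema.myproc procedure and myuser role from the answer.

```sql
-- Added example: audit SECURITY DEFINER routines in the current database.
SELECT n.nspname                    AS schema,
       p.proname                    AS routine,
       pg_get_userbyid(p.proowner)  AS runs_as,
       -- true when no "SET search_path = ..." is attached to the routine
       NOT EXISTS (SELECT 1
                   FROM   unnest(p.proconfig) AS c
                   WHERE  c LIKE 'search_path=%')              AS search_path_unpinned,
       -- EXECUTE is granted to PUBLIC by default when a routine is created
       has_function_privilege('public'::name, p.oid, 'EXECUTE') AS public_can_execute,
       -- PUBLIC also needs USAGE on the schema to reach the routine
       has_schema_privilege('public'::name, n.oid, 'USAGE')     AS public_can_use_schema
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
AND    n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2;

-- For the procedure in the answer: replace the default PUBLIC execute right
-- with an explicit grant, so access does not depend on schema USAGE alone.
REVOKE EXECUTE ON PROCEDURE myschema.myproc(int) FROM PUBLIC;
GRANT  EXECUTE ON PROCEDURE myschema.myproc(int) TO myuser;
```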

How to access another user's table in sql developer database?

BBMA.SALES_BKP TABLE IS THERE IN BBMP SCHEMA(user)
I WANT TO ACCESS "SALES_BKP TABLE" through DUMMY(its different user)
Here's how.
SQL> create user dummy identified by dummy
2 default tablespace user_data
3 temporary tablespace temp
4 quota unlimited on user_data;
User created.
SQL> grant create session, create table to dummy;
Grant succeeded.
SQL> create user bbma identified by bbma
2 default tablespace user_data
3 temporary tablespace temp
4 quota unlimited on user_data;
User created.
SQL> grant create session to bbma;
Grant succeeded.
Now, create table and let another user select from it.
SQL> connect dummy/dummy@orcl
Connected.
SQL> create table sales_bkp(id number, value number);
Table created.
SQL> insert into sales_bkp values (1, 100);
1 row created.
SQL> grant select on sales_bkp to bbma; --> this
Grant succeeded.
SQL> connect bbma/bbma@orcl
Connected.
SQL> select * from dummy.sales_bkp; --> note owner name
ID VALUE
---------- ----------
1 100
SQL>

Create roles-tree for Postgre database with cascade privileges

How can I create correct roles-tree for postgresql database for users which can do this:
read only (select) data (A)
A + modify (insert, delete, update) data (B)
B + create tables (C)
C + create tables and also all special privileges (D)
I checked documentation about roles and default privileges, but nothing helps me understand how Postgres works with roles. My actual script for creating sample roles:
create database daba;
create role "ra" nologin noinherit; -- default read only role
grant connect on database "daba" to "ra";
grant usage on schema public to "ra" with grant option;
grant select on all tables in schema public to "ra" with grant option;
-- ignore sequences and functions now
create role "rb" nologin inherit;
grant "ra" to "rb"; -- grant connect, grant select
grant insert, update, delete on all tables in schema public to "rb" with grant option;
create role "rc" nologin inherit;
grant "rb" to "rc";
grant all privileges on schema public to "rc" with grant option;
grant all privileges on all tables in schema public to "rc" with grant option;
create role "rd" nologin inherit;
grant "rc" to "rd";
grant "postgres" to "rd";
-- default privileges for new created tables
-- only "rc" and "rd" can create table, "ra" can read it
alter default privileges for role "rc", "rd" in schema public grant select on tables to "ra" with grant option;
-- "rb" and higher can insert, update or delete also
alter default privileges for role "rc", "rd" in schema public grant insert, update, delete on tables to "rb" with grant option;
-- roles done, create users
create role "ua" login encrypted password 'ua' in role "ra";
create role "ub" login encrypted password 'ub' in role "rb";
create role "uc" login encrypted password 'uc' in role "rc";
create role "ud" login encrypted password 'ud' in role "rd";
OK, roles and users are created, now test with errors on lines:
-- connect as "ud"
create table ud_a (a numeric); -- OK
insert into ud_a values (1); -- OK
select * from ud_a; -- OK -- 1 row
-- connect as "uc"
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
-- As user "uc" I cannot insert value, or drop table
insert into ud_a values (2); -- **SQL Error [42501]: ERROR: permission denied for relation ud_a**
drop table ud_a; -- **SQL Error [42501]: ERROR: must be owner of relation ud_a**
-- But I can create new table! As "uc":
create table uc_a (a numeric); -- OK
insert into uc_a values (2); -- OK
-- After this, when I connect as a more powerful user - "ud"
-- I cannot even read from this table even though my user "ud" is created under role "rd" with "grant 'rc' to 'rd'":
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
-- Connect as "ua" for read only return also errors for selects:
select * from ud_a; -- SQL Error [42501]: ERROR: permission denied for relation ud_a
select * from uc_a; -- SQL Error [42501]: ERROR: permission denied for relation uc_a
Cleaning:
-- as "postgres":
drop owned by "ud"; drop owned by "uc"; drop owned by "ub"; drop owned by "ua";
drop role "ud"; drop role "uc"; drop role "ub"; drop role "ua";
drop owned by "rd"; drop owned by "rc"; drop owned by "rb"; drop owned by "ra";
drop role "rd"; drop role "rc"; drop role "rb"; drop role "ra";
drop database daba;
I need to create role structure where user A can select all tables created by user C or D and all users inherit from previous level (so everything which can select user A can select also user B, C and D) and also role D which can drop table created by user under role C and so on...
Can you help me with this?
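Why the test in this question fails, as an added example that is not part of the original post: ALTER DEFAULT PRIVILEGES FOR ROLE applies only to objects created by the named role itself, and tables created in a session logged in as "uc" or "ud" are owned by those users, not by "rc" or "rd". Role and user names come from the question's script; the table name shared_a is hypothetical.

```sql
-- Added example. Run the two checks as "postgres" after the question's test.

-- 1) Default privileges are keyed on the creating role: only "rc" and "rd" appear.
SELECT defaclrole::regrole           AS creating_role,
       defaclnamespace::regnamespace AS schema,
       defaclobjtype,
       defaclacl
FROM   pg_default_acl;

-- 2) The test tables are owned by "ud" and "uc", so the defaults above never fired
--    and nobody but the owner was granted anything.
SELECT schemaname, tablename, tableowner
FROM   pg_tables
WHERE  schemaname = 'public';

-- 3) One way to get the intended tree: members of "rc" (including "ud" via "rd")
--    create tables as the group role, so "rc" is the owner and its defaults apply.
--    Connected as "uc" or "ud":
SET ROLE "rc";
CREATE TABLE public.shared_a (a numeric);   -- hypothetical table
RESET ROLE;

-- Result: "ra" members can SELECT, "rb" members can also INSERT/UPDATE/DELETE,
-- and "uc"/"ud" inherit ownership through "rc", so either can DROP the table.
SELECT grantee, privilege_type
FROM   information_schema.table_privileges
WHERE  table_schema = 'public' AND table_name = 'shared_a'
ORDER  BY grantee, privilege_type;

-- Alternative that keeps per-user ownership (it does not let "ud" drop tables
-- owned by "uc"): register the defaults for the login roles that create tables.
-- ALTER DEFAULT PRIVILEGES FOR ROLE "uc", "ud" IN SCHEMA public
--   GRANT SELECT ON TABLES TO "ra";
```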

Unable to grant any privileges to user in oracle 11gR2 except create session

I am using oracle database 11g Release 2
I am able to create user and give it create session privileges, but I am unable to give it select privilege.
create user user1 identified by pass;
User created.
grant create session to user1;
Grant succeeded.
grant select on emp to user1;
Grant succeeded.
After this I connect as user1
Now when I run this statement it says
select * from emp;
oracle reply=
ERROR at line 1:
ORA-00942: table or view does not exist
Then I checked privileges to user1 using
select * from session_privs;
PRIVILEGE
---------------------------------
CREATE SESSION
Which means only create session privilege is available to user1. How can I give select privileges to user1?
Giving a user the SELECT privilege (or any other privilege for that matter) does not create a synonym. As user1, who is not the table's owner, you should still reference the table by its fully qualified name, with the owner.
Assuming the owner is called owner1, user1's query should be:
SELECT * FROM owner1.emp
As for the data dictionary query, this is also to be expected. These privileges are recorded in the [DBA|ALL|USER]_TAB_PRIVS views:
SELECT * FROM all_tab_privs WHERE grantee = 'USER1'

grant create view on Oracle 11g

I use SQL*Plus for school and I use the username Scott. I cannot create views because it says:
ORA-01031: insufficient privileges;
I've searched and searched, but nothing seems to get it right. Any help?
As the error states - your privileges are insufficient to create view - you will have to ask database administrator to grant you this privilege.
If you can log in as database administrator you will have to execute the statement (I can't guarantee correctness, no Oracle database at hand)
GRANT CREATE ANY VIEW TO Scott;
or
GRANT CREATE VIEW TO Scott;
You need to GRANT the CREATE VIEW privilege to the USER which is creating the view.
For example, I create a new user to let it create a session, a table and a view:
SQL> create user test identified by test;
User created.
SQL> grant create session, create table, create view to test;
Grant succeeded.
SQL> conn test/test@pdborcl;
Connected.
SQL> Create Table advanced
2 (Id varchar(15),
3 Name varchar(20),
4 Dept varchar(15),
5 Cgpa float,
6 Birth_date date,
7 Mob_no int,
8 Dist varchar(20),
9 Salary number(8));
Table created.
SQL> Create View advanced_data as
2 (
3 select name,dept,dist,salary from advanced
4 );
View created.
If I revoke the privilege, you will receive ORA-01031: insufficient privileges:
SQL> revoke create view from test;
Revoke succeeded.
SQL> conn test/test@pdborcl;
Connected.
SQL> Create or replace View advanced_data as
2 (
3 select name,dept,dist,salary from advanced
4 );
Create or replace View advanced_data as
*
ERROR at line 1:
ORA-01031: insufficient privileges
step 1-conn ss/ss as sysdba;
step 2- GRANT CREATE ANY VIEW TO Scott;
step 3- conn scott/tiger
step 4-create or replace view v as select *from emp;
To log-in as DBA (database administrator) you can use:
sqlplus / as sysdba
or
sqlplus sys as sysdba