Imagine the following situation: a database admin creates a new user. Let's call him user1. The admin grants privilege A to user1 with grant option.
GRANT A TO user1
WITH GRANT OPTION
Now user1 grants the mentioned privilege to user2:
GRANT A TO user2
WITH GRANT OPTION
Let's suppose that the admin revokes A from user1:
REVOKE A FROM user1
What happens to the permissions granted to user2? Are they still working? Are they deleted? Does the behavior depend on the platform, so that it may differ on Oracle, MS SQL, MySQL etc.? I know that you can specify such behavior by using the CASCADE keyword in MS SQL, but I've heard that other platforms delete child grants by default when the parent is revoked.
In SQL Server, revoking a permission from a principal who held that permission with grant option and who has granted that permission to other principals will fail with:
Msg 4611, Level 16, State 1, Line 16
To revoke or deny grantable privileges, specify the CASCADE option.
And to test this stuff on SQL Server, create users without logins, use EXECUTE AS to impersonate them, and test the behavior and their effective permissions.
-- set up a table and two loginless users (nothing here can be used to log in)
drop table if exists foo
create table foo(id int)
create user user1 without login
create user user2 without login
GRANT select on foo TO user1
WITH GRANT OPTION
-- impersonate user1: it can read foo and pass the permission on to user2
execute as user='user1'
select * from foo;
GRANT select on foo TO user2
WITH GRANT OPTION
revert
revoke select on foo to user1 --fails with Msg 4611 because user1 has re-granted the permission
go
revoke select on foo to user1 cascade --removes the permission from user1 and from user2
execute as user='user2'
select * from foo; --fails
revert
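As an added check that is not part of the answer above: before deciding whether a REVOKE needs CASCADE, a DBA usually wants to see the grant chain, i.e. who holds the permission, in which state, and who granted it. The query below reads the SQL Server catalog views for the dbo.foo table and the user1/user2 principals created by the test script; it assumes that script has been run in the current database.

```sql
-- Added example: audit the grant chain for dbo.foo. Assumes the table and the
-- users user1/user2 from the test script above exist in the current database.
SELECT
    OBJECT_NAME(p.major_id)   AS securable,
    p.permission_name,
    p.state_desc,             -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
    grantee.name              AS grantee,
    grantor.name              AS grantor
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee
    ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals  AS grantor
    ON grantor.principal_id = p.grantor_principal_id
WHERE p.class = 1             -- object or column permissions
  AND p.major_id = OBJECT_ID('dbo.foo')
ORDER BY grantor.name, grantee.name;

-- Every principal in the database that can pass a permission on. These are the
-- grants that will need CASCADE if they are ever revoked.
SELECT
    grantee.name              AS grantee,
    p.permission_name,
    p.class_desc,
    OBJECT_NAME(p.major_id)   AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee
    ON grantee.principal_id = p.grantee_principal_id
WHERE p.state = 'W';          -- W = GRANT_WITH_GRANT_OPTION
```

Running the first query between the two REVOKE statements of the test script shows user1 as grantor of user2's row, which is exactly the dependency that makes the plain REVOKE fail. The second query is the one to keep in a periodic review: WITH GRANT OPTION lets a principal extend access without involving the DBA, so the list should stay short and deliberate.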
I am trying to create a group that has the right to create databases and roles, and then inherit these privileges with the next role. But the error constantly pops up that I don't have rights.
Edited: (mistake between 'gg' and 'ggc', but it still doesn't work)
create role ggc with createdb createrole;
create user gg login password 'gg';
grant ggc to gg;
Always get this error: "SQL Error [42501]"
This way also doesn't work:
CREATE ROLE qwe WITH NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE ads WITH LOGIN PASSWORD 'pass';
GRANT qwe TO ads;
SET ROLE ads;
CREATE DATABASE test;
This behavior is normal and is actually documented here:
The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute. Continuing the above example, we might choose to grant CREATEDB and CREATEROLE to the admin role. Then a session connecting as role joe would not have these privileges immediately, only after doing SET ROLE admin.
You grant roles to users, not the other way round
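The quoted documentation in practice, as an added example that is not part of the question or the answer above: the role and user names are the ones from the question's second attempt, and the session is assumed to be connected as ads. CREATEDB lives on qwe and is not inherited by its members, so ads has to switch to qwe before creating the database.

```sql
-- Added example: the CREATEDB attribute is not inherited through membership,
-- so the member has to SET ROLE to the role that carries it.
CREATE ROLE qwe WITH NOLOGIN CREATEDB CREATEROLE;
CREATE ROLE ads WITH LOGIN PASSWORD 'pass';
GRANT qwe TO ads;

-- In a session connected as ads: show whether the current role carries CREATEDB
SELECT current_user, rolcreatedb
FROM   pg_roles
WHERE  rolname = current_user;

CREATE DATABASE test;      -- fails with SQLSTATE 42501, the error from the question

SET ROLE qwe;              -- switch to the role that actually has the attribute
SELECT current_user, rolcreatedb
FROM   pg_roles
WHERE  rolname = current_user;

CREATE DATABASE test;      -- succeeds; the database is owned by qwe
RESET ROLE;                -- back to ads for the rest of the session

-- Alternative if ads should create databases without switching roles:
-- put the attribute on the login role itself (run as a superuser or a
-- CREATEROLE holder). This widens what a stolen ads password can do, so the
-- SET ROLE pattern above is the tighter choice.
ALTER ROLE ads CREATEDB;
```

Checking pg_roles before and after SET ROLE is the quickest way to see which role a statement will run as; ordinary object privileges (SELECT, INSERT, ...) on tables do flow to members of a role, it is only the attributes listed in the quoted paragraph that require the explicit switch.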
After creating the role RL_WRITE, granting UPDATE on table user1.table1 to the role and granting the role to user2, I get an insufficient privileges error.
CREATE ROLE RL_WRITE;
GRANT UPDATE ON user1.table1 TO RL_WRITE;
GRANT RL_WRITE to user2;
Logged in as user2, when running the command:
update user1.table1 set datmov = to_date('18/10/21','dd/mm/yy');
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges
I don't understand what might be missing.
I found out what the problem was. User user2 already had the role RL_READ_ONLY, and I created RL_WRITE and then granted it to user2.
But user2 had been set with ALTER USER user2 DEFAULT ROLE RL_READ_ONLY, and so, even after having run GRANT UPDATE ON user1.table1 TO RL_WRITE for the role and granted this role to user2, the update command did not work.
SOLUTION
Only after running the command ALTER USER user2 DEFAULT ROLE ALL; was user2 able to run the update, insert and delete commands that the role RL_WRITE already had permission for.
GRANT SELECT, UPDATE ON user1.table1 TO RL_WRITE;
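An added set of checks, not part of the answer above, for diagnosing this kind of ORA-01031 before reaching for DEFAULT ROLE ALL: the first two queries need access to the DBA dictionary views, the third runs in user2's own session, and the user and role names are the ones from the question.

```sql
-- Added example: see which roles a user holds, which of them are default
-- roles, and which are actually active in the session. Assumes DBA access
-- for the dba_* views; the names come from the question.

-- 1. Roles granted to user2 and whether each one is enabled by default
SELECT grantee, granted_role, default_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'USER2';

-- 2. Object privileges that RL_WRITE carries
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'RL_WRITE';

-- 3. In user2's session: roles that are active right now. A role with
--    default_role = NO is missing here until it is enabled, which is why the
--    UPDATE raised ORA-01031 even though the grant itself was correct.
SELECT role FROM session_roles;

-- 4a. Session-scoped fix: enable the roles for this session only
--     (SET ROLE replaces the active set, so list every role that is needed)
SET ROLE RL_READ_ONLY, RL_WRITE;

-- 4b. Persistent fix from the answer: every granted role becomes default
ALTER USER user2 DEFAULT ROLE ALL;

-- 4c. Tighter alternative: name the intended roles instead of ALL, so a role
--     granted later for some narrower purpose does not silently become active
--     on every login
ALTER USER user2 DEFAULT ROLE RL_READ_ONLY, RL_WRITE;
```

Comparing the output of query 1 (default_role) with query 3 (session_roles) pins the problem down in one step: a role that appears in the first but not the second is granted but not enabled. Query 2 is worth re-running after any change, since the grant on the role is the only thing that should decide what user2 can update.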
I have a table table1 and I want to grant SELECT on table1 to the user user1.
I will use the query below to grant SELECT.
grant select on table1 to user1;
But on production I don't know what grants user1 already has on table1. So what will happen if user1 already has the SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER and INDEX grants on table1 and I execute only the SELECT grant?
The SELECT grant will be added, if it doesn't currently exist, to any existing grants for that user.
"If you grant a privilege to a user, then the database adds the privilege to the user's privilege domain."
See the following documentation for your version of the database (this one is 10g, but still applicable):
Applicable Oracle 10g documentation on grants
What will happen if user1 already has SELECT, INSERT, (...) grant on table1 and execute only SELECT grant.
Nothing will happen.
GRANT doesn't work as a switch (i.e. one GRANT turns a privilege on, another GRANT turns it off, yet another turns it on ... nope).
If you want to revoke a privilege, you'd do exactly that: REVOKE SELECT ON some_table FROM my_user;
Will it be "double-granted" (so that you'd have to revoke it twice)? Nope, it won't.
Therefore, if the user is already granted the SELECT privilege on that table, another grant is useless, but won't do any harm.
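An added example, not from either answer above, that lets you verify the "no double grant" behaviour on the production table instead of taking it on faith. It assumes table1 is owned by a schema called OWNER1 (a hypothetical name; substitute the real owner) and that the session can read the DBA dictionary views.

```sql
-- Added example: inspect what user1 holds on table1 before and after
-- re-granting SELECT. OWNER1 is a hypothetical schema name.

-- Before: whatever the production user already has, with who granted it
SELECT grantee, privilege, grantable, grantor
FROM   dba_tab_privs
WHERE  owner = 'OWNER1' AND table_name = 'TABLE1' AND grantee = 'USER1'
ORDER  BY privilege;

GRANT SELECT ON owner1.table1 TO user1;

-- After: the row count per (privilege, grantor) does not grow. Re-granting
-- SELECT from the same grantor is absorbed; the other privileges are untouched.
SELECT privilege, grantor, COUNT(*) AS rows_for_priv
FROM   dba_tab_privs
WHERE  owner = 'OWNER1' AND table_name = 'TABLE1' AND grantee = 'USER1'
GROUP  BY privilege, grantor
ORDER  BY privilege, grantor;

-- One REVOKE removes the SELECT row; INSERT, UPDATE, ... stay as they were
REVOKE SELECT ON owner1.table1 FROM user1;

SELECT privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'OWNER1' AND table_name = 'TABLE1' AND grantee = 'USER1'
ORDER  BY privilege;
```

The grantor column is the caveat to keep in mind: Oracle records object grants per grantor, so the same privilege received from two different grantors (each holding it WITH GRANT OPTION) shows up as two rows, and each grantor's REVOKE removes only its own row. Privileges arriving through a role are a separate path again and are not listed here for the user at all; check dba_role_privs for those.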
I'm attempting to create 4 different roles in Azure SQL database. The 4 role names are READ_ONLY_ACCESS, READ_UPDATE_ACCESS, READ_WRITE_UPDATE_ACCESS, FULL_ACCESS.
-READ_ACCESS - Grant Select
-READ_UPDATE_ACCESS - Grant Select, Update
-READ_WRITE_UPDATE_ACCESS - Grant select, Update, Insert
-FULL_ACCESS - Grant Select, Update, Insert, Delete
My goal is to create these 4 roles with these permissions, and then be able to create a user assigned to one of these roles. Example below of what I want to do after creating these roles:
CREATE USER username WITH PASSWORD = 'password';
ALTER ROLE READ_ACCESS ADD MEMBER username;
I've found a few sites that help with this, but I'm unclear as to whether or not I need to declare which permissions to deny as well as declaring the granted access.
First create the roles. Each grant is on the whole dbo schema, so it covers every table in that schema, including tables created later.
create role ApplicationUsers_ReadAccss;
grant select on schema::dbo to ApplicationUsers_ReadAccss;
create role ApplicationUsers_ReadUpdateAccss;
grant select, update on schema::dbo to ApplicationUsers_ReadUpdateAccss;
create role ApplicationUsers_ReadWriteUpdateAccss;
grant select, insert, update on schema::dbo to ApplicationUsers_ReadWriteUpdateAccss;
create role ApplicationUsers_FullAccess;
grant select, insert, update, delete, execute on schema::dbo to ApplicationUsers_FullAccess; --execute covers stored procedures and functions in dbo
After that create logins and add them to one of the roles.
--create a server-level Login (in Azure SQL Database this runs in master)
create login AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
--add a user mapped to that login in each database (run while connected to that database)
create user AppUser for login AppUser;
alter role ApplicationUsers_FullAccess add member AppUser;
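As an added check that is not part of the answer above, here is how to confirm what a member of one of these roles can actually do before handing the account out, and how DENY behaves relative to the role grants, which is the open question from the post. It assumes the roles from the answer exist in the current database; the test table and the loginless probe user are created and dropped by the script itself.

```sql
-- Added example: probe the effective permissions of a role member.
-- Assumes the ApplicationUsers_* roles from the answer exist.
CREATE TABLE dbo.orders (id int PRIMARY KEY, amount money);   -- constructed test table

-- A loginless user cannot connect, so it is safe to keep around for probing
CREATE USER ReadOnlyProbe WITHOUT LOGIN;
ALTER ROLE ApplicationUsers_ReadAccss ADD MEMBER ReadOnlyProbe;

EXECUTE AS USER = 'ReadOnlyProbe';

-- 1 = permitted, 0 = not. The schema-level grants flow down to dbo.orders.
SELECT
    HAS_PERMS_BY_NAME('dbo.orders', 'OBJECT', 'SELECT') AS can_select,
    HAS_PERMS_BY_NAME('dbo.orders', 'OBJECT', 'UPDATE') AS can_update,
    HAS_PERMS_BY_NAME('dbo.orders', 'OBJECT', 'DELETE') AS can_delete;

-- Everything this user effectively holds on the schema, from any source
SELECT entity_name, permission_name
FROM   sys.fn_my_permissions('dbo', 'SCHEMA')
ORDER  BY permission_name;

REVERT;

-- A DENY is only needed when the member may pick up extra permissions from
-- somewhere else (another role, public, a direct grant); it wins over every
-- GRANT the user has, so use it deliberately.
DENY DELETE ON SCHEMA::dbo TO ApplicationUsers_ReadAccss;

EXECUTE AS USER = 'ReadOnlyProbe';
SELECT HAS_PERMS_BY_NAME('dbo.orders', 'OBJECT', 'DELETE') AS can_delete_after_deny;
REVERT;

-- Clean up the probe objects
DROP USER ReadOnlyProbe;
DROP TABLE dbo.orders;
```

If the four roles are the only source of permissions for application users and the public role has nothing extra, a plain set of GRANTs is enough and no DENY is needed; the second fn_my_permissions query is the way to prove that, since it reports permissions from every path, not just the role you are looking at.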
Fast :
GRANT SELECT ON SYSTEM.* TO appadmin;
I want to grant AppAdmin SELECT rights on all tables of the database.
I'm using Oracle SQL; why does my statement not work?
Using the ANY keyword in reference to a system privilege means that the user can perform the privilege on any objects owned by any user except for SYS. By default, if you are granted a privilege, you cannot assign your privilege to others. You cannot grant or revoke that privilege to or from anyone else.
Sometimes you want to grant privileges to users and have them be able to grant those privileges to other users. When this is the case, we include the WITH ADMIN OPTION keyword in the GRANT command. When this keyword is used, it will allow the user granted the privilege to grant that privilege to other users.
Here is an example of the usage of the WITH ADMIN OPTION keyword.
GRANT SELECT ANY TABLE TO your_user;                    -- your_user cannot pass the privilege on
GRANT SELECT ANY TABLE TO your_user WITH ADMIN OPTION;  -- your_user can now grant it to others
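SELECT ANY TABLE satisfies "all tables of the database", but as the answer notes it reaches every schema except SYS, which is far more than an application administrator usually needs. The added example below, which is not from the answer above, grants SELECT only on the tables of a single application schema instead. It assumes the schema is called APP (a hypothetical name), that appadmin already exists, and that it is run either as APP itself or as a DBA who can grant on APP's objects.

```sql
-- Added example: schema-scoped alternative to SELECT ANY TABLE.
-- APP is a hypothetical schema name; appadmin is the grantee from the question.
BEGIN
  FOR t IN (SELECT owner, table_name
            FROM   all_tables
            WHERE  owner = 'APP')
  LOOP
    -- quote both identifiers so mixed-case table names are handled correctly
    EXECUTE IMMEDIATE
      'GRANT SELECT ON "' || t.owner || '"."' || t.table_name || '" TO appadmin';
  END LOOP;
END;
/

-- Verify: the object grants appadmin now holds, table by table
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'APPADMIN'
ORDER  BY owner, table_name;

-- And confirm no ANY-style system privilege is present on the account
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APPADMIN';
```

The trade-off is maintenance: tables created in APP after this runs get no grant until the block is run again (views and materialized views are not covered at all, since the loop reads all_tables only), which is why the grants are usually placed on a role and the block re-run from a deployment script. The second verification query is the one to schedule, because a stray SELECT ANY TABLE granted later would not show up in dba_tab_privs.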