Unable to Load data using IBM DB2 Load tool - sql

I am trying to Load a certain data set for a course but it keeps failing and mentions that I do not have the necessary authorization
Error for batch element #1: The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "HLZ16072". Operation: "CREATE TABLE". Object: "DB2INST1.SCHOOL".. SQLCODE=-551, SQLSTATE=42501, DRIVER=4.26.14
Number of occurrences: 1
The error changes to the table is absent when I use error schema, I understand I need to give access using DATAACCESS authority, but I still can't figure out how to give myself the required permissions to Load the CSV file.
Screenshot
The above is the result of :
SELECT GRANTEE, GRANTEETYPE, SECURITYADMAUTH, DATAACCESSAUTH FROM SYSCAT.DBAUTH WHERE 'Y' IN (SECURITYADMAUTH, DATAACCESSAUTH)

Seems, that your user HLZ16072 doesn't have a privilege to create tables in the DB2INST1 schema, and you can't get the information about the user who may grant you such an ability (RCAC on the system catalog tables?).
So, you should either find your database admin and ask him/her on such an ability to grant you the corresponding privileges, or try to understand, which schemas you are allowed to create your tables in. You should try to use the schema HLZ16072 instead of DB2INST1, which is likely the right schema for you. Or try to run the following select statement to find such schemas.
SELECT DISTINCT (P.OBJECTSCHEMA) AS SCHEMA
--P.PRIVILEGE, P.OBJECTTYPE, P.OBJECTSCHEMA, P.OBJECTNAME, U.AUTHID, U.AUTHIDTYPE
FROM SYSIBMADM.PRIVILEGES P
CROSS JOIN TABLE(VALUES 'HLZ16072') A (AUTHID)
JOIN TABLE
(
SELECT GROUP, 'G' FROM table(AUTH_LIST_GROUPS_FOR_AUTHID(A.AUTHID))
UNION ALL
select ROLENAME, 'R' from table(AUTH_LIST_ROLES_FOR_AUTHID(A.AUTHID, 'U'))
UNION ALL
SELECT * FROM TABLE(VALUES ('PUBLIC', 'G'), (A.AUTHID, 'U')) T (AUTHID, AUTHIDTYPE)
) U (AUTHID, AUTHIDTYPE) ON U.AUTHID=P.AUTHID AND U.AUTHIDTYPE=P.AUTHIDTYPE
WHERE P.PRIVILEGE='CREATEIN';

Related

Choosing table from the right owner in Oracle SQL

I am quite new to SQL, and my first "job" is to get something out of an Oracle SQL database.
Just to see what's actually found in my connection I use the following:
SELECT owner, table_name FROM dba_tables
This gives me a bunch of tuples with an owner name and table_name. However, some table names are the same for different owners.
So when I run a command like:
SELECT * FROM MyTableName
How do I ensure that this table is coming from owner1 and not owner2, where both of them actually have a table called MyTableName ?
You can do:
SELECT * FROM <owner>.MyTableName
You can specify exactly which table with
select * from some_owner.my_table;
If you do this:
select * from my_table;
You will be selecting from the version of MY_TABLE that belongs to the owner/user with which you you are connected to the database. So, if you connected as user SCOTT, then
select * from my_table;
effectively becomes
select * from scott.my_table;
Note that this behavior can be overridden by the use of synonyms. Suppose user SCOTT has a synonym like this:
create synonym scott.my_table for fred.my_table;
Then SCOTT issues
select * from my_table;
Then oracle will check first for a synonym, and finding it will effectively transform the query to
select * from fred.my_table;
So in the end, the precedence is this. When you reference a table without qualifying it with the owner, oracle will look for it in this sequence:
is there a user synonym by that name? if so, use what it references if the user has been granted necessary privileges.
is there a global synonym by that name? if so, use what it references if the user has been granted necessary privileges.
does the user itself own a table by that name? if so, use that table.
return error "ORA-00942: table or view does not exist"

sql select permission with conditions

Is it possible to grant select permission on sql table with some conditions.
For example grant select where table.id = < 50
supplemented: i am talking about ms sql
It's not possible directly.
Though to achieve this task, you can create a View initially with required conditions and then Grant select permission to that particular view.
For more details:
mysql GRANT + WHERE
Aer, you haven't said anything about DB engine (which one you are using: Oracle / MS SQL Server / MySQL etc.).
In Oracle for instance you are Granting / Revoking privileges to specific object, and there is no way to limit the output result (with out of the box GRANT statement).
In SQL Server you are able to grant row-level permissions for individual users with some additional effort: https://msdn.microsoft.com/en-us/library/bb669076(v=vs.110).aspx
Example:
CREATE SCHEMA Security
GO
CREATE FUNCTION Security.userAccessPredicate(#UserName sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS accessResult
WHERE #UserName = SUSER_SNAME()
GO
CREATE SECURITY POLICY Security.userAccessPolicy
ADD FILTER PREDICATE Security.userAccessPredicate(UserName) ON dbo.MyTable,
ADD BLOCK PREDICATE Security.userAccessPredicate(UserName) ON dbo.MyTable
GO
enter code here
CREATE VIEW vw_MyTable
AS
RETURN SELECT * FROM MyTable
WHERE UserName = SUSER_SNAME()
GO
In general from the concept perspective if you want to limit users to only certain amount of rows you should do the following:
The basic way would be :
Prevent users (or group) from accessing the base table.
Define a view on top of that table that shows only the rows these users are supposed to see.
Give users SELECT permission on the view.

How to find schema name in Oracle ? when you are connected in sql session using read only user

I am connected to a oracle database with a read only user and i used service name while Setting up connection in sql developer hence i dont know SID ( schema ).
How can i find out schema name which i am connected to ?
I am looking for this because i want to generate ER diagram and in that process at one step it asks to select schema. When i tried to select my user name , i dint get any tables as i guess all tables are mapped with schema user.
Edit: I got my answer partially by the below sql Frank provided in comment , it gave me owner name which is schema in my case. But I am not sure if it is generic solution applicable for all cases.
select owner, table_name from all_tables.
Edit: I think above sql is correct solution in all cases because schema is owner of all db objects. So either i get schema or owner both are same. Earlier my understanding about schema was not correct and i gone through another question and found schema is also a user.
Frank/a_horse_with_no_name Put this in answer so that i can accept it.
Call SYS_CONTEXT to get the current schema. From Ask Tom "How to get current schema:
select sys_context( 'userenv', 'current_schema' ) from dual;
To create a read-only user, you have to setup a different user than the one owning the tables you want to access.
If you just create the user and grant SELECT permission to the read-only user, you'll need to prepend the schema name to each table name. To avoid this, you have basically two options:
Set the current schema in your session:
ALTER SESSION SET CURRENT_SCHEMA=XYZ
Create synonyms for all tables:
CREATE SYNONYM READER_USER.TABLE1 FOR XYZ.TABLE1
So if you haven't been told the name of the owner schema, you basically have three options. The last one should always work:
Query the current schema setting:
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL
List your synonyms:
SELECT * FROM ALL_SYNONYMS WHERE OWNER = USER
Investigate all tables (with the exception of the some well-known standard schemas):
SELECT * FROM ALL_TABLES WHERE OWNER NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS');
How about the following 3 statements?
-- change to your schema
ALTER SESSION SET CURRENT_SCHEMA=yourSchemaName;
-- check current schema
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL;
-- generate drop table statements
SELECT 'drop table ', table_name, 'cascade constraints;' FROM ALL_TABLES WHERE OWNER = 'yourSchemaName';
COPY the RESULT and PASTE and RUN.

SELECT Access to SQL 2005 View with Restricted Access to Underlying Table

I have created a SQL userid, role, and schema in a SQL 2005 database. I have created a SQL View under this schema that selects from a table in the dbo schema. However, I don't want the SQL user to be able to select from this table.
For example:
CREATE VIEW [MySchema].[vwMyView]
AS
SELECT
*
FROM
dbo.MyTable
The user has access to the MySchema view and can query vwMyView with no problems. However, they can also SELECT from dbo.MyTable.
How do I restrict all access to dbo.MyTable? If I deny the SELECT permission on the dbo schema, the user cannot select from the view.
REVOKE select
ON tablename
FROM {user_name}
just revoking select doesn't in itself doesn't revoke other permissions.
Then do an explicit grant select on the view. Not sure if this will work as I have never tried it this way but worth a shot.

pl/sql - compare record counts across 2 user's tables

I have table 'stf_table' under the schema 'staff' with username 'staff'.
I have table 'emp_table' under the schema 'employee' with username 'employee'.
Both of these are under the same database SID/host/port but user 'staff' doesn't have privelege to query tables under schema 'employee' and vice versa (ie. user 'employee' doesn't have privelege to query tables under schema 'staff'). But each user can query the table under their own schema. Note: I cannot grant extra privileges and I don't want to have to dump both tables into a local schema.
Is it possible to write a PL/SQL proc or package that would do the following?
select count(*) from stf_table;
select count(*) from emp_table;
then output both counts to a file (ie a .txt or .dat not concerned) like so:
stf_table count: 47830
emp_table count: 36462
difference: 11368
counts match: FALSE
If you don't want to grant additional privileges to either user, you don't have many options.
You can create a procedure owned by a super user, say an account which has SELECT ANY TABLE, (but not SYS or SYSTEM) which does both counts and calculates the difference.
create function get_diff
return pls_integer
authid definer
as
c1 pls_integer;
c2 pls_integer;
begin
select count(*)
into c1
from staff.stf_table;
select count(*)
into c2
from employee.emp_table;
return abs(c1-c2);
end get_diff;
/
So the crucial thing here is the AUTHID DEFINER. That means the function runs with the permissions of the user who owns the function; because they have the neecssary permissions to query both tables that user can run the function, and so can any other user to whom they grant EXECUTE ON GET_DIFF.
That really is the minimum about of granting you can get away with.
NB: I haven't addressed the question of writing to a file, because I don't really think that's the thrust of your question. The main thing is permissions.
"Is there no way that the proc could connect as user 'staff' save the
count to a file. then connect as user 'employee' save the count to the
same file and compare?"
No. That's not the way the security model works.
STAFF's data is owned by STAFF and EMPLOYEE's data is owned by EMPLOYEE. By default, STAFF cannot see EMPLOYEE's data and vice versa. To change this situation you have two options:
Have STAFF grant SELECT on their table to EMPLOYEE and have EMPLOYEE grant SELECT on their table to STAFF.
Use an account which has privileges on both schemas' tables to do the work.
Obviously, there may well be data protection issues with the first approach. If that is your concern there are some refinements open to you:
Have each schema own a view which just selects a count of their records, and grant privileges on the views.
If you have Enterprise Edition 10gR2 or higher, you can use column-level VPD: grant select on the table put put a policy in place to hide all the sensitive data. Find out more.
Granting permissions is the correct thing to do however as you state this is not possible:
one solution could be to do it at the command line using scripts.
(the biggest drawback is the username & password would be embedded in the script for all to see, so make sure the scripts are appropriately secured)
first create 2 scripts:
a.sql:
set timing off
set feedback off
set pages 0
select count(*) from stf_table;
exit
b.sql:
set timing off
set feedback off
set pages 0
select count(*) from emp_table;
exit
now create a script file extract.bat to get the output:
#echo off
FOR /F "usebackq delims=!" %%i IN (`sqlplus -s username/password#db_a #a.sql`) DO set resulta=%%i
FOR /F "usebackq delims=!" %%i IN (`sqlplus -s username/password#db_b #b.sql`) DO set resultb=%%i
set /a diff=%resulta%-%resultb%
echo stf_table count %resulta%
echo emp_table count %resultb%
echo difference %diff%
IF %diff%=0 (
echo Counts match TRUE
) ELSE (
echo Counts match FALSE)
now simply execute extract.bat at the command prompt
APC is right in that you can't solve this problem easily without granting additional permissions. There might be a simpler way than what he is suggesting.
I would suggest creating a view and granting access to that view to the other schema.
In the STAFF schema you can create a view stf_table_count:
create or replace view stf_table_count
as
select count(*) as num_rows
from stf_count;
Then grant select on that view to the employee schema:
grant select on stf_table_count to employee;
Then from the employee schema you can find the result without getting the data
select num_rows from staff.stf_table_count
union all
select count(*) from emp_table;
You can also repeat this process to get the employee counts in the staff schema.
I'm not really an Oracle database security expert so your mileage may vary on this answer but I think it should work.