I have a problem understanding what exactly I am doing wrong. It is impossible to give access to another user via a role. Example:
System user:
create table testtable (id number);--Table TESTTABLE created
create role testrole;--Role TESTROLE created
grant insert on testtable to testrole;--Grant succeeded
grant testrole to hr;--Grant succeeded
Hr user:
insert into system.testtable values(1)
SQL Error: ORA-00942: table or view does not exist
00942. 00000 - "table or view does not exist"
TL;DR: It works, just reconnect the user hr.
The documentation says
"If you grant a role to a user, then the database makes the role available to the user. The user can immediately enable the role and exercise the privileges in the privilege domain of the role."
So your user hr needs to enable the role before being able to use it:
insert into a.testtable values(1);
ORA-00942: table or view does not exist
SELECT * FROM session_roles;
no rows selected
SET ROLE testrole;
Role set.
SELECT * FROM session_roles;
TESTROLE
insert into a.testtable values(1);
1 row created.
Roles are normally automatically enabled during log on, so you have to do the enabling only if hr has a session open while it gets the role granted. Standard procedure is to disconnect/reconnect the user if there are problems with new roles.
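An added example, not part of the original answer: a sequence that tells "role granted but not enabled in this session" apart from "role or privilege never granted". It uses the names from the question (HR, TESTROLE, SYSTEM.TESTTABLE) and is run as HR.

```sql
-- Added example. Names (HR, TESTROLE, SYSTEM.TESTTABLE) come from the question.
-- Run as HR in the session that receives ORA-00942.

-- 1. Is the role granted at all, and is it a default role?
--    DEFAULT_ROLE = 'YES' means it is enabled automatically at logon.
--    No row at all means the GRANT never reached this user.
SELECT granted_role, default_role
FROM   user_role_privs
WHERE  granted_role = 'TESTROLE';

-- 2. Is the role enabled in the current session?
--    A row in step 1 but none here: granted, not yet enabled.
SELECT role
FROM   session_roles
WHERE  role = 'TESTROLE';

-- 3. Does the role really carry the expected object privilege?
--    Expect one row: SYSTEM / TESTTABLE / INSERT.
SELECT owner, table_name, privilege
FROM   role_tab_privs
WHERE  role = 'TESTROLE';

-- 4. Enable the role without reconnecting.
--    SET ROLE testrole enables only the listed role and disables the
--    session's other roles; SET ROLE ALL enables every granted role
--    that is not password-protected.
SET ROLE ALL;

-- 5. Retry with the schema-qualified name, then undo the test row.
INSERT INTO system.testtable VALUES (1);
ROLLBACK;
```

If step 1 shows DEFAULT_ROLE = 'NO', reconnecting will not enable the role either; it then has to be enabled with SET ROLE in every session or made a default role by an administrator.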
Related
I've created what I think is a very standard user with access to a single role that can query a single table:
create user new_user;
alter user new_user set password = 'some_pw';
create role new_role;
alter user new_user set default_warehouse = 'compute_wh';
alter user new_user set default_role = 'new_role';
grant role new_role to user new_user;
grant usage on warehouse compute_wh to role new_role;
grant usage on schema my_schema to new_role;
grant usage on database my_db to role new_role;
grant select on my_db.my_schema.my_table to role new_role;
GRANT OPERATE ON WAREHOUSE COMPUTE_WH TO ROLE new_role;
However, when I set this user up in a SQL client (like DBeaver), I can't run any queries:
USE WAREHOUSE COMPUTE_WH; -- fails even here
USE DATABASE my_db;
SELECT * FROM my_db.my_schema.my_table;
SQL Error [2043] [02000]: SQL compilation error: Object does not
exist, or operation cannot be performed.
What extra permissions could I be missing?
USE WAREHOUSE COMPUTE_WH; -- fails even here
If the user has access to the warehouse but cannot use it, it may indicate it is suspended. I would add the operate privilege:
GRANT OPERATE ON WAREHOUSE COMPUTE_WH TO ROLE NEW_ROLE;
and check if auto-resume is on or explicitly start warehouse:
ALTER WAREHOUSE IF EXISTS COMPUTE_WH RESUME IF SUSPENDED;
USE WAREHOUSE COMPUTE_WH;
EDIT:
To check current role the following code could be used:
SELECT CURRENT_ROLE();
If the role is different than anticipated, it could be changed with:
USE ROLE NEW_ROLE;
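An added example, not part of the original answer: the checks above combined into one sequence to run in the failing client session, using the object names from the question. It separates a wrong session role from a missing grant or a suspended warehouse.

```sql
-- Added example. Names (NEW_USER, NEW_ROLE, COMPUTE_WH, MY_DB.MY_SCHEMA.MY_TABLE)
-- come from the question. Run as NEW_USER in the client that fails.

-- 1. Which context did the session actually get at login?
--    A CURRENT_ROLE() other than NEW_ROLE means the default role was not applied.
SELECT CURRENT_USER(), CURRENT_ROLE(), CURRENT_WAREHOUSE(), CURRENT_DATABASE();

-- 2. Which roles does the user hold?
SHOW GRANTS TO USER new_user;

-- 3. What can the role do? Expect USAGE on the warehouse, database and
--    schema, and SELECT on the table.
SHOW GRANTS TO ROLE new_role;

-- 4. Switch to the intended role, then look at the warehouse.
--    SHOW WAREHOUSES lists only warehouses the current role has a
--    privilege on, so an empty result points at a missing grant;
--    otherwise check the "state" and "auto_resume" columns.
USE ROLE new_role;
SHOW WAREHOUSES LIKE 'COMPUTE_WH';

-- 5. Retry the original statements under the intended role.
USE WAREHOUSE compute_wh;
USE DATABASE my_db;
SELECT * FROM my_db.my_schema.my_table LIMIT 1;
```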
In Apache Hive, I set the owner of a database to a role.
Users have been assigned this role.
The users cannot create table in this database.
Error is:
Principal (name=xx, type=USER) does not have following privileges for
operation CREATETABLE on object type database
How can I allow more than one user to have create table (as well as all other privileges) on a database?
A mistake was made during the definition of the owner.
The command should have been:
alter database mydb set owner role myrole
Instead of
alter database mydb set owner user myrole
I am trying to grant data access rights to a DB/2 database and its tables to a user. I have DB/2 10.5 installed on a CentOS 7 server.
I created a database, schema & table:
create database mydb1
connect to mydb1
create schema myschema
create table myschema.mytab1 (empid int, empname varchar(50))
grant connect, dataaccess on database to user osuser2
grant select,insert,update,delete on myschema.mytab1 to user osuser2
When I login as OS user: osuser2 and give the command: db2 select * from myschema.tab1, I get the error:
SQL5193N The current session user does not have usage privilege on any enabled workloads. SQLSTATE=425
What am I doing wrong?
This error is given in many questions such as SQL5193N The current session user does not have usage privilege on any enabled workloads
This error goes away and everything works if I use the command:
grant dbadm on database to user osuser2
Of course, by doing that, the user gets administrative rights and can create / drop tables.
I'm using Oracle 12c on my localhost. I wanted to create trigger for the tables.
It gives me an error:
"ORA-04089: cannot create triggers on objects owned by SYS"
I tried it by creating another user and granting it the right to create a trigger, as mentioned in this post.
But it gives me the same error.
Here is the script that created my user:
CREATE USER DEVELOPER
IDENTIFIED BY <password>
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 2 Roles for DEVELOPER
GRANT CONNECT TO DEVELOPER CONTAINER=ALL;
GRANT RESOURCE TO DEVELOPER CONTAINER=ALL;
ALTER USER DEVELOPER DEFAULT ROLE NONE;
-- 3 System Privileges for DEVELOPER
GRANT CREATE SESSION TO DEVELOPER;
GRANT CREATE TABLE TO DEVELOPER;
GRANT CREATE TRIGGER TO DEVELOPER;
-- 2 Tablespace Quotas for DEVELOPER
ALTER USER DEVELOPER QUOTA UNLIMITED ON SYSAUX;
ALTER USER DEVELOPER QUOTA UNLIMITED ON USERS;
I am trying to setup a new role for making the access rights granting easier. I was wondering if there is an easier way to give select on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran following queries for the same. But still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I log in as the mytest1 user and try to run a select on myschema.mytable, it asks me to grant usage on the schema to the user. After I grant usage on the schema to the user directly, it fails with permission denied for that table.
Please help with the same. I am running on vertica 5.0
Update:
I find that you also have to make that role default or explicitly set that role as default for the user session for the role to take effect.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my other question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0 - for page numbers)
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
"The user must also be granted access to the individual objects" means that you also need to GRANT on the table.
The two I use are GRANT SELECT and GRANT REFERENCES, which allow the user to run queries and join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).