How does Oracle grant work? - sql

As I understand it, in Oracle one schema belongs to only one user, and if you (the grantor) grant privileges to another user (the grantee) to access that schema, that schema is copied to the grantee's schema, while MySQL just provides access to the database without copying anything.
E.g., if user1 owns schema1 and you grant user2 privileges to access schema1, will the tables in schema1 be copied to user2's schema (say, schema2)? How does that work behind the scenes?
And, if I grant only SELECT privileges to user2 on user1.table1, will table1 be copied to the schema of user2? Or does user2 only get access to table1, while table1 stays in schema1?
GRANT SELECT ON user1.table1 TO user2;
Please help me understand how Oracle grant privileges work. Thank you.

that schema is copied to the grantee's schema
That's completely wrong.
The grantee only gets the privilege to access the tables in the other schema. To access the table the grantee needs to prefix the table reference with the grantor's schema:
e.g. user2 needs to run:
select *
from user1.table1;
Nothing is copied; the query directly accesses the table in the other schema.
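The answer above can be checked from the data dictionary. The following is an added example, not code from the question or the answer: it grants the single table with the least privilege needed, reads it as the grantee with a schema-qualified name, and then shows through ALL_OBJECTS and USER_TAB_PRIVS that the table still has exactly one owner. The names USER1, USER2 and TABLE1 are the question's; the optional private synonym assumes USER2 holds the CREATE SYNONYM system privilege.

```sql
-- Added example (not the original poster's or answerer's code).
-- Run the first statement as USER1, the rest as USER2.

-- as USER1 (the grantor): object privilege on one table only
GRANT SELECT ON user1.table1 TO user2;

-- as USER2 (the grantee): the reference must carry the owner's schema
SELECT COUNT(*) FROM user1.table1;

-- Optional: a private synonym removes the prefix without copying any data
-- (assumes USER2 has the CREATE SYNONYM system privilege).
CREATE SYNONYM table1 FOR user1.table1;
SELECT COUNT(*) FROM table1;   -- resolves to USER1.TABLE1 through the synonym

-- Ownership check: ALL_OBJECTS lists every object USER2 can see.
-- The table shows up once, with OWNER = 'USER1'; the only object named
-- TABLE1 owned by USER2 is the synonym created above.
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE object_name = 'TABLE1';

-- What was actually granted: one row per (grantee, privilege).
-- GRANTABLE = 'NO' means USER2 cannot pass the privilege on to anyone else.
SELECT grantor, grantee, table_name, privilege, grantable
  FROM user_tab_privs
 WHERE table_name = 'TABLE1';
```

The second dictionary query is also the one a reviewer runs to audit what a schema has handed out: if it lists more privileges or more grantees than the application needs, the surplus is revoked with REVOKE, and the table itself is never moved.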

Related

Permission denied for materialized view base schema

I get this error when I'm selecting from an mview I created.
select * from mview_age_stats
The mview definition references an external schema, "ext". I tried everything I could find online and gave permission at the schema, table and every other level:
ALTER DEFAULT PRIVILEGES IN SCHEMA ext GRANT SELECT ON TABLES TO my_user;
GRANT USAGE ON SCHEMA ext to my_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA ext TO my_user;
GRANT SELECT ON ALL TABLES IN SCHEMA ext TO my_user;
my_user is also in a couple of different groups; I gave the same permissions to each group and also more, like this:
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_only_group;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_write_only;
None of these worked. However, what I noticed is that I have a statement in my mview definition for transferring the ownership to a superuser, which my company uses in order to keep ownership of all tables. If I remove the ownership change it magically works, but I don't understand how moving the ownership would make a difference, since I'm granting permission to my_user anyway:
alter table mview_age_stats
owner to main_user;

Oracle select grant on table which already has all grants

I have a table table1 and I want to grant SELECT on table1 to user user1.
I will use the query below to grant SELECT.
grant select on table1 to user1;
But on production I don't know what grants user1 already has on table1. So what will happen if user1 already has the SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER and INDEX grants on table1 and I execute only the SELECT grant?
The SELECT grant will be added, if it doesn't currently exist, to any existing grants for that user.
"If you grant a privilege to a user, then the database adds the privilege to the user's privilege domain."
See the following documentation for your version of the database (this one is 10g, but still applicable):
Applicable Oracle 10g documentation on grants
What will happen if user1 already has SELECT, INSERT, (...) grant on table1 and execute only SELECT grant.
Nothing will happen.
GRANT doesn't work as a switch (i.e. one GRANT turns a privilege on, another GRANT turns it off, yet another turns it on ... nope).
If you want to revoke a privilege, you'd do exactly that: REVOKE SELECT ON some_table FROM my_user;
Will it be "double-granted" (so that you'd have to revoke it twice)? Nope, it won't.
Therefore, if the user is already granted the SELECT privilege on that table, another grant is useless, but won't do any harm.
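Both answers can be confirmed by counting privilege rows in the data dictionary. This is an added example, not code from either answer: it reproduces the question's starting state, re-grants SELECT, and shows that the row count does not change and that one REVOKE is enough. Names are the question's; run it as the owner of TABLE1 so that USER_TAB_PRIVS shows the grants it made.

```sql
-- Added example (not part of the original answers). Run as the owner of TABLE1.

-- Starting state from the question: user1 already holds seven privileges.
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX ON table1 TO user1;

-- One row per privilege: this lists seven rows, one of them SELECT.
SELECT grantee, privilege
  FROM user_tab_privs
 WHERE table_name = 'TABLE1' AND grantee = 'USER1'
 ORDER BY privilege;

-- Re-issuing the SELECT grant is idempotent: the count below is unchanged.
GRANT SELECT ON table1 TO user1;
SELECT COUNT(*) AS priv_count
  FROM user_tab_privs
 WHERE table_name = 'TABLE1' AND grantee = 'USER1';

-- A single REVOKE removes SELECT; there is no second copy to revoke.
REVOKE SELECT ON table1 FROM user1;
SELECT privilege
  FROM user_tab_privs
 WHERE table_name = 'TABLE1' AND grantee = 'USER1' AND privilege = 'SELECT';
```

The last query returns no rows after the single REVOKE. The same pattern (grant, count, revoke, count) is a cheap regression check for deployment scripts that re-run GRANT statements on every release: they are safe to repeat, and an audit of USER_TAB_PRIVS or DBA_TAB_PRIVS tells you exactly what each grantee ends up with.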

Create user with access to view in redshift

I'm pulling data from MySQL EC2 instances to S3 buckets, then creating views in Redshift. I want to create database users who can only query and see certain views created specifically for them in Redshift. I have example code below that I use to create the user and the view and to grant access. The issue I have is that I also have to grant access to the underlying schema the view is created from, which means the user can see and query tables in that schema. Also, the user can see other schemas in the database, even ones they can't query. Is there a way to grant users access only to specific views, and make it so they can't see other schemas they don't have access to?
Code:
--create schema
create schema tst_user_schema;
--create view in schema
create view tst_user_schema.inventory_report_customer as (
select * from user341.inventory_report_customer
)
with no schema binding;
--creating user
CREATE USER tstuser PASSWORD 'tstPassword';
--grant access
GRANT USAGE ON SCHEMA tst_user_schema TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA tst_user_schema TO tstuser;
--grant access
GRANT USAGE ON SCHEMA user341 TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA user341 TO tstuser;
--grant access
GRANT USAGE ON SCHEMA tst_user_schema TO tstuser;
--grant read access to all tables in schema
GRANT SELECT ON ALL TABLES IN SCHEMA tst_user_schema TO tstuser;
To recap:
schema user341 - contains the source tables; the user should not be able to select from tables in this schema. You also want to hide it from the user.
tst_user_schema - contains the views the user is supposed to be able to select from.
Looking at your GRANT statements, you're unnecessarily granting the user SELECT permission on ALL TABLES IN SCHEMA user341. For the views to work you only need to GRANT USAGE on that schema.
So REVOKE those permissions, and the user should not be able to select:
REVOKE SELECT ON ALL TABLES IN SCHEMA user341 FROM tstuser;
Tip: to easily test permissions, you can start a session as tstuser using the SET SESSION AUTHORIZATION directive and then test which statements are allowed and which are not.
SET SESSION AUTHORIZATION tstuser
Regarding schema visibility: unfortunately there's no way to hide a schema or forbid a user from seeing all tables and columns in all schemas. One can only restrict access to data.
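Putting the answer together as a runnable sequence. This is an added example, not the poster's or the answerer's code: it applies only the grants the view needs, revokes the over-broad one, and then uses the SET SESSION AUTHORIZATION tip to verify, as tstuser, that the view is readable while the base table is not. Names are the question's; it assumes the view and user from the question already exist and that the session running it belongs to a superuser, which SET SESSION AUTHORIZATION requires.

```sql
-- Added example (not part of the original question or answer).
-- Run as a superuser after the view and user from the question exist.

-- Grants the user actually needs: USAGE on both schemas, SELECT on the view only.
GRANT USAGE ON SCHEMA tst_user_schema TO tstuser;
GRANT SELECT ON tst_user_schema.inventory_report_customer TO tstuser;
GRANT USAGE ON SCHEMA user341 TO tstuser;

-- Remove the over-broad grant from the question, if it was ever applied.
REVOKE SELECT ON ALL TABLES IN SCHEMA user341 FROM tstuser;

-- Impersonate the user without needing the password.
SET SESSION AUTHORIZATION tstuser;
SELECT current_user;                                              -- confirms who we are

-- The view the user is meant to read.
SELECT COUNT(*) FROM tst_user_schema.inventory_report_customer;

-- The base table the user is not meant to read; under the grants above
-- this statement is rejected with a permission error.
SELECT COUNT(*) FROM user341.inventory_report_customer;

-- Back to the superuser session.
SET SESSION AUTHORIZATION DEFAULT;

-- The same facts from the catalog, without impersonation.
SELECT has_table_privilege('tstuser', 'user341.inventory_report_customer', 'select')         AS base_table_select,
       has_table_privilege('tstuser', 'tst_user_schema.inventory_report_customer', 'select') AS view_select;
```

The final query returns false for the base table and true for the view; the two has_table_privilege calls are the check to script into a periodic review of what each reporting user can reach, independent of what the views happen to expose.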

Vertica role grant not working

I am trying to set up a new role to make granting access rights easier. I was wondering if there is an easier way to give SELECT on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran the following queries for this. But still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I log in as the mytest1 user and try to run a select on myschema.mytable, it asks me to grant usage on the schema to the user. After I grant usage on the schema to the user directly, it fails with permission denied for that table.
Please help with this. I am running Vertica 5.0.
Update:
I found that you also have to make that role the default, or explicitly set that role as default for the user's session, for the role's effect to take place.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my other question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0, for page numbers):
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
"The user must also be granted access to the individual objects" means that you need to also GRANT on the table.
The two I use are GRANT SELECT and GRANT REFERENCES, which allow the user to run queries and to join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).
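The thread arrives at its working setup in three pieces (the question's statements, the update's default role, and the answer's per-table grants). The following is an added example, not the poster's or the answerer's code, that lays the whole sequence out in order, run as a dbadmin-level user. Names are the question's; the password is a placeholder, and the SET ROLE statement is an assumption about standard Vertica syntax that the thread itself does not show.

```sql
-- Added example (not part of the original thread). Run as a dbadmin-level user.

CREATE ROLE myrole;

-- Two layers are required: USAGE on the schema lets the role resolve names in it,
-- and a grant on each individual table gives access to the data. Schema USAGE alone
-- produces the "permission denied for that table" seen in the question.
GRANT USAGE ON SCHEMA myschema TO myrole;
GRANT SELECT ON TABLE myschema.mytable TO myrole;
GRANT REFERENCES ON TABLE myschema.mytable TO myrole;   -- lets the table be referenced in joins

CREATE USER mytest1 IDENTIFIED BY 'replace-me';         -- placeholder password
GRANT myrole TO mytest1;

-- A granted role is inactive until enabled. Making it the default enables it in
-- every session the user opens; without this the grants above have no effect.
ALTER USER mytest1 DEFAULT ROLE myrole;

-- Alternatively, in a session opened by mytest1 (assumption: SET ROLE enables a
-- role the user has been granted for the current session only):
SET ROLE myrole;
SELECT COUNT(*) FROM myschema.mytable;

-- Each table added to the schema later still needs its own grant to the role;
-- nothing in the thread makes new tables pick up the role's grants automatically.
GRANT SELECT, REFERENCES ON TABLE myschema.another_table TO myrole;  -- another_table is hypothetical
```

Keeping the grants on the role rather than on individual users is the part that actually makes later administration easier: adding or removing a user is one GRANT or REVOKE of the role, and the list of what the role can read stays in one place to review.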

Roles in oracle

I created a view in schema A using snapshots in schema B. I was trying to assign roles to the view, but it doesn't allow me to. It says there is some error related to access to the tables from the snapshots.
Any ideas?
Schema B needs to grant schema A select on the snapshots "WITH GRANT OPTION" ("WITH ADMIN OPTION" is only for system privileges, not object privileges):
grant select on TABLE_NAME to A with grant option;
Schema B needs to grant schema A select on the snapshots "with grant option" for schema A to be able to pass on the grants to other schemas/roles.
GRANT SELECT ON my_table TO a WITH GRANT OPTION;
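The full chain the two answers describe, as an added example that is not code from the question or the answers: B grants its object to A with the grant option, A builds the view over it and can then hand SELECT on the view to a role. The schema names A and B are the question's; SNAP1, V_REPORT and REPORT_ROLE are placeholders, and SNAP1 stands in for whatever table-like object the snapshot is. It assumes A holds the CREATE VIEW and CREATE ROLE system privileges.

```sql
-- Added example (not part of the original question or answers).

-- as B (owner of the snapshot): object privilege, plus the right to pass it on.
-- WITH GRANT OPTION is the object-privilege form; WITH ADMIN OPTION applies only
-- to system privileges and roles.
GRANT SELECT ON b.snap1 TO a WITH GRANT OPTION;

-- as A: the view depends on B's object
CREATE OR REPLACE VIEW a.v_report AS
  SELECT * FROM b.snap1;

-- as A: granting the view to a role only succeeds because of B's grant option;
-- with a plain GRANT SELECT from B this statement is rejected.
CREATE ROLE report_role;
GRANT SELECT ON a.v_report TO report_role;

-- Check the chain from A's side: GRANTABLE = 'YES' on the underlying object is
-- what allows the dependent view to be granted onward.
SELECT grantor, grantee, owner, table_name, privilege, grantable
  FROM all_tab_privs
 WHERE table_name IN ('SNAP1', 'V_REPORT');
```

Only the privilege on the view reaches the role's members; they never receive a direct privilege on b.snap1, which is the point of exposing a view instead of the base object. If B later revokes the grant from A, the view becomes invalid and the role's access stops with it, so a revoke at the bottom of the chain is worth testing before it is run on a production schema.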