I have a read only user in Postgres. I need to restrict the function pg_sleep() for that user. How can I achieve it?
Related
I have a database with many users who have access to all tables within the DB. There is one table that I would like to restrict access to only a specific few users. So basically granting table access to some while removing table access to the rest. Any thoughts on best way to accomplish this?
You could always DENY SELECT to all users on that table, and then grant it by person for the few you do want to have access to it.
DENY Object Permissions (Transact-SQL)
This question may also help you: SQL Server : can you limit access to only one table
Is there a way to restrict a particular user from making any modification on particular table.
I am thinking to create a Instead of trigger and some how get the login info and restrict the user from running delete/update statements.
But is there any better way to do this, like Sql server has some login permission setting to restrict this
I'd revoke all privileges first (assuming you already have the user)
REVOKE ALL
ON {object_name}
FROM {user_name}
Then grant only SELECT to that user.
GRANT SELECT, INSERT
ON {object_name}
TO {user_name}
If I have two databases 'dbA' and 'dbB' using a normal account I know I can run a query such as
SELECT *
FROM dbA.dbo.TableA a
JOIN dbB.dbo.TableB b ON a.columnA=b.columnB
But I can not figure out how to grant permissions to a loginless account
USE dbA;
CREATE USER [test_user] WITHOUT LOGIN WITH DEFAULT_SCHEMA=[dbo]
GRANT SELECT ON DATABASE::dbA TO [test_user];
I receive an error when trying to give select permission to the loginless user 'test_user' on the other database.
GRANT SELECT ON DATABASE::dbB TO [test_user];
Is it possible to do a database join using loginless users? If so what should the grant statement look like for setting correct permissions?
A user without a login can only access other databases that have the guest user enabled. You might consider using a certificate-mapped user instead if you have a cross-database requirement. See http://www.sommarskog.se/grantperm.html for code.
Users exist at the database level. Only logins exist at the server level.
I believe you can create a view in dbA like so:
use dbA;
create view dbB_TableB as
select *
from dbB.dbo.TableB;
And you can then assign SELECT permissions for the user in dbA to the view.
The goal is to allow all the "Teachers" that have access to the Faculty table to have Select permissions to only their own social security number and not everybody elses. Do any of you know how I can perform something like this? I do have all my users setup as Windows Users and I have a windows group called Teachers, if that helps.
Not possible using the standard permissions in SQL server (that I am aware of)
You will need to implement this kind of constraint in your code.
You could in theory pass in the SS# and query based on this and raise an error if they do not match.
Social security numbers shoud be encrypted so they can't see each others numbers if they call up the record. You can use a decryption proc to allow them to decrypt that checks the userid against the profile id and will only decrypt if they match.
Implementing Row-level Permissions
Row-level permissions are used for applications that store information in a single table. Each row has a column that defines a differentiating parameter, such as a user name, label or other identifier. You then create parameterized stored procedures, passing in the appropriate value. Users can see only rows that match the supplied value.
The following steps describe how to configure row-level permissions based on a user or login name.
Create the table, adding an additional column to store the name.
Create a view that has a WHERE clause based on the user name column. This will restrict the rows returned to those with the specified value. Use one of the built-in functions to specify a database user or login name. This eliminates the need to create different views for different users.
' Returns the login identification name of the user.
WHERE UserName = SUSER_SNAME()
' USER_NAME or CURRENT_USER Return the database user name.
WHERE UserName = CURRENT_USER()
Create stored procedures to select, insert, update, and delete data based on the view, not the base tables. The view provides a filter that restricts the rows returned or modified.
For stored procedures that insert data, capture the user name using the same function specified in the WHERE clause of the view and insert that value into the UserName column.
Deny all permissions on the tables and views to the public role. Users will not be able to inherit permissions from other database roles, because the WHERE clause is based on user or login names, not on roles.
Grant EXECUTE on the stored procedures to database roles. Users can only access data through the stored procedures provided.
Im writing a simple utility that will allow our users to run simple select SQL statements on the DB to retrieve data they require. Just a textbox and a button and when they click the button it will spit out the query results in a list.
The problem I have is I only want them to be able to run SELECT statements. I dont want any edit statements to be executed i.e. update, insert, delete, drop etc.
Is there a simple way to parse a sql string to make sure its only a read only select statement entered?
A better way would be to use sql permissions. As a datareader, your users will only be able to SELECT. exec sp_addrolemember db_datareader, <user>
Best way to deal with this is by creating a user that only has limited permissions.
If you want to allow users to read data from all tables then you can go with what Steve D already suggested.
If you want to allow users to read data from only some tables but not all then you need to create a user that only has ‘public’ role and then GRANT SELECT for specific tables.
Make sure user only has ‘public’ selected here for a given database
Then just execute this query for all tables
grant select on <schema>.<table> to <user>