I created table called "SCH.ABC" and created PUBLIC synonym "SCH.ABC" now I want to Grant "select" permission to schema "SCH1" on synonym "ABC" . How can i do that please help resolving this.
I am creating synanym as same name of table, while granting permission we will not specify object type whether it is a table or a synonym.
If given, grant select on ABC to sch1; then which object type will get granted synonym or table ?
You already created a public synonym called abc, and you can grant selecting to a particular schema as
grant select on abc to sch1;
where you do not need to qualify with schema name as sch.abc by connecting to sys or system schemas.
or you can grant to all schemas as
grant select on abc to public;
and you don't need to qualify the public synonym abc with the schema name. Use
select * from abc;
in every schema in the database.
Thank you very much for your interest to answering it. I just now found that, in that case synonym only will get precedence of grant. I tested by drop synonym in my home Schema and tried accessing it in another schema it was giving error and i again created synonym after that it was working fine.
Related
I get this error my when i'm selecting from an mview i created.
select * from mview_age_stats
This mview definition is using an external schema in its definition with the external schema "ext". I tried everything i could find online and gave permission at schema, table and every other level
ALTER DEFAULT PRIVILEGES IN SCHEMA ext GRANT SELECT ON TABLES TO my_user;
GRANT USAGE ON SCHEMA ext to my_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA ext TO my_user;
GRANT SELECT ON ALL TABLES IN SCHEMA ext TO my_user;
my_user is also in couple different groups, i gave the same permissions to each group and also more like this;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_only_group;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_write_only;
None of these worked, however what I noticed is that is i have a statement in my mview definition for transferring the ownership to a superuser - which my company uses in order keep ownership of all tables. If i remove the ownership it magically works but i don't understand how moving the ownership would make a difference since i'm granting permission to my_user anyway
alter table mview_age_stats
owner to main_user;
I have a user rafal and I want to create a table in another schema.
I do it like this:
grant usage on schema tony to rafal,
but when I try to create a table, I still get errors:
create table tony.t1(a int);
ERROR: permission denied for schema tony
and I also grant like this:
grant all on schema tony to rafal;
Is there any other privileges needed? I tried to search but can not find useful information.
The user would need the CREATE privilege.
grant usage, create on schema tony to rafal;
Currently I am using this to grant permissions:
grant select on all tables in schema public to <user_name>;
alter default privileges in schema public grant select on tables to <user_name>;
According to the documentation, the second statement should have resolved the problem. It does not however auto grant permissions to user_name when a new table is added to the public schema.
I am using this user (user_name) to copy data over to another database.
Found the answer. It is in this line in the ALTER DEFAULT PRIVILEGES documentation.
You can change default privileges only for objects that will be created by yourself or by roles that you are a member of.
I was using alter default privileges from a different user than the one creating the tables.
Make sure to set the role to the user creating the table before the alter default privilege statement:
SET ROLE <user_that_creates_new_tables>;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO <user_name>;
To grant default privileges, you need to grant to the user you are creating the table with.
You are creating the tables as SA_user, but reading the tables as READ_user. Your code needs to look like:
ALTER DEFAULT PRIVILEGES
FOR USER SA_user
IN SCHEMA schema_name
GRANT SELECT ON TABLES TO READ_user;
So whenever the SA_user creates a table, it will grant select rights for the READ_user.
I was looking for same thing, I found other way to solve this. Based on postgresql documentation we can create event trigger, so when new table is created, grant query will execute automatically. So no matter who created new table, other user allowed to use it.
CREATE OR REPLACE FUNCTION auto_grant_func()
RETURNS event_trigger AS $$
BEGIN
grant all on all tables in schema public to <username>;
grant all on all sequences in schema public to <username>;
grant select on all tables in schema public to <username>;
grant select on all sequences in schema public to <username>;
END;
$$ LANGUAGE plpgsql;
CREATE EVENT TRIGGER auto_grant_trigger
ON ddl_command_end
WHEN TAG IN ('CREATE TABLE', 'CREATE TABLE AS')
EXECUTE PROCEDURE auto_grant_func();
I had a schema in one oracle DB as ui_prod. I asked my DBA team guys to create exactly same schema like ui_prod but as read only and name it ui_prod_readonly. Usually I will use Oracle SQL developer to connect a DB and query directly with table name like below.
--Connect to ui_prod
select * from table
but why I requested to put owner name infront when query for readonly schema they created for me, as without putting it, I get error table not exist.
--Connect to ui_prod_readonly
select * from ui_prod.table
I have project files which hardcode the sql query with only table names and adding owner name in front will cause many changes and effort. Can anyone explain me on this? or provide me any document/link to read. Thanks
You should look into synonyms, apparently the user you are connecting to the database as is not the owner of the objects. So to view the object you have to prepend the names with the schema name (the owner of the object themselves).
http://www.techonthenet.com/oracle/synonyms.php
CREATE OR REPLACE SYNONYM ui_prod_readonly.synonym_name
FOR ui_prod.object_name
It seems to me that your dbas have not created another set of tables but just granted the existing tables to the user ui_prod_readonly.
When you log in to Oracle, the current schema is the name of the user you used to log in. So if you log in with ui_prod_readonly Oracle checks that schema for the table if you do not qualify it with the owner (=schema).
If you want to change the current schema so that you don't need to fully qualify the tables, you can do that with ALTER SESSION
alter session set current_schema = ui_prod;
Once you have done that, you don't need to fully qualify the table with the owner (=schema).
if you need a user to read the data only
its simple to create new user and grant it only select privilege
you can create user and grant select privilege using
CREATE USER [user] IDENTIFIED BY [your_password];
grant select on table to [user]
I created a read-only user in PostgreSQL and it is still able to create tables:
I created a test DB and then created a readonly2 user. Gave it only select privileges on 2 tables. When I log into this DB as readonly2 user I am still able to create tables:
create database test1
create user readonly2 with password 'readonly';
grant select on test1 to readonly2
grant select on test2 to readonly2
where test1 and test2 are 2 tables in test DB.
Now when I log into the test DB as readonly2 user, I am able to create tables:
test=> create table test55 (id int);
CREATE TABLE
I just want to create a read-only user with select permissions. I do not want to grant create table permissions.
Every table is created in a schema in Postgres. To create a table, a role must have the CREATE privilege for the schema. Per documentation:
CREATE
... For schemas, allows new objects to be created within the schema.
The default schema for a table to be created in is the first schema of the current search_path.
The first schema in the search_path is typically the schema with the same name as the user or the schema public.
And the public schema comes with default privileges:
A user can also be allowed to create objects in someone else's schema.
To allow that, the CREATE privilege on the schema needs to be granted.
Note that by default, everyone has CREATE and USAGE privileges on the
schema public.
Bold emphasis mine.
You can change that:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Be sure to think about consequences first ...
(Either that, or the role is a superuser.)