i have one user who have ddladmin membership i want to restrict him on creating table on dbo schema can i do that ?
or i have to go for user define role
You can use REVOKE for CREATE TABLE on the database to restrict that user from creating any tables.
Try the following sample:
REVOKE CREATE TABLE ON <DB_Name> FROM <UserName>
for Schema level, please try the following:
REVOKE CREATE TABLE ON SCHEMA::<schema_name> TO <UserName>
Related
I think I'm missing something when it comes to grant alter table. I'm looking at the AWS docs
https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html
And they say I can grant alter table to a role. I've tried running grant alter table to user but that gives me SQL Error [0LP01]: ERROR: Grant/Revoke system privilege on User is not supported.. So, I'm confused on what exactly a role in redshift is and how it works. Using rows, could I grant a group of people alter table permissions on a single schema?
I think you are being crossed up by the fact the GRANT ALTER is for external datalake objects only. It has to do with modifying the external datastore and isn't meant for normal Redshift tables.
If memory serves the ability to ALTER a normal table is linked with DROP permission. Otherwise it is linked to table ownership.
You can grant "ALTER TABLE" in this way.
create role testingaltertablerole;
create user testingaltertableuser with password disable;
grant alter table to role testingaltertablerole;
grant role testingaltertablerole to testingaltertableuser;
At the moment, there's no way to grant this permission for a single table, AFAIK.
I have a user db_owner who is owner to my database called 'Sales'.
Now i have to create two groups(sales_ro and sales_riu) and then i will add users to this groups.
sales_ro group should inherit(from db_owner) read access on tables and execute on functions in Sales db
sales_riu group should inherit(from db_owner) insert and update access on tables and execute on functions in Sales db.
can we create such two groups in Postgres ?
You don't need to create groups to achieve this. You can just create Roles and assign them to the users you want. For example:
CREATE ROLE sales_ro;
CREATE ROLE sales_riu;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO sales_ro;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT,INSERT,UPDATE ON TABLES TO sales_riu;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO sales_riu;
After that just grant role to expected users:
GRANT sales_ro TO your_user_1;
GRANT sales_riu TO your_user_2;
Please refer link 1 and link 2 to know more about ALTER DEFAULT PRIVILEGES and CREATE ROLE respectively.
Quoting below points from above links:
CREATE ROLE adds a new role to a PostgreSQL database cluster. A role
is an entity that can own database objects and have database
privileges; a role can be considered a “user”, a “group”, or both
depending on how it is used.
A role having the LOGIN attribute can be thought of as a user. Roles
without this attribute are useful for managing database privileges
In SQL Server, I want to create a database with multiple Schemas each of which relevant to a specific Domain of my application.
I would also like to create a restricted access to each schema meaning that when a user logs in to the database (either from ssms or from entityframework inside application) he/she can only access to objects in the database with the one specific schema he/she has access to and also can do all ddl/dml commands with that schema.
I have came up with the following solution:
1- Create a database login
CREATE LOGIN [AccountingDataBaseLogin] WITH PASSWORD='AccountingDataBaseLoginPassword'
2- Create a database user for the created login in step 1.
CREATE USER [AccountingDataBaseUser] FOR LOGIN [AccountingDataBaseLogin]
3- Create a Schema:
BEGIN
EXECUTE('CREATE SCHEMA Accounting AUTHORIZATION AccountingDataBaseUser')
ALTER USER AccountingDataBaseUser WITH DEFAULT_SCHEMA = Accounting
ALTER AUTHORIZATION ON SCHEMA::Accounting TO AccountingDataBaseUser;
GRANT CREATE TABLE TO AccountingDataBaseUser;
GRANT CREATE VIEW TO AccountingDataBaseUser;
GRANT CREATE PROCEDURE TO AccountingDataBaseUser;
GRANT CREATE TYPE TO AccountingDataBaseUser;
GRANT CREATE FUNCTION TO AccountingDataBaseUser;
GRANT CREATE DEFAULT TO AccountingDataBaseUser;
END
In my application I create a seperate .edmx file for each Schema and I will have to have a distinct connection string for each .edmx as follows:
<add name="AccountingDataBaseEntities" connectionString="metadata=res://*/ModelDesigners.Accounting.AccountingDataBaseModel.csdl|res://*/ModelDesigners.Accounting.AccountingDataBaseModel.ssdl|res://*/ModelDesigners.Accounting.AccountingDataBaseModel.msl;provider=System.Data.SqlClient;provider connection string="data source=.;initial catalog=APADataBase;user id=AccountingDataBaseLogin;password=AccountingDataBaseLoginPassword;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
I would like to know if what I am doing is the best way to achieve what I want and if not what would be a better way?
You can grant permissions to the schema directly:
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Accounting TO AccountingDataBaseUser;
If you have more than one users need to access the same schema, you can create a database role and GRANT the above permissions to the role. Then add the users to the role.
That is a reasonable implementation of your objective. In particular, you didn't make the common mistake of having the schema owned by dbo and allowing other users to create objects in it.
A couple of possible improvements to your model are
1) Have a role own the schema instead of a user
2) Have one role for the schema owner, and another one without DDL privileges for the application
Is there a way for an AWS Redshift user to have select only access on newly created schemas created by a separate Redshift user?
For example, if I create a user as follows:
CREATE USER francesco_totti WITH PASSWORD xxxxxx;
GRANT USAGE ON SCHEMA "forza_roma" to francesco_totti;
GRANT SELECT on all TABLES in schema "forza_roma" to francesco_totti;
ALTER DEFAULT PRIVILEGES IN SCHEMA "forza_roma" GRANT SELECT ON TABLES TO francesco_totti;
How can I grant the francesco_totti user access to schemas that are created later on by a separate user? I want to alter the default privileges to allow francesco_totti to read from newly created schemas. Is this possible?
This is not possible as It's against the data security policy. We need to provide Authorization and access to each individual user or user group. What you can do is create a group and provide access
I created a read-only user in PostgreSQL and it is still able to create tables:
I created a test DB and then created a readonly2 user. Gave it only select privileges on 2 tables. When I log into this DB as readonly2 user I am still able to create tables:
create database test1
create user readonly2 with password 'readonly';
grant select on test1 to readonly2
grant select on test2 to readonly2
where test1 and test2 are 2 tables in test DB.
Now when I log into the test DB as readonly2 user, I am able to create tables:
test=> create table test55 (id int);
CREATE TABLE
I just want to create a read-only user with select permissions. I do not want to grant create table permissions.
Every table is created in a schema in Postgres. To create a table, a role must have the CREATE privilege for the schema. Per documentation:
CREATE
... For schemas, allows new objects to be created within the schema.
The default schema for a table to be created in is the first schema of the current search_path.
The first schema in the search_path is typically the schema with the same name as the user or the schema public.
And the public schema comes with default privileges:
A user can also be allowed to create objects in someone else's schema.
To allow that, the CREATE privilege on the schema needs to be granted.
Note that by default, everyone has CREATE and USAGE privileges on the
schema public.
Bold emphasis mine.
You can change that:
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
Be sure to think about consequences first ...
(Either that, or the role is a superuser.)