I have an Sybase database and a user that has all privileges to access that database. Now I want to create a new user who can only get the DDL of all objects like user tables,views,procedures,functions etc in database and can only read the data. What are the least privileges or roles that are needed to be granted to the new user? I don't want to perform any kind of alter, update or delete on that database.
You need to be the 'dbo' database user for the database you want to reverse-engineer. The easiest way to achieved this is by granting sa_role & sso_role to the login that you're using to connect to the ASE server.
Related
I am trying to automate creating databases and users in Postgres.
Currently, after I create the databases and users for each database, all users seem to have admin access and can do and see anything, including other databases.
Here is the SQL I'm running:
CREATE DATABASE MY_DB WITH ENCODING 'UTF8';
CREATE USER MY_DB_ADMIN WITH ENCRYPTED PASSWORD 'SUPER_SECRET_PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE MY_DB TO MY_DB_ADMIN;
I'm relatively new to Postgres, so not sure if this is a Postgres nuance thing or SQL in general.
Thanks in advance
Update 1
By "do anything", I mean, I am able to perform selects, create tables etc in other databases.
I have now tried this:
REVOKE ALL ON DATABASE MY_DB FROM MY_DB_ADMIN;
GRANT CREATE, CONNECT, TEMPORARY ON DATABASE MY_DB TO MY_DB_ADMIN;
But this still doesn't work.
User DB_ONE_ADMIN is able to create tables in DB_TWO
GRANT ALL PRIVILEGES ON DATABASE MY_DB TO MY_DB_ADMIN;
The problem is with the last line here, you are granting all privileges on database MY_DB to MY_DB_ADMIN. You need to decide on the access levels for different users if this is something you don't want.
If restriction needs to be applied and current privilege needs to be revoked then use REVOKE command
I'm trying to retrieve the CREATE table statement for multiple tables from oracle SQL Developer so I can run it in SQL Management to create new tables.
However, when highlighting multiple tables and right clicking > Quick DLL> Save to File, my file looks like this:
GRANT INSERT ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT UPDATE ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT SELECT ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT DELETE ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT INSERT ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT SELECT ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT UPDATE ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
Why is there no CREATE table statements in here?
I'm connected as Opsweb and the only tables I can see are under the OPSR user.
You can't see the create DDL for other user's objects. SQL Developer is using dbms_metadata in the background, and from the documentation:
The object views of the Oracle metadata model implement security as follows:
Nonprivileged users can see the metadata of only their own objects.
Nonprivileged users can also retrieve public synonyms, system privileges granted to them, and object privileges granted to them or by them to others. This also includes privileges granted to PUBLIC.
If callers request objects they are not privileged to retrieve, no exception is raised; the object is simply not retrieved.
If nonprivileged users are granted some form of access to an object in someone else's schema, they will be able to retrieve the grant specification through the Metadata API, but not the object's actual metadata.
and so on. As the last bullet above says, you cen get the grants - which is what you are seeing now - but not the actual metadata.
If your user was granted the select_catalog_role you would be able to get the DDL for OPSR's objects, but you'd have to ask your DBA for that and it would probably be easier to connect as that user, or ask someone else who can to do that to perform the extract for you.
I'm using the Oracle Database EX 11.2.0.2.0 and I hava a quite simple database created there.
Now the issue is i would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what are the difference between creating system-leveled and particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my databse is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is it any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. An other user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in de Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.
Is it possible to restrict user access to a postgresql database by specifying a database, rather than a table?
I understand that the line:
GRANT ALL ON tableName TO joeuser
enables this user to access this table and do anything they want. However I want to allow a user access to the database databaseName that contains tableName (and all tables within databaseName), but not all databases on my postgresql server.
Not really, no. Granting privileges to a database:
GRANT ALL ON DATABASE databaseName TO joeuser;
does not automatically grant privileges on objects in the database; and granting privileges on every object that's currently in the database won't automatically grant privileges on any future objects that might be created.
It's not clear exactly what you want. It might be that you're trying to find a single SQL statement that handles all your privileges now and forever more. SQL privileges generally don't work that way.
Depending on the version, you can control connection to the database in two ways.
By editing pg_hba.conf. (Probably not suitable in your case.)
By a GRANT (or REVOKE) CONNECT ON DATABASE... statement. (Since version 8.2.)
You can change the default privileges for tables, views, sequences, and functions. (Version 9.0+)
ALTER DEFAULT PRIVILEGES is a PostgreSQL extension to SQL.
I have created one user named "tuser" with create database rights in SQL server 2005.
and given the 'db_owner' database role of master and msdb database to "tuser".
From this user login when I run the script for create database then it will create new database.
But "tuser" don't have access that newly created database generated from script.
Any one have any idea?, I want to write the script so "tuser" have access that new created database after creation and can have add user permission of newly created database.
I want to give 'db_owner' database roles to "tuser" on that newly created database in the same script which create new database. The script run under 'tuser'.
Grant securityadmin server role to [tuser]
Members of the securityadmin fixed
server role manage logins and their
properties. They can GRANT, DENY, and
REVOKE server-level permissions. They
can also GRANT, DENY, and REVOKE
database-level permissions.
Additionally, they can reset passwords
for SQL Server logins.
CREATE DATABASE says
Each database has an owner that can
perform special activities in the
database. The owner is the user that
creates the database. The database
owner can be changed by using
sp_changedbowner (Transact-SQL).
So tuser should own the DB already.
However, you could set up tuser as db_owner in the model db which used as the template for every db creation
BTW, why make tuser the owner of master and msdb?
If tuser doesn't have access to the new database it means is not the owner. The database owner cannot be denied access into his/her own database.
How does the CREATE DATABASE statement look like? Do you have any AUTHORIZATION clause that would change the database ownership of the new database?
Who is the actual owner of the new database? Check SELECT name, SUSER_SNAME(owner_sid) FROM sys.databases;
Thanks for your input.
i have given access of tuser to database from ehich the new database created.
now the issue is resolved.
Many thanks.