I have a view called Directors on a SQL database called Theatre. I need to grant all users in this view all privileges.
So far I have this:
GRANT ALL ON Theatre.Director '*'#'.\SQLEXPRESS'
.\SQLEXPRESS Is my SQL host server.
But this returns an error. How Do I complete this task?
GRANT DELETE, INSERT, REFERENCES, SELECT, UPDATE ON Theatre.Director TO public
all users are member of the "public" group. As for the "all" you should avoid using it since it is deprecated.
Related
I need to create a new firebird-db user which has only access to 4 specific tables. Is there a way to do that?
http://www.destructor.de/firebird/gsec.htm isn't really helpful in that regard.
The - third-party - gsec documentation you link does not provide information about granting rights on tables, because gsec is only for managing users in the security database. In Firebird, rights of users are managed in the individual databases using the GRANT (and REVOKE) statements (it is even possible to grant rights to users that do not exist (yet)). Be aware, Firebird 3 deprecated gsec, and since Firebird 2.5, it is recommended to use the SQL user management statements instead of gsec.
You need to create the user, and then give the user privileges to the tables you want. See the Security chapter in the Firebird 2.5 Language Reference.
A regular, authenticated user has no privileges on any database object
until they are explicitly granted, either to that individual user or
to all users bundled as the user PUBLIC.
Specifically:
Create a user:
create user <username> password '<password>';
See also CREATE USER; to create a user, you need to be either SYSDBA, or you need to have and the admin role in the security database, and the RDB$ADMIN role in the current database, and be logged in specifying the RDB$ADMIN role on connect.
Grant the necessary privileges to the user. For example to give SELECT privileges:
grant select on table <tablename> to user <username>;
To allow select, insert, update and delete:
grant select, insert, update, delete on table <tablename> to user <username>;
See also GRANT; to grant permission to an object, you must be either SYSDBA, the owner of the object, be RDB$ADMIN in the current database, or have been granted the privilege(s) with the WITH GRANT OPTION.
When you need to grant the same set of rights to multiple users, it is better to grant rights to a role, and then grant that role to the users. However in Firebird 3 and earlier, to get the rights granted to a role, the user needs to explicitly specify that role on connect (Firebird 4 will introduce roles that are automatically applied).
If I'm creating the role 'VIPGUEST' and giving them object privileges to these environments:
BedroomDEV
KitchenINT
GarageTEST
LivingroomTRN
DiningroomPROD
Create role VIPGUEST not identified
Grant connect to VIPGUEST
Grant create session TO VIPGUEST
Grant delete, execute to VIPGUEST
Grant insert, load, view to VIPGUEST
Grant refresh, references, select to VIPGUEST
Grant update, resource, index, alter to VIPGUEST
How do I combine these to get the results that I want?
I know my statements are incomplete, but I don’t know how.
There are different categories of privileges, such as system, table or procedure ones. Depending on that, GRANT differs.
You can GRANT CREATE SESSION TO VIPGUEST, but can't GRANT DELETE TO VIPGUEST. Delete what? GRANT DELETE ON EMP TO VIPGUEST would make sense.
The same goes for, for example, EXECUTE: you have to say what you'd want to allow VIPGUEST to execute, e.g. GRANT EXECUTE ON p_insert_employee TO VIPGUEST.
Have a look at the Security Guide (of your database version) for some more info.
P.S. Don't grant CONNECT nor RESOURCE. Those were "popular" roles some time ago but will be deprecated in future Oracle database releases. Correct way is what you're trying to do: create your own role with minimum set of privileges which will enable users (who will be granted that role) to work.
I want to GRANT some privileges to a particular user in Firebird like we can do it in MySql as shown below.
CREATE USER 'user123'#'localhost' IDENTIFIED BY 'user123pass';
GRANT CREATE, SELECT, INSERT, DELETE, DROP, UPDATE ON MyTestDb.* TO 'user123'#'localhost';
Is possible in Firebird?
Unfortunately, this is not possible. You will need to grant privileges per table or view explicitly and individually.
See also the GRANT syntax in the Firebird 2.5 Language Reference and the Firebird 3 release notes
I am connecting to my SQL studio manager using Power BI (a report writing software). I only want tables appearing listed under a certain schema, and deny permission to access all others, instead of displaying all tables which it currently does.
Usually, when preventing individual users from accessing a schema, I would use the following code:
revoke select on schema::UnwantedSchema to User
grant select on schema::WantedSchema To User
However, now I want it so ALL users and Logins have these permission settings. Not just the individual user. Is there a way I can do this without having to set the permissions for every individual user?
If you wanted to set the privileges to multiple user logins, You need to create a role and assign the role to the ers to that role. The give required permission to the role created.
Following are the sample steps.
--Create a new role
EXEC sp_addrole 'yourRole'
GO
--Assiging role to the user
EXEC sp_addrolemember 'yourRole', 'yourUser';
GO
--Assigning permissions to the Role
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::YourSchema TO yourRole;
GO
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO yourRole;
GO
Does the following command effectively give the user, "MyUser," permission to execute ALL stored procedures in the database?
GRANT EXECUTE TO [MyDomain\MyUser]
SQL Server 2008 and Above:
/* CREATE A NEW ROLE */
CREATE ROLE db_executor
/* GRANT EXECUTE TO THE ROLE */
GRANT EXECUTE TO db_executor
For just a user (not a role):
USE [DBName]
GO
GRANT EXECUTE TO [user]
SQL Server 2005 introduced the ability to grant database execute permissions to a database principle, as you've described:
GRANT EXECUTE TO [MyDomain\MyUser]
That will grant permission at the database scope, which implicitly includes all stored procedures in all schemas. This means that you don't have to explicitly grant permissions per stored procedure.
You can also restrict by granting schema execute permissions if you want to be more granular:
GRANT EXECUTE ON SCHEMA ::dbo TO [MyDomain\MyUser]
In addition to the answers above, I'd like to add:
You might want to grant this to a role instead, and then assign the role to the user(s).
Suppose you have created a role myAppRights via
CREATE ROLE [myAppRights]
then you can give execute rights via
GRANT EXECUTE TO [myAppRights]
to that role.
Or, if you want to do it on schema level:
GRANT EXECUTE ON SCHEMA ::dbo TO [myAppRights]
also works (in this example, the role myAppRights will have execute rights on all elements of schema dbo afterwards).
This way, you only have to do it once and can assign/revoke all related application rights easily to/from a user if you need to change that later on - especially useful if you want to create more complex access profiles.
Note: If you grant a role to a schema, that affects also elements you will have created later - this might be beneficial or not depending on the design you intended, so keep that in mind.