We have Big-Query on project PRJ-A with 30 datasets
Question:
1/ If we have another project (ex: PRJ-B). How can we grant view permission on PRJ-A for all users on PRJ-B ? (it means: user_01 on PRJ-B can select "dataset" of PRJ-A)
2/ If we have a group user (ten users) and they have not VISA and we do not want to add them to our PRJ-A (because they can view our information about instance,app,configurations ... )
How can we grant view permission for them ? (may be we can use a global user for ten users)
Until now, we intend to use "bq command" to solve : install gcloud sdk tool on server A, after that, grant privileges to ten users can use bq command.
For #1, there is no way to reference all users of Project A in ACL for project B. So, your best options I see : domain or userByEmail or groupByEmail depends on your specifics
If you would need to reference Users of the same project - specialGroup would be your choice
https://cloud.google.com/bigquery/docs/reference/v2/datasets#resource
For #2
I think, groupByEmail (An email address of a Google Group to grant access to.) is your option
Related
|Project
|-Dataset
|-table1
|-table2
I gave the following permissions on a Dataset level.
bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.list
resourcemanager.projects.get
and I gave the following only on table1
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.list
Now user can query table1 but can't see the table1 under dataset in UI. it is as below:
|Project
|-Dataset
And I would like to make it as below.
|Project
|-Dataset
|-table1
Any ideas?
I had a similar issue, I had to share only one table for user connecting with Google sheet in Bigquery.
Here is what I did to make this happen:
I created a new roles as follow:
BigQuery Dataset Traverse
With the following 6 assigned permissions
**bigquery.datasets.get
bigquery.jobs.create
bigquery.jobs.list
bigquery.tables.getData
bigquery.tables.list
resourcemanager.projects.get**
On ce created the new role, I created a group in Workspace and I granted access to this group at the project level to this group with the new role created.
The inheritance was propagated into the project to the tables level.
Finally, to permit user to read data into the table, I granted this role BigQuery Data Viewer on my new group at the tables level.
And for sure, I added the user I need to have access into the new group.
Now they see all Dataset into the project, but they can only access data one table I shared.
Hope it s clear!
Cheer!
What privileges can I grant to let everyone in the world query my information schema? i.e. I want everyone to be able to run:
select * from `projectid`.INFORMATION_SCHEMA.SCHEMATA
Currently I get back:
Access Denied: Table projectid:INFORMATION_SCHEMA.SCHEMATA: User does not have permission to query table projectid:INFORMATION_SCHEMA.SCHEMATA
Usually in BigQuery you set permissions at the dataset level. For example, this query will run for anyone, as the dataset is public for everyone:
SELECT *
FROM `fh-bigquery.flights.INFORMATION_SCHEMA.TABLES`
But you can't do this:
SELECT *
FROM `fh-bigquery.INFORMATION_SCHEMA.SCHEMATA`
This because you need project level permissions to see all my datasets, even the ones I haven't made public.
If you really want to share the schemas of all your datasets with the world, then you could create a custom role just for this, with the bigquery.datasets.get permission:
https://console.cloud.google.com/iam-admin/roles
Then you need to assign this role to all users - but that's not an option.
At the project level, you can assign this role to one of these:
Google Account email: user#gmail.com
Google Group: admins#googlegroups.com
Service account: server#example.gserviceaccount.com
G Suite domain: example.com
One option in this case:
Create a Google Group.
Give this new role to this new Google Group.
Make this Google Group free to join.
Tell people "hey, if you want to see my project SCHEMATA, join this group".
Then all will work.
I would like to make the user console available to our users, but I cannot do to if I can't set permissions on individual data sources. That is to say, user A would only have access to use data source A, and user B would only have access to use data source B.
Is it possible to restrict a user or role to a subset of defined datasources?
try this for every datasource: http://mondrian.pentaho.com/documentation/schema.php#Access_control
Make sure the Mondrian One-To-One UserRoleMapper is uncommented in the /pentaho-solutions/system/pentahoObjects.spring.xml file.
It will look like this:
https://help.pentaho.com/Documentation/5.1/0N0/020/080/010/000
I need to give a 'Active Directory User Group' read access to a tabular model database. I am not able to find the group when searched, to add it to a role.
As mentioned here for a database instance, adding the group to 'Logins' in 'Security' Folder is the first step. But 'Security' folder is not there in case of tabular model as shown in screen shot below. First one out of 3 is Tabular Model instance:
(source: sqlmusings.com)
I am admin for the server if that would be required. How to give 'Active Directory User Group' read access to a tabular model?
First, there must be a role defined in the Tabular model. Then you add the active directory group to the list of members. If the model was developed/deployed from a system that doesn't have access to the domain, then the group will have to be added after the fact. This can be done via SSMS...
Navigate to the roles folder:
<SSAS Tabular Instance> | Databases | <tabular model> | Roles
Right-click the role to which you want to add the active directory
group
Select the Membership page
Click Add
...at this point, make sure the correct objects are selected (users, groups, etc), and locations (network, domains, etc)...this window is pretty standard in windows apps.
I'm having big trouble in copying an Oracle DB to the same server but with another name, to use as a development DB.
I'm used to SQL Server, I'm new to Oracle (11g).
I wanted to use the 'Database copy' from SQL Developer, but I'm getting errors all the way. First it was about missing tablespaces.
Then when I manually created them in my new empty DB the errors were about missing users.
I wanted to create the users manually, but then I first needed to create missing roles.
When all that was done, it failed on missing indexes...
How do I copy everything I need with 'Database copy'?
Any advice is greatly appreciated!
SQL Developer copy will only copy objects between schemas. Do you want to just make a copy of a schema? Or a whole new database, including all schemas?
Judging by your question, I'm assuming the latter. If so, RMAN "database duplication" may help you.
See http://www.oracle-base.com/articles/11g/duplicate-database-using-rman-11gr2.php at Tim Hall's excellent site.
The best way for you is to create a new user :
Launch MSDOS Shell Connect to your database using system manager
account
sqlplus / as sysdba
Then write these sequences:
CREATE USER user2 IDENTIFIED BY user2password;
GRANT ALL PRIVILEGE TO user2 WITH ADMIN OPTION;
GRANT CONNECT TO user2;
GRANT DBA TO user2;
exit oracle prompt
In MSDOS Shell again, export your current user1 like this :
exp user1/password
or
exp user1/password#connectString
if you have a connection string specified in tnsnames.ora
Answer all the questions by default, give a name to your export file, and specify that you want to export only the user user1
Then proceed to the importation of the dump in your new user2 like this :
imp user2/password2 fromuser=user1 touser=user2
Answer all the questions by default, give the name to your export file (if you don't change the default folder of CmdShell you will not have to specify the complete folder)
An interesting link on this from Oracle documentation:
http://docs.oracle.com/cd/E11882_01/backup.112/e10642/rcmdupdb.htm#BRADV010