I'm currently dealing with some GRANT options using Oracle Database Express Edition 11g. Consider the following small code example where some users grant some privileges to other users:
-- User A
GRANT Select, Insert, Update, Delete ON T TO B,C WITH GRANT OPTION ;
-- User B
GRANT Select ON T TO C WITH GRANT OPTION ;
GRANT Insert ON T TO C ;
-- USer C
GRANT Select, Insert, Update ON T TO D ;
User A is the creator of Table T and performs the following REVOKE operation.
Now REVOKE Update ON T FROM C is performed. Since no constraint is specified, the REVOKE operation should either cancel, because otherwise there would be an abandoned UPDATE privilege at D, or delete the privileges of both C and D.
Now my question is: Is the REVOKE statement actually cancelled or removes both C and D privileges? Or in other words, is the result after executing that revoke statement that both C and D still have the UPDATE privilege or not?
Thanks in advance.
Revoke object privilege
If user has granted the privilege to other users or roles, then the database also revokes the privilege from those other users or roles.
The correct REVOKE statement is:
REVOKE object_priv [(column1, column2..)] ON [schema.]object
FROM {user, | role, |PUBLIC} [CASCADE CONSTRAINTS] [FORCE]
There is no RESTRICT in Oracle. The RESTRICT exists in PostgresSQL, MariaDB, etc.
However I think your intended way is just REVOKE Update ON T FROM C executed from A user.
After that there is no any error and users C and D do NOT have privilege to update T.
Related
I have table table1 and I want to grant SELECT to table1 to user user1.
I will use below query to grant SELECT.
grant select on table1 to user1;
But on production I don't know what all grant user1 has on table1.So What will happen if user1 already has SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER and INDEX grant on table1 and execute only SELECT grant.
The SELECT grant will be added, if it doesn't currently exist, to any existing grants for that user.
"If you grant a privilege to a user, then the database adds the privilege to the user's privilege domain."
See the following documentation for your version of the database (this one is 10g, but still applicable):
Applicable Oracle 10g documentation on grants
What will happen if user1 already has SELECT, INSERT, (...) grant on table1 and execute only SELECT grant.
Nothing will happen.
GRANT doesn't work as a switch (i.e. turns a privilege on - another GRANT turns it off - yet another turns it on ... - nope).
if you want to revoke a privilege, you'd do exactly that: REVOKE SELECT ON some_table FROM my_user;
will it be "double-granted" (so that you'd have to revoke it twice?) - nope, it won't
Therefore, if user is already granted SELECT privilege on that table, another grant is useless, but won't do any harm.
Imagine a following situation: a database admin creates new user. Let's call him user1. Admin grants privilege A to user1 with grant option.
GRANT A TO user1
WITH GRANT OPTION
Now user1 grants mentioned privilege to user2:
GRANT A TO user2
WITH GRANT OPTION
Let's suppose that admin revokes A from user1:
REVOKE A FROM user1
What happens with user2 granted permissions? Are they still working? Are they deleted? Does the behavior depend on a platform, so it may differ on Oracle, MS SQL, MySQL etc. ? I know that you can specify, such a behavior by using CASCADE keyword in MS SQL, but I've heard, other platforms delete child-grants on default, when the parent is revoked.
In SQL Server revoking a permission from a principal who held that permission with grant option and who has granted that permission to other principals will fail with.
Msg 4611, Level 16, State 1, Line 16
To revoke or deny grantable privileges, specify the CASCADE option.
And to test this stuff on SQL Server create users without logins and use execute as to impersonate them and test the behavior and their effecitve permissions.
drop table if exists foo
create table foo(id int)
create user user1 without login
create user user2 without login
GRANT select on foo TO user1
WITH GRANT OPTION
execute as user='user1'
select * from foo;
GRANT select on foo TO user2
WITH GRANT OPTION
revert
revoke select on foo to user1 --fails
go
revoke select on foo to user1 cascade
execute as user='user2'
select * from foo; --fails
revert
If I'm creating the role 'VIPGUEST' and giving them object privileges to these environments:
BedroomDEV
KitchenINT
GarageTEST
LivingroomTRN
DiningroomPROD
Create role VIPGUEST not identified
Grant connect to VIPGUEST
Grant create session TO VIPGUEST
Grant delete, execute to VIPGUEST
Grant insert, load, view to VIPGUEST
Grant refresh, references, select to VIPGUEST
Grant update, resource, index, alter to VIPGUEST
How do I combine these to get the results that I want?
I know my statements are incomplete, but I don’t know how.
There are different categories of privileges, such as system, table or procedure ones. Depending on that, GRANT differs.
You can GRANT CREATE SESSION TO VIPGUEST, but can't GRANT DELETE TO VIPGUEST. Delete what? GRANT DELETE ON EMP TO VIPGUEST would make sense.
The same goes for, for example, EXECUTE: you have to say what you'd want to allow VIPGUEST to execute, e.g. GRANT EXECUTE ON p_insert_employee TO VIPGUEST.
Have a look at the Security Guide (of your database version) for some more info.
P.S. Don't grant CONNECT nor RESOURCE. Those were "popular" roles some time ago but will be deprecated in future Oracle database releases. Correct way is what you're trying to do: create your own role with minimum set of privileges which will enable users (who will be granted that role) to work.
Fast :
GRANT SELECT ON SYSTEM.* TO appadmin;
I want to grant AppAdmin the rights of SELECT on all tables of the database
I'm using Oracle SQL, why does my statement not work ?
Using the ANY keyword in reference to a system privilege means that the user can perform the privilege on any objects owned by any user except for SYS. By default, if you are granted a privilege, you cannot assign your privilege to others. You cannot grant or revoke that privilege to or from anyone else.
Sometimes you want to grant privileges to users and have them be able to grant those privileges to other users. When this is the case, we include the with admin keyword in the grant command. When this keyword is used, it will allow the user granted the privilege to grant that privilege to other users.
Here is an example of the usage of the with admin option keyword.
GRANT SELECT ANY TABLE TO User;
GRANT SELECT ANY TABLE TO YOUR_USER;
I would like to give a user all the permissions on a database without making it an admin.
The reason why I want to do that is that at the moment DEV and PROD are different DBs on the same cluster so I don't want a user to be able to change production objects but it must be able to change objects on DEV.
I tried:
grant ALL on database MY_DB to group MY_GROUP;
but it doesn't seem to give any permission.
Then I tried:
grant all privileges on schema MY_SCHEMA to group MY_GROUP;
and it seems to give me permission to create objects but not to query\delete objects on that schema that belong to other users
I could go on by giving USAGE permission to the user on MY_SCHEMA but then it would complain about not having permissions on the table ...
So I guess my question is: is there any easy way of giving all the permissions to a user on a DB?
I'm working on PostgreSQL 8.1.23.
All commands must be executed while connected to the right database cluster. Make sure of it.
Roles are objects of the database cluster. All databases of the same cluster share the set of defined roles. Privileges are granted / revoked per database / schema / table etc.
A role needs access to the database, obviously. That's granted to PUBLIC by default. Else:
GRANT CONNECT ON DATABASE my_db TO my_user;
Basic privileges for Postgres 14 or later
Postgres 14 adds the predefined, non-login roles pg_read_all_data / pg_write_all_data.
They have SELECT / INSERT, UPDATE, DELETE privileges for all tables, views, and sequences. Plus USAGE on schemas. We can GRANT membership in these roles:
GRANT pg_read_all_data TO my_user;
GRANT pg_write_all_data TO my_user;
This covers all basic DML commands (but not DDL, and not some special commands like TRUNCATE or the EXECUTE privilege for functions!). The manual:
pg_read_all_data
Read all data (tables, views, sequences), as if having SELECT rights
on those objects, and USAGE rights on all schemas, even without
having it explicitly. This role does not have the role attribute
BYPASSRLS set. If RLS is being used, an administrator may wish to
set BYPASSRLS on roles which this role is GRANTed to.
pg_write_all_data
Write all data (tables, views, sequences), as if having INSERT,
UPDATE, and DELETE rights on those objects, and USAGE rights on
all schemas, even without having it explicitly. This role does not
have the role attribute BYPASSRLS set. If RLS is being used, an
administrator may wish to set BYPASSRLS on roles which this role is
GRANTed to.
All privileges without using predefined roles (any Postgres version)
Commands must be executed while connected to the right database. Make sure of it.
The role needs (at least) the USAGE privilege on the schema. Again, if that's granted to PUBLIC, you are covered. Else:
GRANT USAGE ON SCHEMA public TO my_user;
Or grant USAGE on all custom schemas:
DO
$$
BEGIN
-- RAISE NOTICE '%', ( -- use instead of EXECUTE to see generated commands
EXECUTE (
SELECT string_agg(format('GRANT USAGE ON SCHEMA %I TO my_user', nspname), '; ')
FROM pg_namespace
WHERE nspname <> 'information_schema' -- exclude information schema and ...
AND nspname NOT LIKE 'pg\_%' -- ... system schemas
);
END
$$;
Then, all permissions for all tables (requires Postgres 9.0 or later).
And don't forget sequences (if any):
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO my_user;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO my_user;
Alternatively, you could use the "Grant Wizard" of pgAdmin 4 to work with a GUI.
This covers privileges for existing objects. To also cover future objects, set DEFAULT PRIVILEGES. See:
Grant privileges for a particular database in PostgreSQL
How to manage DEFAULT PRIVILEGES for USERs on a DATABASE vs SCHEMA?
There are some other objects, the manual for GRANT has the complete list. As of Postgres 14:
privileges on a database object (table, column, view, foreign table, sequence, database, foreign-data wrapper, foreign server, function, procedure, procedural language, schema, or tablespace)
But the rest is rarely needed. More details:
Grant privileges for a particular database in PostgreSQL
How to grant all privileges on views to arbitrary user
Consider upgrading to a current version.
GRANT ALL PRIVILEGES ON DATABASE "my_db" to my_user;
In PostgreSQL 9.0+ you would do the following:
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA MY_SCHEMA TO MY_GROUP;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA MY_SCHEMA TO MY_GROUP;
If you want to enable this for newly created relations too, then set the default permissions:
ALTER DEFAULT PRIVILEGES IN SCHEMA MY_SCHEMA
GRANT ALL PRIVILEGES ON TABLES TO MY_GROUP;
ALTER DEFAULT PRIVILEGES IN SCHEMA MY_SCHEMA
GRANT ALL PRIVILEGES ON SEQUENCES TO MY_GROUP;
However, seeing that you use 8.1 you have to code it yourself:
CREATE FUNCTION grant_all_in_schema (schname name, grant_to name) RETURNS integer AS $$
DECLARE
rel RECORD;
BEGIN
FOR rel IN
SELECT c.relname
FROM pg_class c
JOIN pg_namespace s ON c.namespace = s.oid
WHERE s.nspname = schname
LOOP
EXECUTE 'GRANT ALL PRIVILEGES ON ' || quote_ident(schname) || '.' || rel.relname || ' TO ' || quote_ident(grant_to);
END LOOP;
RETURN 1;
END; $$ LANGUAGE plpgsql STRICT;
REVOKE ALL ON FUNCTION grant_all_in_schema(name, name) FROM PUBLIC;
This will set the privileges on all relations: tables, views, indexes, sequences, etc. If you want to restrict that, filter on pg_class.relkind. See the pg_class docs for details.
You should run this function as superuser and as regular as your application requires. An option would be to package this in a cron job that executes every day or every hour.
I did the following to add a role 'eSumit' on PostgreSQL 9.4.15 database and provide all permission to this role :
CREATE ROLE eSumit;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO eSumit;
GRANT ALL PRIVILEGES ON DATABASE "postgres" to eSumit;
ALTER USER eSumit WITH SUPERUSER;
Also checked the pg_table enteries via :
select * from pg_roles;
Database queries snapshot :
In PostgreSQL 12 and later, it is possible to grant all privileges of a table in a database to a role/user/account.
The syntax is:
GRANT ALL ON table_name TO role_name;
If you want to grant it to all tables in the database then the syntax will be:
GRANT ALL ON ALL TABLES TO role_name;
If you want to grant it to all tables of a schema in the database then the syntax will be:
GRANT ALL ON ALL TABLES IN SCHEMA schema_name TO role_name;
Note: Remember you will need to select the database before you can grant its privileges to a user.
Resources: PostgreSQL GRANT
That's all
I hope this helps
GRANT USAGE ON SCHEMA schema_name TO user;
GRANT ALL ON SCHEMA schema_name TO user_name;
Give all permissions to a user on a PostgreSQL database:
Command:
grant all privileges on database [database_name] to [database_user_name];
Example:
grant all privileges on database studentdb to shaifullah;
OR
GRANT ALL PRIVILEGES ON DATABASE studentdb TO shaifullah;