I have SQL Server 2008 R2.
I have denied SELECT on all [sys] schema, and INFOMRATION_SCHEMA objects for a user.
But the user has to be able SELECT from INFOMRATION_SCHEMA.PARAMETERS,
but despite the REVOKE:
REVOKE SELECT ON OBJECT::[INFORMATION_SCHEMA].[PARAMETERS] to myUser;
the user still cannot select from that table/view.
I guess I have to REVOKE more, previously DENIED permissions on those system views/tables, but not sure which.
Any thought?
Have you tried:
REVOKE SELECT ON OBJECT::[INFORMATION_SCHEMA].[PARAMETERS] FROM myUser;
Note the change with keyword FROM. Examples are shown on Microsoft's website here.
Its not another [sys] table, but DENY VIEW DEFINITION permission which blocked me.
Related
I have a requirement where I need to revoke users access on a particular schema as we will be purging that schema and its table in future.
Currently, the process followed to create Schema and grant access is like below,
Create Schema
Create DB Role
Create Azure AD Group on azure portal
Create DB User with the same name as AD group
Then, we run EXEC sp_addrolemember command to add DB user to DB role in database.
Finally, we run the Grant command to give permission (Select, Insert etc) on Schema to DB Role.
Now, whenever any new user need access to that schema we simply add him in the Azure AD group and he is able to see and access that schema.
However, when I Revoke the access of user by removing him from Azure AD group he is still able to see that Schema.
As I am not an expert in SQL so I am not sure what am I missing in order to revoke his access.
I also tried Revoke command like below but still the user is able to see the schema.
REVOKE SELECT ON SCHEMA :: Schema_Name TO [DB Role]
Am I missing anything, can anyone please let me know the right steps to revoke user access so that they should not be able to see that schema anymore or should not be able to run any command on that schema not even select command?
Then, in addition to remove it from the AD group, try to deny permissions on the schema:
DENY SELECT,VIEW DEFINITION On SCHEMA::Schema_Name To [user_name]
I was using node.js to work on snowflake datawarehouse as a destination for users. I wanted to check if a user has the required permission level on the schema to create a table and write into it before adding the user to the database otherwise it should give an error saying that the user does not have the appropriate permission level. How can I achieve that programatically?
Thanks,
one way you could do is check if the role has SEELCT privilege on the table by looking into the view TABLE_PRIVILEGES in information_schema schema.
select * from information_schema.TABLE_PRIVILEGES where table_name = 'SALES_RAW'
Due to how permissions can be inherited through the role hierarchy, this isn't easy to do. Permissions aren't assigned to users in Snowflake, they are assigned to roles. You could use the table_privileges in the information schema (as Himanshu said). You'll need to ask your admin for privileges to the information_schema schema in the databsae:
You could probably use some combination of these too:
show grants to user [username]
with
show grants on schema [schema name]
The easiest way would be to have your app / script / service assume the same role as the user and see if you can select from a table in the schema or try to create a temporary table in the schema. If you receive an error code, the user doesn't have permissions!
I have two databases.
Databases:
1. DB1
2. DB2
I have created two new logins.
Logins:
1. DB1_login
2. DB2_login
Next, I created user for each database mapped to the above logins.
create user DB1_login1_user1 for login DB1_login;
create user DB2_login2_user2 for login DB2_login;
So, DB1_login1_user1 user of DB1 database will be mapped to DB1_login1 login and DB2_login2_user2 user of DB2 database will be mapped to DB2_login2 login.
Granted database role permissions for both users is db_datareader and db_datawriter.
In DB2, I have a table named dbo.sample_table.
My requirement:
Let us consider that I have logged in as DB1_login1.
In this login, I have granted permissions for DB1_login1_user1 user to DB1 database.
Now from DB1, I have to select a table dbo.sample_table at DB2, which was mapped to another login DB2_login2.
Below is the query what am I trying to do is.
--CURRENTLY LOGGED IN AS DB1_LOGIN1
USE DB1;
EXECUTE as login='DB2_login2'
select * from DB2.dbo.sample_table
GO
I tried GRANT IMPERSONATE on LOGIN::DB2_login2 to DB1_login1, but it didn't work and also, I'm not aware about granting permissions across logins. I think granting permissions matters and I need help in doing that.
How can I execute the above query successfully?
Any help would be appreciable.
The users you created exist only in their respective databases, so what you're trying to do is not possible. Even if it were, or you allow acces (create users for login) in both databases and give then permissions and enable cross-database access, it would be too much of a security risk.
I'd suggest using stored procedures to acces data cross database. Stored procedure should be signed with a certificate, and the same certificate created in both databases. I've had it implemented on various occasions and it works flawlessly.
There is a great sample of this by Erland Sommarskog here.
I did granting permissions on login.
From administrator login "Sa", I executed the below query.
GRANT IMPERSONATE ON LOGIN::DB2_login to DB1_login;
And then from DB1_login, executed the below query for accessing DB across logins.
USE MASTER;
EXECUTE as login='DB2_login';
SELECT * FROM DB2.dbo.sample_table;
REVERT;
GO
Finally for my situation, I have solved the problem.
I'm getting the following error when trying to read a SQL Job.
The SELECT permission was denied on the object 'sysjobs', database 'msdb', schema 'dbo'
How can I fix this?
You need to GRANT the SELECT permission for the user of your job.
A simple GRANT.
USE pubs
GO
GRANT SELECT
ON authors
TO public
GO
Further information about GRANT
You use the "SQL Server Agent Fixed Database Roles" in msdb (MSDN link): don't assigned permission directly, it'll be a pain to manage
And a "how to" for SSMS: "How to: Configure a User to Create and Manage SQL Server Agent Jobs (SQL Server Management Studio)"
Note: you need a user (MSDN) in one of these roles: no need to GRANT any rights
Make sure you aren't overriding the default user, usually a SQL Agent Account, with a user who does not belong to the necessary role.
I have a database that I need to connect to and select from. I have an SQL Login, let's call it myusername. When I use the following, no SELECT permission shows up:
SELECT * FROM fn_my_permissions ('dbo.mytable', 'OBJECT')
GO
Several times I tried things like:
USE mydatabase
GO
GRANT SELECT TO myusername
GO
GRANT SELECT ON DATABASE::mydatabase TO myusername
GO
GRANT SELECT ON mytable TO myusername
GO
It says the queries execute successfully, but there is never any difference in the first query. What simple thing am I missing to grant database level select permissions.
As a note, I made double sure it was the correct user, correct database, and I have already tried granting table level select permissions. So far I keep getting the error:
SELECT permission denied on object 'mytable', database 'mydatabase', schema 'dbo'.
Any ideas what I'm missing? Thanks in advance.
EDIT/UPDATE:
Upon right clicking the SQL User in SQL Server Management Studio 2008, I discovered every single Database role is checked, including db_denydatareader and db_datareader... might this be blocking my ability to grant permission at the database level? If this is so, what is the purpose of db_denydatareader? It seems silly to me to have a 'DENY' that can't be viewed when querying permissions.
SUMMARY:
Sure enough, that fixed it.
In SSMS - under Databases-->mydatabase-->Security-->Users-->myusername, right click the username, select properties. Under database role membership, make sure db_denydatareader is not checked as this will override whatever permissions you had granted.
Knew it was something simple. :)
Have you tried reconnecting with that SQL user account?