Please explain what is the meaning of Create User and Create Role in PostgreSQL i am new at PostgreSQL.
I try to learn bye myself i understand Create User mean that user who are able to access database cluster and mange it in with in same computer where database cluster is created or from another computer with username and password.
And I think create Role mean which new user i create that user have which kind of role. If i set create role to user that he is not able to change database so he can't. But if i set create role this user are able to change database he can.
Can anyone explain more clearly?
Thanks in advance
In PostgreSQL 9.4 documentation it says:
CREATE USER is now an alias for CREATE ROLE. The only difference is that when the command is spelled CREATE USER, LOGIN is assumed by default, whereas NOLOGIN is assumed when the command is spelled CREATE ROLE.
So your question about CREATE ROLE and CREATE USER transfers to the question about the difference between the LOGIN and NOLOGIN attribute as PostgreSQL knows only roles.
According to the description the LOGIN/NOLOGIN attribute determines whether or not a role can be used to connect from a client. A client can be anything from your pgAdmin III to lets say a web application.
To test this you might want to create a role with LOGIN attribute and use it instead of your postgres role to connect to your server via pdAdmin III.
A role with NOLOGIN attribute can't do this. This type of role can be regarded as an object you can add privileges to. LOGIN roles might then inherit those privileges by adding them as a member.
One can think of the whole matter in terms of groups and users being members of groups.
So after all I think this is just another way of expressing what you already said.
Related
I'm running a SAP HANA database in HDI container and created a corresponding HDI Container admin. I would like to be able to grant users (for support purpose) access not to the whole schema, but only to a few selected tables. How to do it? All examples I found online look like this - and grant access only to a whole schema
CREATE ROLE SCHEMA_NAME.ROLE_NAME NO GRANT TO CREATOR;
GRANT SELECT ON SCHEMA SCHEMA_NAME TO ROLE_NAME;
I know there is an option to use .hdbrole file during deployment, where also object privileges can be written up, but it seems I would have to run deployment each time whenever I need to create a new role. And I would like to create these roles right from the SQL console. Is it possible? And if yes, how to do it?
By running the CREATE ROLE and GRANT commands in the SQL console you create catalog/runtime roles.
These cannot be transported to any other container or DB but only live in this very instance of the database.
Now, that is usually not what you want to have when dealing with HDI containers or containerized applications in general.
Creating schema objects on the fly commonly leads to operational challenges (who has access to what, where, when, why, how?) and should rather be avoided.
But, sure, you can simply connect to the container with any user that has appropriate permissions and run those commands. That includes the usual GRANT SELECT on <table_name> TO <role>; it doesn't have to be the whole schema.
When I scan my database, it shows one of the result like VA1143 'dbo' user should not be used for normal service operation in A Vulnerability Assessment scan
They have suggested to "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions."
I have browse regarding the same to all form but cannot get the correct suggestion yet. Could you please suggested your idea or where i have to create the user and grand the permission. Since we have only one schema structure in our DB.
About "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.", the first thing you should know is the Database-Level Roles.
Create users with low privileges means that the use does not have the alter database permission.
When we create the user for the database, we need to grant the roles to it to control it's permission to the database.
For example, bellow the the code which create a read-only user for SQL database:
--Create login in master DB
USE master
CREATE LOGIN reader WITH PASSWORD = '<enterStrongPasswordHere>';
--create user in user DB
USE Mydatabase
CREATE USER reader FOR LOGIN reader;
GO
--set the user reader as readonly user
EXEC sp_addrolemember 'db_datareader', 'reader';
For more details, please reference:
Authorizing database access to authenticated users to SQL Database
and Azure Synapse Analytics using logins and user accounts
Hope this helps.
When designing and building databases, one the principal mechanisms for security must be the "least privilege principal". This means that you only give permissions that are absolutely necessary. No application should need to be the database owner in order to operate. This role should be highly restricted to only administration types. Instead, you create a more limited role for the application. It can include access to every single table, all the procedures, but it won't be able to do things like, for example, drop the database.
This is step one to a defense in depth of your system in order to properly and appropriately secure it. It helps with all levels of security issues from simple access to SQL Injection. That's why it's included as part of the vulnerability assessment. It's a real vulnerability.
Yes resolved the issue after creating the least privilege role and assigned to the user. But its leading to different below vulnerable issue's for the newly added user with least privilege role. Any lead will be helpful on this
1.VA2130 Track all users with access to the database
2. VA2109 - Minimal set of principals should be members of fixed low impact database roles
I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
if I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
I am using TOAD for Oracle and connecting to an 11g database. I have a user who has the create role system privilage designated by a role association, however when I run the statement:
create role myNewRole;
I get the error:
ora-01031 insufficient privileges
I don't understand what the issue is here because I've done this before a bunch of times and never had problems. I couldn't find any similar issues relating to the create role statement via google or stack.
Anyone have any ideas of what is going on here?
Problem was solved by looking at the role association against the user. It turns out that it was not set as a default role so the solution was one of two:
Set the role as a default one with alter user <username> default role <role_list>;
Set the role as active in the session using SET ROLE <role>;
Of course if your role has security then you will have to use identified by <password> after the <role>.
Doco for SET ROLE and Doco for Default Role
My understanding of the problem is that Oracle can have cases where you want a role associated with a user however you don't want it active by default so you must explicitly enable it during a session to use it which is extra protection for your database. When a role is set as a default role then it is active every time you log on since the privilages from the role are expected to be used more often and/or not have a large impact(negative) on the database.
Thanks for your comment #ChrisFarmer because it led me in the direction of the answer I was looking for once I realised the sys privilage wasn't in my session.
It explains why a user who I granted DBA role received ORA-01031 when try to change password for another user. On the session he needs to SET ROLE ;
I have a database called ADB.
When I create a new user/role, that user cannot, by default SEE ADB and query against the tables in it.
How can I change that default?
Depending on how you create roles, it may be that your database does not give access rights to the 'public' role (which by default is what new roles belong to). You could grant all rights on the database to public, or make the new role a sub-role of whatever role does have access rights to it.