Oracle SQL creating user and granting permissions - sql

I'm new to SQL and programming so I apologize if this isn't clearly worded.
I have the following code to create a user and role. I want user1 to be able to select and view table1.
When I run this code user1 isn't able to select table1 and I get the error that the table does not exist.
When prompted with the Database Entry screen I input user and password.
When prompted with the statement "Enter TNS_ADMIN entry or blank for Current Worksheet Database:" I don't input anything.
USER1 is able to connect, but not view the table. Under "other users" in the connection I see USER1 but none of the tables I've established are listed.
Thanks!
CREATE USER user1
IDENTIFIED BY user1
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
ACCOUNT UNLOCK;
CREATE ROLE ReadOnly;
GRANT SELECT ON table1 to ReadOnly;
--GRANT SELECT ON table2 to ReadOnly;
--GRANT SELECT ON table3 to ReadOnly;
GRANT CONNECT to user1;
GRANT ReadOnly to user1;
grant create session to user1;
connect user1
show user
select * from table1;

Assuming that table1 is not owned by user1, you have three options:
You can use the full name of the table in your query:
SELECT * FROM <<schema name>>.table1;
You can create a synonym for table1. A private synonym in the user1 schema would generally be preferred, but a public synonym would also work. As user1:
CREATE SYNONYM table1 FOR <<schema name>>.table1;
SELECT * FROM table1;
Or you can change the default schema (for name resolution purposes; this has no impact on privileges):
ALTER SESSION SET current_schema=<<schema that owns table1>>;
SELECT * FROM table1;
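The following is an added example, not part of the original question or answer: an Oracle check sequence that confirms the SELECT grant really reaches user1 through the role before changing how the name resolves. APP_OWNER is a hypothetical schema name standing in for the real owner of table1, which the post does not state.

```sql
-- Assumption: table1 lives in a schema called APP_OWNER (hypothetical name).

-- 1. As a DBA: find the real owner and see what the role carries.
--    Unquoted identifiers are stored in upper case, so the role created
--    as ReadOnly appears in the dictionary as READONLY.
SELECT owner, table_name
FROM   dba_tables
WHERE  table_name = 'TABLE1';

SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'READONLY';

-- 2. As user1: confirm the role is enabled in this session and that the
--    table is visible through it.
SELECT role FROM session_roles;

SELECT owner, table_name
FROM   all_tables
WHERE  table_name = 'TABLE1';

-- 3. As user1: an unqualified name is looked up in user1's own schema
--    first, so qualify it with the owner reported in step 2.
SELECT * FROM app_owner.table1;

-- 4. Optional, as a DBA: create the private synonym in user1's schema.
--    The script in the question never grants CREATE SYNONYM to user1, and
--    creating the synonym from the DBA side keeps user1 read-only.
CREATE SYNONYM user1.table1 FOR app_owner.table1;

-- 5. As user1: the synonym changes name resolution only. Access still
--    depends on the SELECT grant carried by READONLY.
SELECT * FROM table1;
```

If step 2 returns no row from all_tables, the grant was made on a different table1 than the one user1 needs, and no synonym or current_schema setting will help.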

Related

Restrict user to certain tables in SQL

We have an Azure-based SQL Server instance on which we want to create a user who would only have SELECT access to two tables in a database that has many more tables. Is this possible? If so, is there a guide I can follow to accomplish this?
You can use the SQL GRANT statement to grant SQL SELECT, and other privileges on tables.
CREATE USER demouser
WITH PASSWORD = 'demopa#ssword1234';
GRANT SELECT ON dbo.student TO demouser
GRANT SELECT ON dbo.Airlines TO demouser
execute as user = 'demouser'
select * from student
select * from Airlines
REVERT;
Execution
Granted SELECT permission to user demouser on Airlines and student table.
demouser user has no access to mydata table

SYS account can not view all tables

As you can see in picture I am connecting to my database as SYS with the SYSDBA below
The filtered tables shown in picture 2 seem to be system tables, right, as all table names end with $?
I am wondering why SYS does not have permission to view the tables we created, e.g. filetable (as shown in the picture above). Is it because this ID does not have permission to select all tables? If yes, how can I allow the ID to have permission to view all tables, including filetable?
Does this SYS account have FULL privileges in the database or not? I tried to use the below command to grant privileges to user but that didn't work, getting the error shown:
SQL> grant SELECT on filetable to user
grant SELECT on filetable to user
*
ERROR at line 1:
ORA-00942: table or view does not exist
What I need to do is create a user and grant select permission on all tables to this user.
What do I need to do?
Simply run
select owner, table_name from dba_tables where table_name= 'FILETABLE';
or fallback to query below if it is not a table, but a view or a materialized view
select owner, object_name, object_type from dba_objects where object_name= 'FILETABLE';
Then take what you see in the column owner and query with it (substitute [owner] with the owner you see). If the query above returns no rows, the object does not exist.
select * from [owner].FILETABLE;

How to view the table contents created by another user in oracle?

I have created a table 'T' under user 'SYS'. Now I want to view the contents of the same table 'T' under another user 'JACH'. I have granted the select privileges on table 'T' to user 'JACH'. But when I try to view the table under 'JACH', it says table doesn't exist. How do I view the table data under user 'JACH'?
[Logged in as user 'SYS']
[Logged in as user 'JACH']
You need to schema qualify your select statement.
If a table is created under SCHEMA1 and you wish to query it while connected to SCHEMA2, assuming that SCHEMA2 has been granted SELECT/READ privileges properly, you should be able to query the table while connected to SCHEMA2 like this:
SELECT * FROM SCHEMA1.TABLE_NAME;

Redshift Table Invisible to Owner

I'm creating a table with a superuser (admin), and trying to GRANT ALL and change the owner of a table.
I'm running the following statements in Redshift, where (non-superuser) john is a member of the developers group (and only a member of the developers group):
GRANT ALL ON users.addresses TO GROUP developers;
ALTER TABLE users.addresses OWNER TO john;
I've confirmed that user john has select/insert/delete/update permissions on users.addresses, and is the owner of the table. I've also confirmed that user john has USAGE on the users schema.
However, when I log in as john, the table simply does not appear. When I try a SELECT * FROM users.addresses, Redshift says that the table does not exist.
What am I missing here? Is there an extra layer of permissions or security in Redshift that I'm not seeing? I've looked through the documentation, but haven't had much luck so far.
Because Redshift is saying that the table doesn't exist, that points towards the CREATE TABLE not being committed to the database when you're running it as a superuser account. If you disconnect as the superuser account and then reconnect and attempt to run the SELECT statement against the table, do you get the same error?
Try running an explicit COMMIT statement after you create the table, and then attempt querying it using the non-superuser account. If the client you are using is wrapping all query executions inside of a transaction block, it is possible that they aren't being committed prior to you connecting with the non-superuser account.
Also for reference, I ran the following queries with auto-commit enabled and was unable to replicate the issue you're describing:
-- Run as superuser account:
CREATE SCHEMA users;
CREATE TABLE users.addresses (
user_id VARCHAR(8) ,
user_address VARCHAR(512)
);
INSERT INTO users.addresses VALUES ('12345678', 'Address 1');
CREATE USER john WITH PASSWORD '********';
CREATE GROUP developers;
GRANT USAGE ON SCHEMA users TO GROUP developers;
ALTER GROUP developers ADD USER john;
GRANT ALL ON users.addresses TO GROUP developers;
ALTER TABLE users.addresses OWNER TO john;
-- Run as non-superuser account 'john':
SELECT *
FROM users.addresses;
-- Result Set:
-- user_id user_address
-- 12345678 Address 1

How to determine what privileges a user has when the username is not present in the DBA_TAB_PRIVS table?

The users listed in the DBA_USERS table do not match the grantees listed in the DBA_TAB_PRIVS table.
So how do I get the privileges for users that are only listed in the DBA_USERS table?
For example, if I do
SELECT USERNAME FROM DBA_USERS;
Then I get a list of login names, such as
USERNAME
--------
BOB17
DBA
JANET5
STEVE34
SYSTEM
And now I want to know what roles and privileges the 'STEVE34' user has.
But when I run the queries suggested online:
SELECT * FROM DBA_SYS_PRIVS;
SELECT * FROM DBA_TAB_PRIVS;
SELECT * FROM DBA_ROLE_PRIVS;
The "Grantee" column does not contain 'BOB17', 'JANET5', 'STEVE34', instead it contains 'SYSTEM', 'PUBLIC', and 'DBA'.
So if 'STEVE34' is not in the Grantee column of any of the PRIVS tables, how do I find out what privileges the user 'STEVE34' has?
The question How to find the privileges and roles granted to a user in Oracle? has 8 answers, none of which solve this question.
I need to know what permissions and roles the users listed in DBA_USERS have, and those users are NOT found in the suggested tables from the linked question.
Further clarification:
If I run this query:
Select USERNAME, GRANTEE from dba_users u
LEFT JOIN dba_tab_privs p
ON u.USERNAME = p.GRANTEE
order by username
This is the result:
USERNAME GRANTEE
-------- -------
BOB17    (null)
DBA      DBA
DBA      DBA
DBA      DBA
DBA      DBA
JANET5   (null)
STEVE34  (null)
SYSTEM   SYSTEM
SYSTEM   SYSTEM
SYSTEM   SYSTEM
How can I determine the privileges for users that are not in the DBA_TAB_PRIVS table?
I am absolutely certain that the users do exist and have some kind of privileges, I watched them log in and watched them successfully do SELECT queries.
I may be going out on a limb here, but I could not help but notice the sample list of users is in lower case. If you copied and pasted the list (as opposed to incidentally typing the names in lower case), it means those users were created using double quotes. You can only find them in any Oracle dictionary view (such as dba_users, dba_tab_privs, dba_sys_privs, dba_role_privs) if you take that fact into account. A double-quoted lower-case username is different from a non-quoted username.
Whenever a grant, revoke, create table or any other DDL must be run against the lower-case double-quoted "steve34", it needs to be double quoted or Oracle will run it against the unquoted, case-insensitive STEVE34.
The same applies to the WHERE clause in SQL on dictionary views. Double-quoted "steve34" becomes case sensitive.
Note in the example below I can create 2 users with apparently the same name, but which are different Oracle users.
FSITJA#db01> create user "steve34" identified by 123;
User created.
FSITJA#db01> create user steve34 identified by 123;
User created.
FSITJA#db01> grant create session to steve34;
Grant succeeded.
FSITJA#db01> select username from dba_users u where upper(u.username) = 'STEVE34';
USERNAME
------------------------------
steve34
STEVE34
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'STEVE34';
GRANTEE PRIVILEGE                                ADM COM
------- ---------------------------------------- --- ---
STEVE34 CREATE SESSION                           NO  NO
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'steve34';
no rows selected
FSITJA#dbd01 2019-07-31 17:18:00> grant create session to "steve34" with admin option;
Grant succeeded.
FSITJA#db01> select * from dba_sys_privs sp where sp.grantee = 'steve34';
GRANTEE PRIVILEGE                                ADM COM
------- ---------------------------------------- --- ---
steve34 CREATE SESSION                           YES NO
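Privileges can also reach a user indirectly, through roles or through PUBLIC, in which case the username never appears in the GRANTEE column. The query below is an added example, not from the original question or answer: it expands the roles of STEVE34 recursively and lists the system and object privileges held by each resulting grantee. It assumes read access to the DBA_* views; the column aliases are illustrative.

```sql
-- Collect every grantee name through which STEVE34 can receive privileges:
-- the user itself, PUBLIC, and all roles reached directly or via other roles.
-- The name must match DBA_USERS.USERNAME exactly; for a user created with
-- double quotes, use the quoted spelling (for example 'steve34') in both
-- places below.
WITH grantees AS (
  SELECT username AS grantee_name
  FROM   dba_users
  WHERE  username = 'STEVE34'
  UNION
  SELECT CAST('PUBLIC' AS VARCHAR2(128))
  FROM   dual
  UNION
  SELECT granted_role
  FROM   dba_role_privs
  START WITH grantee IN ('STEVE34', 'PUBLIC')
  CONNECT BY PRIOR granted_role = grantee   -- roles granted to roles
)
-- System privileges held by any of those grantees
SELECT 'SYSTEM'                     AS kind,
       sp.grantee                   AS received_via,
       sp.privilege,
       CAST(NULL AS VARCHAR2(300))  AS object_name
FROM   dba_sys_privs sp
JOIN   grantees g ON g.grantee_name = sp.grantee
UNION ALL
-- Object privileges held by any of those grantees
SELECT 'OBJECT',
       tp.grantee,
       tp.privilege,
       tp.owner || '.' || tp.table_name
FROM   dba_tab_privs tp
JOIN   grantees g ON g.grantee_name = tp.grantee
ORDER  BY kind, received_via, privilege;
```

The received_via column shows whether a privilege is held directly, through a named role, or through PUBLIC, which is the detail an access review needs before revoking anything.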