I have created a group in AD called 'Domain\SQL Admins', containing 3 high level employees and 2 generic usernames (with very strong passwords). This group has been added to the various SQL servers and given god rights.
My question - Is there a way to downgrade one of the generic usernames to read only on one particular server?
Example:
Desired results - within in this 'Domain\SQL Admins' group:
Domain\JDoe (sysadmin)
Domain\JSmith (sysadmin)
Domain\DJones (sysadmin)
Domain\ServerUser (sysadmin)
Domain\JobRunner (read only)
I am thinking i may need to remove the read only user and create a new group / add this user specifically to each server in question.
Thanks.
SQL 2008 R2
Since you have used AD Groups to create logins and give permission/ assigned roles. If a user is a member of a group and he/she will have all permissions/Roles assigned to that group. Even if you create a separate login for that user and take away permissions on that individual login level, that user will still have permissions since he/she is member of a group who has all the permission.
You will need to remove that user from the AD group. Create another group for read-only permission or use that user's account to create a login an give read-only permission to that user.
Related
I have created a new user in a MaxDb database. I assign a role that has access to all the tables in roleprivileges but the user can not see these tables.
The user can access the tables if I assign permissions directly to the tables in tableprivileges.
The role has access, other users have this role assigned and they see all the tables.
What can be failing?
Today I've heard of MaxDB for the first time (what an ignoramus, eh?). I'm not sure why you tagged your question with the "Oracle" tag; Google says that MaxDB <> Oracle.
Anyway: it sounds like common problems in Oracle's PL/SQL, where privileges - acquired via roles - won't work, but have to be granted directly to the user.
Saying that "other users have this role assigned and they see all the tables", are you sure that they don't have direct privileges granted as well?
Assuming this deals indeed with MaxDB, and not with Oracle:
In contrast to privileges, roles need to be activated for a user session. Assigning is not enough. It is done by command SET ROLE <role>.
A role may also be activated as default for every new session, with command:
ALTER USER <user> DEFAULT ROLE <role>.
You can also activate all roles assigned to the user, like this:
ALTER USER <user> DEFAULT ROLE ALL.
I have a group login which has the Server Role "dbcreator". Users of this login has been granted execute on "sp_delete_database_backuphistory" so that they can delete each others databases. The problem now is that it is possible for these users to delete databases created by other logins. Is there a solution for this? Can permissionĀ“s be set, so that these users ONLY can delete databases created with this login?
You can't do this directly, but you can wrap the system sp_delete_database_backuphistory into your own usp_delete_database_backuphistory
that can call sp_delete_database_backuphistory or return immediately depending on a result of the check you want to perform.
I cannot ask you in a comment what do you mean saying 'databases created by other users', first of all only login (not user) can create a database but this information (db creator) you cannot extract from any system metadata, all you can get is the current database owner and this can differ from database creator.
I mean, when you create a database you can explicitly assign other login to own the database, or you can do this later for certain purposes
I need to run queries as a "user" which is a record in a table, with permissions based on a record value of that user.
I have a database with a tUsers Table, such as:
ID Username Email Role
1 Pieman mail.com Admin
2 Cakedude mail.co.uk Receptionist
3 Muffin gh.com Other
I need to have it so only "users"/records with "Role" of "Admin" can view and edit the table, and "Receptionist" view it etc.
I know of and use GRANT for permissions, but don't know how to run a query as a user based on a table record and to have the permission only GRANTED if that users' role is "Admin"
So if I have:
USE DB1;
GRANT SELECT ON OBJECT::tUsers TO Admins;
GO
SELECT * FROM tUsers
How do I make that run as say tUser with ID 1, and the GRANT if the users' role = "Admin"
I'm sure I've seen this done before.
I'm fairly new and still learning the correct terminology, so if this is a duplicate question, or is essentially just describing an sql Function sorry.
I don't think you can grant or revoke permissions to users in your own user table. However you can of course restrict queries based on your own user table.
One solution is to do it in your application. Verifier permissions before you do anything for him/her.
Another solution is to use stored procedures which take user id as parameter and do the checking for you in a central place.
The third one is to user parameterized views where you filter out entries one user can't access.
There are other solutions but the basic idea is you need somehow check permissions instead asking dBm server to do it for you.
I'm using the Oracle Database EX 11.2.0.2.0 and I hava a quite simple database created there.
Now the issue is i would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what are the difference between creating system-leveled and particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my databse is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is it any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. An other user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in de Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.
all!
I have a db with tables User and Group, which represent entities in some application. But at the same time there are database users and database groups with the same names. I need to anonymize the database. It's easy to change db tables, e.g. update User set "Name" = "John",... where Id = 100500
But what to do with db users and db groups?
My first thought was to drop user and that create a new one:
drop user John;
create user njoh identified by 'pswd' login policy "root";
But belonging to groups is lost in the approach.
Is there any kind of rename method for db users in Sybase Anywhere 11?
Also I don't know how to change last log-in time and comments for a db user.
The same problem with groups. I didn't try to 'drop groups', 'cause I don't know if there is a possibility in Sybase Anywhere 11.
Could anyone tell me the truth - does the problem have a solution?
No, there is no way to rename an existing user. You can certainly drop it and create a new user but like you said, any group memberships are lost, as are permissions granted on objects like tables and procedures.
The only way to change the last login time for a user is by logging in. You can change the comment on a user by using comment on user is '<string>'.
There is no drop group statement - a group in SQL Anywhere (versions 12 and older) is simply a user with "group authority", so to drop a group you would use revoke connect from <group name>.
Disclaimer: I work for SAP in SQL Anywhere engineering.