I would like to make the user console available to our users, but I cannot do so if I can't set permissions on individual data sources. That is to say, user A would only have access to use data source A, and user B would only have access to use data source B.
Is it possible to restrict a user or role to a subset of defined datasources?
Try this for every datasource: http://mondrian.pentaho.com/documentation/schema.php#Access_control
Make sure the Mondrian One-To-One UserRoleMapper is uncommented in the /pentaho-solutions/system/pentahoObjects.spring.xml file.
It will look like this:
https://help.pentaho.com/Documentation/5.1/0N0/020/080/010/000
Related
I'm trying to mask sensitive data via an Azure SQL database.
The data is saved as normal text and one column as XML and another saved as json.
I've tried adding rules to the database but when I open SSMS and run a select statement it does not apply to any of the data in the columns (normal text, xml or json saved data)
There's no user excluded to see unmasked data.
Just want to understand why the data is not masked when I perform a select on SSMS.
My rules look like the below:
XML Rule
JSON Rule:
Text Rule:
My SQL statement:
SELECT TOP (1000) * from database_Name
As the Microsoft documentation says,
The identities in Azure Active Directory (Azure AD) or SQL are included in the masking process and should have access to the unmasked sensitive data.
Maybe you are accessing the data as a SQL admin or Azure AD user; because of that, you can see the sensitive data.
By hiding important information from unwanted users at multiple layers of the database, you may prevent access and gain control. You may give or remove UNMASK permission to a user.
The code, taken from the Microsoft documentation:
Give UNMASK permission to user
GRANT UNMASK ON Data.Membership TO [USER];
To Query the data under the context of user
EXECUTE AS USER='USER';
To revoke UNMASK permissions
REVOKE UNMASK ON Data.Membership FROM [USER];
Data after granting permission to user
Data after removing permission from user
References taken from:
SQL Database dynamic data masking with the Azure portal
Granting and Revoking the Permission
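The check the answer above describes, written out as an added T-SQL example (not code from the original post or from Microsoft's documentation): it confirms the masking rules exist, shows which principal the SSMS session runs as, and then queries as a low-privileged user before and after UNMASK is granted. The Demo schema, Customer table, MaskTest user and the sample row are assumptions constructed for this example.

```sql
-- Constructed demo objects (assumptions for this example): Demo schema,
-- Customer table, MaskTest user. GO separates batches in SSMS / sqlcmd.
CREATE SCHEMA Demo;
GO
CREATE TABLE Demo.Customer (
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    Email       NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    ProfileJson NVARCHAR(MAX) MASKED WITH (FUNCTION = 'default()') NULL
);
INSERT INTO Demo.Customer (Email, ProfileJson)
VALUES (N'alice@example.com', N'{"card":"constructed-sample-value"}');
GO

-- 1. Confirm the masking rules are attached to the columns.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON t.object_id = c.object_id
WHERE c.is_masked = 1;

-- 2. Check which principal this session runs as. The server admin, the
--    Azure AD admin and db_owner members are always excluded from masking.
SELECT SUSER_SNAME()             AS login_name,
       USER_NAME()               AS database_user,
       IS_ROLEMEMBER('db_owner') AS is_db_owner;

-- 3. Create a user that has SELECT but not UNMASK and query as that user;
--    this is the context in which the masking functions are applied.
CREATE USER MaskTest WITHOUT LOGIN;
GRANT SELECT ON Demo.Customer TO MaskTest;

EXECUTE AS USER = 'MaskTest';
SELECT Email, ProfileJson FROM Demo.Customer;
REVERT;

-- 4. Grant UNMASK on the table and repeat the query as the same user to
--    compare, then take the permission away again.
GRANT UNMASK ON Demo.Customer TO MaskTest;

EXECUTE AS USER = 'MaskTest';
SELECT Email, ProfileJson FROM Demo.Customer;
REVERT;

REVOKE UNMASK ON Demo.Customer FROM MaskTest;

-- Clean up the constructed objects.
DROP USER MaskTest;
DROP TABLE Demo.Customer;
DROP SCHEMA Demo;
```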
What privileges can I grant to let everyone in the world query my information schema? i.e. I want everyone to be able to run:
select * from `projectid`.INFORMATION_SCHEMA.SCHEMATA
Currently I get back:
Access Denied: Table projectid:INFORMATION_SCHEMA.SCHEMATA: User does not have permission to query table projectid:INFORMATION_SCHEMA.SCHEMATA
Usually in BigQuery you set permissions at the dataset level. For example, this query will run for anyone, as the dataset is public for everyone:
SELECT *
FROM `fh-bigquery.flights.INFORMATION_SCHEMA.TABLES`
But you can't do this:
SELECT *
FROM `fh-bigquery.INFORMATION_SCHEMA.SCHEMATA`
This is because you need project level permissions to see all my datasets, even the ones I haven't made public.
If you really want to share the schemas of all your datasets with the world, then you could create a custom role just for this, with the bigquery.datasets.get permission:
https://console.cloud.google.com/iam-admin/roles
Then you need to assign this role to all users - but that's not an option.
At the project level, you can assign this role to one of these:
Google Account email: user@gmail.com
Google Group: admins@googlegroups.com
Service account: server@example.gserviceaccount.com
G Suite domain: example.com
One option in this case:
Create a Google Group.
Give this new role to this new Google Group.
Make this Google Group free to join.
Tell people "hey, if you want to see my project SCHEMATA, join this group".
Then all will work.
We have Big-Query on project PRJ-A with 30 datasets
Question:
1/ If we have another project (ex: PRJ-B), how can we grant view permission on PRJ-A for all users on PRJ-B? (It means: user_01 on PRJ-B can select "dataset" of PRJ-A.)
2/ If we have a group user (ten users) and they have not VISA and we do not want to add them to our PRJ-A (because they can view our information about instance,app,configurations ... )
How can we grant view permission for them? (Maybe we can use a global user for ten users.)
Until now, we intend to use "bq command" to solve : install gcloud sdk tool on server A, after that, grant privileges to ten users can use bq command.
For #1, there is no way to reference all users of Project A in ACL for project B. So the best options I see are domain, userByEmail, or groupByEmail, depending on your specifics.
If you would need to reference Users of the same project - specialGroup would be your choice
https://cloud.google.com/bigquery/docs/reference/v2/datasets#resource
For #2
I think, groupByEmail (An email address of a Google Group to grant access to.) is your option
I've never touched PervasiveSql before and now I have a bunch of .ddf and .Btr files. I read that all I had to do was create a new database in the control center and point to the folder that contains these files.
When I do this and look at the database there is nothing in it. Since I am new to Pervasive, I'm more than likely sure that I'm doing something wrong.
EDIT: Added a screen shot after running command prompt
To create a database name in the PCC, you need to connect to the engine then right click the engine name and select New then Database. Once you do that, the following dialog should be displayed:
Enter the database name, and path. The path being where the DDFs are located. In most cases the default options are sufficient.
A longer process is documented at http://docs.pervasive.com/products/database/psqlv11/wwhelp/wwhimpl/js/html/wwhelp.htm#href=uguide/using.02.5.html.
If you pointed to a directory that had DDF files (FILE.DDF, FIELD.DDF, and INDEX.DDF) when you created the database name, you should see tables listed.
If you pointed to a directory that does not have DDF files, the database will still be created but will have no tables defined. You'll either need to get DDFs from the vendor or create the table entries using CREATE TABLE (with IN DICTIONARY clauses) or use DDF Builder to add table entries.
Based on your screen shot, you only have 10 records in FILE.DDF. This is not enough. There are minimum system tables required (X$FILE, X$FIELD, X$INDEX, and a few others). It appears your DDFs are not a valid set. Contact the client / vendor that provided the DDFs and ask for a set that includes all of the table definitions.
Once you have tables listed in your Database Name, you can use ODBC to access the data.
I need to give an 'Active Directory User Group' read access to a tabular model database. I am not able to find the group when searched, to add it to a role.
As mentioned here for a database instance, adding the group to 'Logins' in 'Security' Folder is the first step. But 'Security' folder is not there in case of tabular model as shown in screen shot below. First one out of 3 is Tabular Model instance:
(source: sqlmusings.com)
I am admin for the server if that would be required. How to give 'Active Directory User Group' read access to a tabular model?
First, there must be a role defined in the Tabular model. Then you add the active directory group to the list of members. If the model was developed/deployed from a system that doesn't have access to the domain, then the group will have to be added after the fact. This can be done via SSMS...
Navigate to the roles folder:
<SSAS Tabular Instance> | Databases | <tabular model> | Roles
Right-click the role to which you want to add the active directory group
Select the Membership page
Click Add
...at this point, make sure the correct objects are selected (users, groups, etc), and locations (network, domains, etc)...this window is pretty standard in windows apps.