I have a database on SQL Server 2008 R2 that has two schemas, the default dbo and another one called Webapps, and both schemas are owned by dbo.
I created a view in the Webapps schema (Webapps.getInventory) that just does a simple select from dbo.Inventory. Then I created a user called Webuser that has SELECT permission to the Webapps schema.
Webuser can login and see the Webapps.getInventory view, but when it tries to select from it this error comes up:
The SELECT permission was denied on the object 'Inventory', database 'Database', schema 'dbo'.
I was thinking that since both schemas are owned by dbo, ownership chaining would allow the query to execute. The only way I seem to be able to get it to work is give Webuser permissions on dbo, or add it to the db_datareader role for the whole database. To me that seems to defeat the purpose of trying to separate things out into the Webapps schema if the user has to have read ability to everything else in the database.
So, am I overlooking something in my setup? Or is it correct that Webuser must have permission on both schemas in order for this view to work?
Eric I think you are "jumping" over a step in the ownership chain...
Have (another) look at this article: Ownership Chains Here is a snippet "Ownership chaining enables managing access to multiple objects, such as multiple tables, by setting permissions on one object, such as a view."
The chaining doesn't care that both schemas are owned by dbo, but rather that each login/user has appropriate permissions on object. So if you have a table owned by dbo that is included in a view where you have given select access to the webapps schema, then the users with access should have access to the table. The ownership chain isn't checked deeper than the fact that they can select against the view, no need to evaluate if they can select against the table.
So long story short, if you wrap the dbo.table in a view where webapps has select permissions then you should be good.
Hope that helps...
Another reason that cross-schema ownership chaining may break is if the schema owners were recently changed, e.g. setting them to the same owner specifically in order to use ownership chaining. You may need to drop and recreate the views (and add the permissions back) before it will work.
SQL Server caches various properties of views, and I saw a case where this caching appeared to be causing SQL Server to not realize that an object accessed by the view actually did have the same owner at that point. It gave a "permission denied" error on the object accessed by the view. Dropping and recreating the view fixed the problem. Rebooting the database server might have also fixed it, but that was not an option at the time.
SQL Server also allows individual objects to have specific owners different from the schema owner, and I confirmed that neither the view nor the accessed object had a separate owner set. I saw this in SQL Server 2012. Not sure if it's been fixed in newer versions.
Related
I'm running a SAP HANA database in HDI container and created a corresponding HDI Container admin. I would like to be able to grant users (for support purpose) access not to the whole schema, but only to a few selected tables. How to do it? All examples I found online look like this - and grant access only to a whole schema
CREATE ROLE SCHEMA_NAME.ROLE_NAME NO GRANT TO CREATOR;
GRANT SELECT ON SCHEMA SCHEMA_NAME TO ROLE_NAME;
I know there is an option to use .hdbrole file during deployment, where also object privileges can be written up, but it seems I would have to run deployment each time whenever I need to create a new role. And I would like to create these roles right from the SQL console. Is it possible? And if yes, how to do it?
By running the CREATE ROLE and GRANT commands in the SQL console you create catalog/runtime roles.
These cannot be transported to any other container or DB but only live in this very instance of the database.
Now, that is usually not what you want to have when dealing with HDI containers or containerized applications in general.
Creating schema objects on the fly commonly leads to operational challenges (who has access to what, where, when, why, how?) and should rather be avoided.
But, sure, you can simply connect to the container with any user that has appropriate permissions and run those commands. That includes the usual GRANT SELECT on <table_name> TO <role>; it doesn't have to be the whole schema.
Microsoft's docs on schema ownership don't go beyond saying "Schemas can be owned by any database principal, and a single principal can own multiple schemas." (MSDN doc)
I get that schemas are a way of containing different security permissions, but what is the purpose of assigning an owner to a schema and what special privileges does that user who owns the schema receive as opposed to simply being a member of the schema?
An owner of a schema is like the sysadmin within that schema, can create , drop, select , update, delete , alter objects, give permissions to other users , revoker permissions of other users and pretty much everything .
On the other hand a user with in a schema can only do the operations according to what database role was given to them , for example will be assigned these permission as Permission to create objects, db_datareader can only issue select statements against tables, db_datawriter can do inserts/updates and the list goes on.
You dont want every user who has access to database to do all sorts of operations, some people will have less access some will requires more access, hence the different roles to suit user specific needs.
Ownership of schema has it roots with the problem we had in past before sql server 2005 when there were no schemas and objects were owned by users. To separate users from objects schemas were introduced and the concept of "Schema Ownership" was introduced, it is just another way of saying that this user has all the permissions in a schema.
Hello and thank you for your time,
I am using sql 2008
I created a db that has nothing of relevance in. Here I want to add views that access other databases. I will then add a user to the db with no relevance and give access to the view.
My obvious problem is that when the user tries to run the view, errors occur where they do not have permission to view the information. (when I use the admin type user, i can access the view and see the results no problem)
Can I create permissions to the view to all SELECT on the two seperate db's so the user can see the results. Or does the user require the read permissions on all the tables queried.
Thank you again.
This is what I tried (and many others but it did not work)
USE no-relevance-server
GRANT REFERENCES ON OBJECT[important-server::dbo.table] TO [the view]
Your issue here is one of cross database ownership chains
You can make it work by following the instructions at http://support.microsoft.com/kb/810474
EXEC sp_configure 'Cross DB Ownership Chaining', '1'; RECONFIGURE
EXEC sp_dboption 'YourDatabase', 'db chaining', 'true'
But be sure to read up about Cross Database Ownership Chaining and the associated risks.
http://msdn.microsoft.com/en-us/library/ms188676.aspx
I am new to schema, roles and user management part in sql server. Till now I used to work with simple dbo schema but now after reading few articles I am intrested in creating schema for managing my tables in a folder fashion.
At present, I want to create a schema where i want to keep my tables that have same kind of functionality. When I tries to create a schema then I faces a problem while using query, permissions etc.
First of all i want to get used to of using schemas then only I want to explore it. But due to initial stages and work pressure as well i m not able to implement it yet.
What can i do to start using schema with default permissions as that of dbo.
Also let me know about creating roles and assigning roles on these schema. I want all this to be accessible by sa user itself at present.
What is the concept behind all these things
Basically
The schema has an owner
Objects in different schemas can access each other with no extra permissions if they have the same owner
Please see my question here: "SQL Server: How to permission schemas?" and RBarryYoung's enlightening answer...
How can create a New user in ORACLE with full access (alter, delete, select, inset, debug, etc) to an only one specific SCHEMA.
Cannot be done. In Oracle privileges are granted on specific objects, unless you have the highpowered ANY privileges, which grant access to any object in any schema.
This is one of those things which seems quite annoying but actually is quite sound. There is no good business reason for granting privileges on all on the objects in a schema en masse. Either
the second schema really needs just a sub-set of privilges on a sub-set of objects; or
the second schema is entirely unnecessary.
Now it may be that the sub-set in the first instance is a very large sub-set. But laziness is not an excuse for poor security practices.
What we can do is generate the grant statements from the data dictionary:
select 'grant select on '||table_name||' to B'
from user_tables
/
(for a script to be run by user A).
This is still better than granting privileges on the schema, because it means at least any new object added by user A will not automatically be propagated to B without an additional action and, hence, without some additional thought as to whether it is appropriate.
You could use a PROXY user. Its not quite the same thing as it allows one database user to connect as another but using their own password.
You can therefore have multiple users, each with their own password, using the same schema.
An example of the code is here.