I just came across the concept of SYNONYM in a database. By reading this: http://msdn.microsoft.com/en-us/library/ms187552.aspx
and this What is the use of SYNONYM in SQL Server 2008? I figure out the purposse of synonym.
however, I still don't understand a little step in real process of creating a synonym for a remote table. I have search the web, but generally the instruction mainly focus on SQL syntax(for example this one:http://www.oninit.com/manual/informix/english/docs/dbdk/is40/sqls/02cr_prc8.html). And I find none of the guidance mention the authentication part when creating a synonym for remote table. I guess a database can't just let anyone make a synonym then get the access to its tables?
so I curious how the target remote table's database can know if the synonym reference accessing its table is legal?
The answer to your question is going to depend a lot on what database platform you are using to contain the synonym; in your question, you referenced documentation from at least two (SQL Server and Informix). I don't know much about Informix, but I'm going to assume that it's security model is different than SQL Server.
For SQL Server, the remote server must be set up as a linked server first (assuming that you are using a remote object). See http://technet.microsoft.com/en-us/library/ms188279.aspx for details on how to do that.
From CREATE SYNONYM:
You do not need permission on the base object to successfully compile the CREATE SYNONYM statement, because all permission checking on the base object is deferred until run time.
That is, there's no security issues around synonyms, because the permissions checks take place when the synonym is used, and the permission checks are based on the real object, not the synonym.
Related
I'm trying to create a link between MS Access and a remote Informix db.
The Access db will be used for generating reports/views etc with the data from the linked Informix db.
I have setup a DSN for the Informix DB and can connect to it.
Using the MS Access 2016 GUI I can select to create a link via the external data tab. However, I need to make sure that this is a read only link. It is imperative that any changes made (either on purpose or accident) in the linked access db do not filter back.
One option I have considered was contacting the Informix DBA to make sure my account is read only. Unfortunately, this is not possible, so I wonder if there is some other approach I can take?
Informix ODBC doesn't support SQL_ACCESS_MODE and as far as I know, there is no option that would make a 'read-only' connection.
You can ask our DBA to create a view on the table and restrict access on just that view (e.g. only have the 'SELECT' permission on it). Then use that view as the source for your linked table.
A second option would be to not have a linked table, just import the data from the source.
There are several things you can do to create a read-only connection.
The most secure way, in general, is to create a user that only has read access, and use that user for your DSN (also fixes the issue that DSN information is publicly available in Access and might be reused.
Another way is to set SQL_ACCESS_MODE to 1 (=SQL_MODE_READ_ONLY) in your DSN file, which creates a read-only connection on supported databases. However, a tech-savvy user can just change that value, so this doesn't add the security the first way provides.
Best safest solution is for the Informix DBA to create a new user for your Access front end with GRANT SELECT permissions only for the tables your application will be querying.
When I removed my app from the Bluemix dashboard, it removed the associated SQL db as well. I have a script that creates new tables/indexes with our schema name but the free version of SQL database does not support user-defined schema names. The problem is in our code, we need to have our schema name rather than user*** schema name.
Does Bluemix still offer small version of SQL database ? If not, is there a way to recover our database, or is there a way I can rename the user*** schema created by the free version to the name I want?
Unfortunately it is not possible to use a user defined schema name. Anyway as a general rule in development, properties like schema name or connection properties should be parametric, in order to have more flexibility in your solution.
What is preventing to have your SQL to be adapted to the new db instance? You could have a simple script which load it and run on the instance, without any need to use an hardcoded schema name
SQL Server ....
I have long been under the assumption that granting stored procedure exec to a principal means that the SP can do whatever it needs to do and optionallly return a result.
I am developing currently on a 2012 database. I created a SP and granted exec to a SQL login.
The user got error messages.
I also had to grant rights on a table and a function that I use inside the SP.
My world view also held that views and functions did NOT transfer rights in this way.
Has something changed? Have I just operated under a false pretense all this time?
I have googled for an answer, but cant seem to find an article that discusses this topic.
Any thoughts?
Thanks
Greg
Databaes chaining is the concept that addresses these type issues.
In 2005 forward, the notion of owner of an object became the notion of the schema that holds the object.
In my particular case, the stored procudure is in one schema , the function in another, and the table in yet another schema. Hence the need for these multiple grants.
I have never really used schemas before this assignment. Thats just how they do things here, and thats ok. Hence, my surprise at this behaviour.
Greg
I've set up multiple views in a sql server database. These views are are selected from in a stored procedure which has WITH EXECUTE AS 'proxyuser' clause in it's declaration. The select statement it executes is created dynamically, and executed with the sp_executesql stored procedure. Everything has worked correctly until it became necessary to include a join to a table in a different database in the definition of one of those views, so that the view is selecting from both the database where it resides and another database on the same server.
The error I'm getting is this: The server principal "proxyuser" is not able to access the database "mydb" under the current security context.
This is what I've tried:
Deleting the proxyuser from the second database and mapping the login to the database as recommended here..
http://sqlmusings.wordpress.com/2008/06/12/issue-server-principal-is-not-able-to-access-the-database-under-the-current-security-context/
Enabling cross database ownership chaining as recommended here..
http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/07dcab8c-b830-4ca9-8afc-3e75772f44d3/
and my scenario doesn't meet the requirements outlined by Microsoft Support Article #913422, which describes the same error message. The proxy uses Sql Server Authentication, not Windows Authentication.
Any ideas?
Thanks in advance.
I'm finally coming back to this after a long side-track working on a different project. I worked it out so that I'm no longer using the WITH EXECUTE AS 'proxyuser' syntax. The user I was connecting with had sufficient permissions to perform the action. I'm not sure why I didn't try that before.
Am querying a remote database using DBLink. Now am wondering to speed up the query, how can i add indexes to few columns in the remote table.
Would appreciate if anyone can provide any recommendations around the same.
You could use DBMS_JOB or DBMS_SCHEDULER packages on the remote database to schedule a job, executing DDL.
But consider this, if Oracle throws an exception for DDL over databse links, there must be a good reason for it, right? You don't want anyone messing with your schema remotely over a database link. So instead, talk to the remote DBA and try to figure out solutions with him/her.
it can't be done over the dblink (even if your dblink is using the owning schema) you will see
ORA-02021: DDL operations are not allowed on a remote database
You could create a Materialized View in the remote database based in your query, add your prefered indexes to it, and then, if you need it, create a synonym for that materialized view.
John,
A good place to start would be the following Oracle documentation on "Tuning Distributed Queries".
http://download.oracle.com/docs/cd/B28359_01/server.111/b28310/ds_appdev004.htm
you could create the indexes in the remote database and build up your query in a view form (in the remote database of course).
that way the remote database will complete the query using all the methods he got (like indexes) and bring you back only the wanted resultes.