Default permissions for new objects in the schema - permissions

I'm working on a DB2 for i database (aka DB2/400), on a schema (library) named S.
Inside schema S, I create database tables, procedures etc. with user A. I need that also user B has all privileges on such new objects. So I granted all privileges to users A and B on schema S. But new objects don't inherit them!
So I tried many configurations: on System i Navigator I played with authorization lists, "New Objects" button on permissions dialog for schema S... but nothing worked.
How can I set kind of default permissions to be automatically inherited by new objects created in my schema?
The only working alternative I know is remembering to grant privileges to user B every time I create an object. Not so smart...

Security is a large topic. It's normally handled by an administrator; someone who is aware of the larger ramifications of altering permissions to libraries.
There are several related settings to consider. Since you're trying to secure individual objects, you probably have restricted public authority either by setting QSECURITY to *EXCLUDE, or changing the library's CRTAUT to *EXCLUDE.
If we want ALL newly created objects in this library to have the same authority, consider an authorization list. I know that you said you played wuth authorization lists, but you didn't specify what you did.
Create an authorization list. Authorise user A and B to the authorization list. CHGLIB myschema CRTAUT(myautl). Now each object in myschema will have the same authority.

I have IBM i 7.1.
If I create table using 5250 emulator, inside STRSQL, it works, inheriting schema authorization list.
If I create table using iSeries Navigator V5R4M0 (neither with right click on Tables > New > Table, nor with cwbundbs.exe), it doesn't work. Authorization list is not inherited...
So it seems to be a bug in iSeries Navigator. Maybe someone with a newer version of it could confirm us if this has been fixed.
Full details in the chat with #BuckCalabro.

Related

How to create a role that can access only selected tables during runtime

I'm running a SAP HANA database in HDI container and created a corresponding HDI Container admin. I would like to be able to grant users (for support purpose) access not to the whole schema, but only to a few selected tables. How to do it? All examples I found online look like this - and grant access only to a whole schema
CREATE ROLE SCHEMA_NAME.ROLE_NAME NO GRANT TO CREATOR;
GRANT SELECT ON SCHEMA SCHEMA_NAME TO ROLE_NAME;
I know there is an option to use .hdbrole file during deployment, where also object privileges can be written up, but it seems I would have to run deployment each time whenever I need to create a new role. And I would like to create these roles right from the SQL console. Is it possible? And if yes, how to do it?
By running the CREATE ROLE and GRANT commands in the SQL console you create catalog/runtime roles.
These cannot be transported to any other container or DB but only live in this very instance of the database.
Now, that is usually not what you want to have when dealing with HDI containers or containerized applications in general.
Creating schema objects on the fly commonly leads to operational challenges (who has access to what, where, when, why, how?) and should rather be avoided.
But, sure, you can simply connect to the container with any user that has appropriate permissions and run those commands. That includes the usual GRANT SELECT on <table_name> TO <role>; it doesn't have to be the whole schema.

Create user that has permission only to given database

I'm trying to create users in MarkLogic that have permissions to given databases. I read Security Guide from MarkLogic docs page and found that you can set permissions on given URIs, Collections or functions.
Permissions on collections can help me with marking given collections from database as readable only for given set of users, but still other users can create and modify documents in different collections (or create documents without collections).
For e.g.
I have two databases:
Test
Test2
And two users:
UserTest
UserTest2
How can I set permissions that UserTest will have permissions read/update/insert/execute on database Test and can't modify or read anything database Test2?
Each database can be associated with a dedicated security database. The way you describe your use case ("UserTest will have permissions read/update/insert/execute on database Test and can't modify or read anything database Test2"), you might want to consider dedicated security databases for the Test and Test2 databases.
The other way would be to use different document permissions for roles for the two databases. You can set read/update/insert/execute permissions at document level for a given role at insert time, or change them with xdmp:document-add-permissions() (retains previous permissions) or xdmp:document-set-permissions() (overrides previous permissions) after insert. For instance, you could have a role Test-Reader for database Test and a role Test2-Reader for database Test2, and ensure that (1) your UserTest user has the Test-Reader role (but not the Test2-Reader role), and (2) that all documents inserted into the Test database pair the read capability with the Test-Reader role (but not the Test2-Reader role) etc. (Same for the other capabilities.)
If controlling this explicitly sounds like a lot of work, note that default document permissions can be declared to apply implicitly both at the user and at the role level.
Finally, if you set no permissions at all during document insert (and if no implicit/default permissions are defined at user or role level), only users with the admin role can read/update/insert/execute.
Here's the relevant section for document permissions from the Understanding and Using Security Guide: https://docs.marklogic.com/guide/security/permissions#id_85471
There is no user-level specifications for a database. But keep in mind, a database is not accessible on its own - it is accessible by way of an application(s) which is linked to particular database. Unless you allow people to run eval and allow them to eval against another database, then you application will keep people within the specified database. (Note: ML8 Advanced HTTP server changes this a bit because you can switch database on-the-fly per request- but the rules about being stuck to a single database still stands).
The only other item I think is useful to you is the ability to define which URI prefixes a user can write to, but that does not negate the fact that the application level decided which DB is being accessed.

How to create schema that have an access as that of dbo and can be accessed by sa user

I am new to schema, roles and user management part in sql server. Till now I used to work with simple dbo schema but now after reading few articles I am intrested in creating schema for managing my tables in a folder fashion.
At present, I want to create a schema where i want to keep my tables that have same kind of functionality. When I tries to create a schema then I faces a problem while using query, permissions etc.
First of all i want to get used to of using schemas then only I want to explore it. But due to initial stages and work pressure as well i m not able to implement it yet.
What can i do to start using schema with default permissions as that of dbo.
Also let me know about creating roles and assigning roles on these schema. I want all this to be accessible by sa user itself at present.
What is the concept behind all these things
Basically
The schema has an owner
Objects in different schemas can access each other with no extra permissions if they have the same owner
Please see my question here: "SQL Server: How to permission schemas?" and RBarryYoung's enlightening answer...

How to switch database schema's?

I'm working on a Delphi/WIN32 application that uses an SQL Server database as back-end, using ADO to access the data. There are many users who use this application, but one user is using a special setup: they have multiple database schema's and every schema contains the complete datamodel for the application. Every schema also has a database user which defaults to the specific schema. They also have a separate login account for every database user, allowing them to control which schema to use simply by using a different login account in the connection string.
They use this setup to have a single, centralized database which supports multiple offices. Normally, every office would have it's own database but here, every office has their own schema.
I like this solution that they're using. I haven't thought about this before simply because the application is normally used by single offices. Only this customer had a need to have a centralized database. The application works just fine, even though it's unaware of these schema's, simply because the login account will default to the correct schema.
But now they've asked if it's possible to change the code in a way that the user can select the schema to which they want to connect. Thus, a user needs to be able to switch between schema's in the application. And I don't want to rewrite the code to support these schema's simply because I need to keep the SQL code database neutral. So I'm looking for a way to switch a user to another schema without much impact on the code itself.
Any suggestions?
How about changing the default schema of the user?
ALTER USER <user name>
WITH DEFAULT_SCHEMA = <desired schema>;
Of course you will need to execute this under escalated privileges as I'm sure you don't have all users with ALTER USER capabilities.

TSQL to view, add and delete permissions

I have created several new tables on a new database(Microsoft SQL server 2005). Now those tables are ready for client users to view through Access 2003 by using System DSN ODBC object (with SQL authentication). What I did was to create a Role and a schema in the database, and a login user for my SQL server default with my database and the schema name.
The problem is that clients not only can see tables I created but also system view objects in the database. I am not sure what should I do to setup a SQL login user, a schema and a role so that only my tables will be visible? Not sure why system view objects are visible to login users by default.
Another alternative way to clean up permissions I have right now. I did check some system view objects (a very long list). They all have permission with the schema I created some with public schema. Is there any way by using T-SQL script to view and then to delete permission associated with my schema for those system view objects? After that, I need to use similar scripts to add permission with my schema to the tables I created.
Well, by default, a new user will also be member of the "public" server and database role. The objects in the sys. and INFORMATION_SCHEMA schemas are visible to members of the public role.
You can either explicitly deny your own role access to those schemas, or you could remove the public role from your login user.
Marc