What minimum privileges my user needs to get metadata (name of tables, columns, procedures, etc.) from database?
I need to select from:
[database].sys.objects
[database].sys.schemas
[database].sys.extended_properties
[database].sys.sql_modules
[database].information_schema.columns
db_datareader is ok, but I need minimum privileges.
In order to let user only query metadata of objects, just give him the VIEW ANY DEFINITION permission, as described here:
http://msdn.microsoft.com/en-us/library/ms175808(v=sql.105).aspx
Related
I was using node.js to work on snowflake datawarehouse as a destination for users. I wanted to check if a user has the required permission level on the schema to create a table and write into it before adding the user to the database otherwise it should give an error saying that the user does not have the appropriate permission level. How can I achieve that programatically?
Thanks,
one way you could do is check if the role has SEELCT privilege on the table by looking into the view TABLE_PRIVILEGES in information_schema schema.
select * from information_schema.TABLE_PRIVILEGES where table_name = 'SALES_RAW'
Due to how permissions can be inherited through the role hierarchy, this isn't easy to do. Permissions aren't assigned to users in Snowflake, they are assigned to roles. You could use the table_privileges in the information schema (as Himanshu said). You'll need to ask your admin for privileges to the information_schema schema in the databsae:
You could probably use some combination of these too:
show grants to user [username]
with
show grants on schema [schema name]
The easiest way would be to have your app / script / service assume the same role as the user and see if you can select from a table in the schema or try to create a temporary table in the schema. If you receive an error code, the user doesn't have permissions!
I have created a view in Database A that looks at tables in Database B that the users in Database A do not have access to (HR Data).
Is there a way I can grant anybody calling the view in Database A permissions to see the results, without giving access to the underlying tables?
Both databases are on the same instance, SQL Server 2019
You can just
GRANT SELECT ON OBJECT::[schema].[theView] TO User1,User2
in your Database A? This way you'd just give SELECT permissions to the view itself, and not the tables.
If you have a lot of cases like this, you can also consider creating a special schema for this and do:
GRANT select ON Schema :: [DBO] TO User1
instead.
I'm using the Oracle Database EX 11.2.0.2.0 and I hava a quite simple database created there.
Now the issue is i would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what are the difference between creating system-leveled and particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my databse is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is it any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. An other user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in de Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.
I'm trying to create a role to give a few users permission to create and alter views, procedures and tables.
I don't want these users to be able to select from/update/delete/alter etc. any table in the database, there are tables we want to keep control of - but they should have full permissions on any objects they create.
I've given the users permissions to create views etc. and that works fine, but they can't then select from views they then create. Is it possible to do this?
-- ADDED 25/july/2013
Example:
An example user Mike has specific permissions granted on a handful of tables. All Grant, no Deny.
No other database level permissions beyond "connect"
Plus is a member of public (not altered - no denys), plus 3 other roles we have set up
Role: Standard_Reader
Specific Select permissions on a number of tables. All Grant, no Deny.
No other database level permissions
Role: SensitiveDemographicsReader
Specific Select permissions on sensitive tables. All Grant, no Deny
Role: Analyst
No Specific securables
Database level permissions:
Create Function
Create Procedure
Create Table
Create View
This user can create a table or view, but once created, can't select from it.
Is it possible to set up SQL server so that whenever a user user creates a table or view they then have permissions to select from it (assuming they have permissions on underlying tables in view)
-- EDIT
After some investigation it has become apparent that for some reason in our database, ownership of objects is not acruing to their creators.
Found using this code
select so.name, su.name, so.crdate from sysobjects so join sysusers su on so.uid = su.uid
order by so.crdate
All owners, with a couple of exceptions are DBO.
I can't understand why ownership is not passing to the creators of objects. Any idea what could cause this?
Sounds like what you're using to deny them in the first place is overriding the default settings. Can you post more information on what permissions the users have?
Can't comment :(
I would comment but lack privileges; have you taken a look at MySQL table permissions? It's a rather good system.
you need to grant SELECT on the schema to user/group:
GRANT SELECT ON SCHEMA::dbo TO User/Group;
In SQL Server 2005, a user-defined database role can "own" a schema. You can see this in the properties window of the database role. What exactly does this mean in terms of permissions/privileges against the tables in that schema? What does owning a schema mean?
Or, to ask another way: If I want a particular user-defined database role to have select/insert/update/delete privileges against every table in a schema, what is the best/smartest way to accomplish this?
I could go into the permissions of every individual table in the schema and grant the privs to the role, but this seems dumb. How do I do it for the whole schema?
thanks
aj
"Own" means "has full access" or "can do anything."
If that is what you want, just make the group the schema owner.
Otherwise, grant schema-wide permissions to this group. You can grant select permission for the schema, and members of the group will be able to select from all tables in the schema, and so on.
See GRANT Schema Permissions for more info.
MSDN Documentation: db_owner
Making them members of the db_owner group for that a particular database will essentially do what you require - of course they have a few extra permissions - such as drop a database.
You could create a new user group/schema, of course as you pointed out you need to set appropriate permissions: SQL Server 2005 Permissions