I have created a SQL userid, role, and schema in a SQL 2005 database. I have created a SQL View under this schema that selects from a table in the dbo schema. However, I don't want the SQL user to be able to select from this table.
For example:
CREATE VIEW [MySchema].[vwMyView]
AS
SELECT
*
FROM
dbo.MyTable
The user has access to the MySchema view and can query vwMyView with no problems. However, they can also SELECT from dbo.MyTable.
How do I restrict all access to dbo.MyTable? If I deny the SELECT permission on the dbo schema, the user cannot select from the view.
REVOKE select
ON tablename
FROM {user_name}
just revoking select doesn't in itself doesn't revoke other permissions.
Then do an explicit grant select on the view. Not sure if this will work as I have never tried it this way but worth a shot.
Related
I am quite new to SQL, and my first "job" is to get something out of an Oracle SQL database.
Just to see what's actually found in my connection I use the following:
SELECT owner, table_name FROM dba_tables
This gives me a bunch of tuples with an owner name and table_name. However, some table names are the same for different owners.
So when I run a command like:
SELECT * FROM MyTableName
How do I ensure that this table is coming from owner1 and not owner2, where both of them actually have a table called MyTableName ?
You can do:
SELECT * FROM <owner>.MyTableName
You can specify exactly which table with
select * from some_owner.my_table;
If you do this:
select * from my_table;
You will be selecting from the version of MY_TABLE that belongs to the owner/user with which you you are connected to the database. So, if you connected as user SCOTT, then
select * from my_table;
effectively becomes
select * from scott.my_table;
Note that this behavior can be overridden by the use of synonyms. Suppose user SCOTT has a synonym like this:
create synonym scott.my_table for fred.my_table;
Then SCOTT issues
select * from my_table;
Then oracle will check first for a synonym, and finding it will effectively transform the query to
select * from fred.my_table;
So in the end, the precedence is this. When you reference a table without qualifying it with the owner, oracle will look for it in this sequence:
is there a user synonym by that name? if so, use what it references if the user has been granted necessary privileges.
is there a global synonym by that name? if so, use what it references if the user has been granted necessary privileges.
does the user itself own a table by that name? if so, use that table.
return error "ORA-00942: table or view does not exist"
I am trying to Load a certain data set for a course but it keeps failing and mentions that I do not have the necessary authorization
Error for batch element #1: The statement failed because the authorization ID does not have the required authorization or privilege to perform the operation. Authorization ID: "HLZ16072". Operation: "CREATE TABLE". Object: "DB2INST1.SCHOOL".. SQLCODE=-551, SQLSTATE=42501, DRIVER=4.26.14
Number of occurrences: 1
The error changes to the table is absent when I use error schema, I understand I need to give access using DATAACCESS authority, but I still can't figure out how to give myself the required permissions to Load the CSV file.
Screenshot
The above is the result of :
SELECT GRANTEE, GRANTEETYPE, SECURITYADMAUTH, DATAACCESSAUTH FROM SYSCAT.DBAUTH WHERE 'Y' IN (SECURITYADMAUTH, DATAACCESSAUTH)
Seems, that your user HLZ16072 doesn't have a privilege to create tables in the DB2INST1 schema, and you can't get the information about the user who may grant you such an ability (RCAC on the system catalog tables?).
So, you should either find your database admin and ask him/her on such an ability to grant you the corresponding privileges, or try to understand, which schemas you are allowed to create your tables in. You should try to use the schema HLZ16072 instead of DB2INST1, which is likely the right schema for you. Or try to run the following select statement to find such schemas.
SELECT DISTINCT (P.OBJECTSCHEMA) AS SCHEMA
--P.PRIVILEGE, P.OBJECTTYPE, P.OBJECTSCHEMA, P.OBJECTNAME, U.AUTHID, U.AUTHIDTYPE
FROM SYSIBMADM.PRIVILEGES P
CROSS JOIN TABLE(VALUES 'HLZ16072') A (AUTHID)
JOIN TABLE
(
SELECT GROUP, 'G' FROM table(AUTH_LIST_GROUPS_FOR_AUTHID(A.AUTHID))
UNION ALL
select ROLENAME, 'R' from table(AUTH_LIST_ROLES_FOR_AUTHID(A.AUTHID, 'U'))
UNION ALL
SELECT * FROM TABLE(VALUES ('PUBLIC', 'G'), (A.AUTHID, 'U')) T (AUTHID, AUTHIDTYPE)
) U (AUTHID, AUTHIDTYPE) ON U.AUTHID=P.AUTHID AND U.AUTHIDTYPE=P.AUTHIDTYPE
WHERE P.PRIVILEGE='CREATEIN';
Is it possible to grant select permission on sql table with some conditions.
For example grant select where table.id = < 50
supplemented: i am talking about ms sql
It's not possible directly.
Though to achieve this task, you can create a View initially with required conditions and then Grant select permission to that particular view.
For more details:
mysql GRANT + WHERE
Aer, you haven't said anything about DB engine (which one you are using: Oracle / MS SQL Server / MySQL etc.).
In Oracle for instance you are Granting / Revoking privileges to specific object, and there is no way to limit the output result (with out of the box GRANT statement).
In SQL Server you are able to grant row-level permissions for individual users with some additional effort: https://msdn.microsoft.com/en-us/library/bb669076(v=vs.110).aspx
Example:
CREATE SCHEMA Security
GO
CREATE FUNCTION Security.userAccessPredicate(#UserName sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS accessResult
WHERE #UserName = SUSER_SNAME()
GO
CREATE SECURITY POLICY Security.userAccessPolicy
ADD FILTER PREDICATE Security.userAccessPredicate(UserName) ON dbo.MyTable,
ADD BLOCK PREDICATE Security.userAccessPredicate(UserName) ON dbo.MyTable
GO
enter code here
CREATE VIEW vw_MyTable
AS
RETURN SELECT * FROM MyTable
WHERE UserName = SUSER_SNAME()
GO
In general from the concept perspective if you want to limit users to only certain amount of rows you should do the following:
The basic way would be :
Prevent users (or group) from accessing the base table.
Define a view on top of that table that shows only the rows these users are supposed to see.
Give users SELECT permission on the view.
I am connected to a oracle database with a read only user and i used service name while Setting up connection in sql developer hence i dont know SID ( schema ).
How can i find out schema name which i am connected to ?
I am looking for this because i want to generate ER diagram and in that process at one step it asks to select schema. When i tried to select my user name , i dint get any tables as i guess all tables are mapped with schema user.
Edit: I got my answer partially by the below sql Frank provided in comment , it gave me owner name which is schema in my case. But I am not sure if it is generic solution applicable for all cases.
select owner, table_name from all_tables.
Edit: I think above sql is correct solution in all cases because schema is owner of all db objects. So either i get schema or owner both are same. Earlier my understanding about schema was not correct and i gone through another question and found schema is also a user.
Frank/a_horse_with_no_name Put this in answer so that i can accept it.
Call SYS_CONTEXT to get the current schema. From Ask Tom "How to get current schema:
select sys_context( 'userenv', 'current_schema' ) from dual;
To create a read-only user, you have to setup a different user than the one owning the tables you want to access.
If you just create the user and grant SELECT permission to the read-only user, you'll need to prepend the schema name to each table name. To avoid this, you have basically two options:
Set the current schema in your session:
ALTER SESSION SET CURRENT_SCHEMA=XYZ
Create synonyms for all tables:
CREATE SYNONYM READER_USER.TABLE1 FOR XYZ.TABLE1
So if you haven't been told the name of the owner schema, you basically have three options. The last one should always work:
Query the current schema setting:
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL
List your synonyms:
SELECT * FROM ALL_SYNONYMS WHERE OWNER = USER
Investigate all tables (with the exception of the some well-known standard schemas):
SELECT * FROM ALL_TABLES WHERE OWNER NOT IN ('SYS', 'SYSTEM', 'CTXSYS', 'MDSYS');
How about the following 3 statements?
-- change to your schema
ALTER SESSION SET CURRENT_SCHEMA=yourSchemaName;
-- check current schema
SELECT SYS_CONTEXT('USERENV','CURRENT_SCHEMA') FROM DUAL;
-- generate drop table statements
SELECT 'drop table ', table_name, 'cascade constraints;' FROM ALL_TABLES WHERE OWNER = 'yourSchemaName';
COPY the RESULT and PASTE and RUN.
I want to restrict a user to only one schema and to only Select privilege in that schema in SQL Server 2008.
A combination of DENYs and a GRANT. For example:
DENY SELECT ON schema::[dbo] TO [user_name]
DENY SELECT ON schema::[other_schema] TO [user_name]
GRANT SELECT ON schema::[safe_schema] TO [user_name]