Can you lock/disable a user on HSQL?
I'd like to set up a user account before it's needed. Then, when needed, I'd unlock it so it can be used.
You cannot disable an account.
However, when a user is created it has no privileges whatsoever. You can delay granting SELECT, INSERT, UPDATE etc privileges until the user account is needed.
The correct way to manage this is to create a ROLE and grant the relevant privileges to this role. When an account is needed, you grant this ROLE to the account. When you want to "suspend" an account, you simply REVOKE this role from the account.
See the Guide: http://hsqldb.org/doc/2.0/guide/accesscontrol-chapt.html
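The role-based "suspend/unlock" pattern from the answer above, written out for HSQLDB as an added example (not code from the answer or from the HSQLDB guide). The names `batch_user`, `batch_role` and `PUBLIC.orders` and the password are placeholders.

```sql
-- Added example; batch_user, batch_role and PUBLIC.orders are hypothetical names.
-- Run as a user holding the DBA role (for example SA).

CREATE TABLE PUBLIC.orders (id INTEGER PRIMARY KEY, status VARCHAR(20));

-- 1. Provision the account ahead of time. It has no object privileges yet,
--    only whatever has been granted to the built-in PUBLIC role.
CREATE USER batch_user PASSWORD 'replace-with-a-real-secret';

-- 2. Put the privileges on a role, never directly on the user.
CREATE ROLE batch_role;
GRANT SELECT, INSERT, UPDATE ON TABLE PUBLIC.orders TO batch_role;

-- 3. "Unlock": the account becomes useful when it receives the role.
GRANT batch_role TO batch_user;

-- 4. "Suspend": take the role away again. The user can still connect,
--    but keeps only what PUBLIC or direct grants give it.
REVOKE batch_role FROM batch_user RESTRICT;

-- 5. Audit: who holds the role, and what reaches the user or role directly.
SELECT role_name, grantee
  FROM INFORMATION_SCHEMA.ROLE_AUTHORIZATION_DESCRIPTORS
 WHERE role_name = 'BATCH_ROLE';

SELECT grantee, table_name, privilege_type
  FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
 WHERE grantee IN ('BATCH_ROLE', 'BATCH_USER', 'PUBLIC');
```

The suspension only holds if nothing was granted to `batch_user` directly or to `PUBLIC`, which is why the second audit query lists all three grantees.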
Related
I set up a new role called 'TEST_CLIENT_ROLE' and granted USAGE and CREATE SCHEMA on a database called TEST_CLIENT_DB. I didn't grant any explicit permissions to CREATE STAGE on this database or schema. But still a user belonging to the role is able to create a stage.
I also explicitly revoked CREATE STAGE on the role like below:
REVOKE CREATE STAGE ON ALL SCHEMAS IN DATABASE TEST_CLIENT_DB FROM ROLE TEST_CLIENT_ROLE;
REVOKE CREATE STAGE ON FUTURE SCHEMAS IN DATABASE TEST_CLIENT_DB FROM ROLE TEST_CLIENT_ROLE;
But still the user in that role is able to create a stage under that database schema.
Can someone help me figure out how to make sure that a role can't create a stage under a database/schema?
Snowflake roles inherit permissions from child roles. If this role is the parent of another role with this permission, you need to revoke the permission from the child role. Also, object owners have pretty much full permissions, so if the role is the owner, I don't think you can revoke the permission.
I have a role but made changes to it, do I have to grant the role to all the users again or will Oracle automatically do it for me?
The issue is that I have made a change to the role but the role is connected to many users, do I have to regrant it?
No you don't have to reassign it.
Would every user who uses my database have a role? Is it more administrators who will have roles, people who need access to all the tables?
Also, I am unable to offer table-level privileges to a role and offer that to a user; it just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal? Should I be able to offer table-level privileges to a role or do I have to manually offer each of my users the table-level privileges?
Would every user who uses my database have a role?
That depends on how you (or, should I rather say, DBA) set it up.
Quite a long time ago, say until Oracle 8i, there were 2 very popular roles: connect and resource, so when a DBA created a new user, they simply ran
grant connect, resource to new_user;
and the new_user was ready to go as those roles provided most needed privileges such as create session, create table or create view (check documentation for more info about those predefined roles).
However, it turned out that not everyone should be granted e.g. create cluster (which is one of connect's privileges) so nowadays you should create your own roles, if you want - then grant certain privileges to those roles and, finally, grant roles to your users.
Another option is to keep .sql scripts for each of your users. That script should contain a list of privileges granted to those users, separately, which means that you shouldn't grant anyone a privilege they don't really need.
I am unable to offer table-level privileges to a role and offer that to a user. it just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal?
It works, but not everywhere. Those privileges (the ones granted via roles) won't work in named PL/SQL procedures (i.e. stored procedures, functions, packages). If you have to use those tables in them, yes - you have to grant privileges directly to each of those users.
As opposed to named PL/SQL procedures, privileges granted via roles will work in anonymous PL/SQL blocks or at SQL level.
If you're wondering why would you use roles at all, then, the answer is my first sentence: it depends.
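The difference described in this answer between privileges held through a role and privileges granted directly, shown as an added Oracle example (not from the original answer). The names `app_owner.orders`, `report_role`, `report_user` and `count_orders` are hypothetical, and `report_user` is assumed to already have CREATE SESSION and CREATE PROCEDURE.

```sql
-- Added example; all object, role and user names are hypothetical.

-- As a DBA: the table privilege is granted to a role only.
CREATE ROLE report_role;
GRANT SELECT ON app_owner.orders TO report_role;
GRANT report_role TO report_user;

-- As report_user: plain SQL and anonymous PL/SQL blocks use the role.
SELECT COUNT(*) FROM app_owner.orders;

DECLARE
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM app_owner.orders;
END;
/

-- As report_user: a named (definer's rights) procedure is compiled with
-- roles disabled, so the same query fails to compile with ORA-00942.
CREATE OR REPLACE PROCEDURE count_orders AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM app_owner.orders;
END;
/

-- As a DBA: a direct grant is what the procedure needs; then recompile.
GRANT SELECT ON app_owner.orders TO report_user;
ALTER PROCEDURE report_user.count_orders COMPILE;

-- Audit: separate what arrives directly from what arrives through the role.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('REPORT_ROLE', 'REPORT_USER');

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'REPORT_ROLE';
```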
I am granting permission on some objects to my user in a database. Is there any way to grant permission to a user without using a database role?
I can easily do it by creating database role, but I do not want to use role.
I assigned some objects to my user by Database User, in Securables tab, it didn't work!
create user [user_test] for login [login_test]
create role role_test authorization user_test
exec sp_addrolemember 'role_test', 'user_test'
grant select on object::dbUser.tbl_05 to role_test
I expected I could grant permission to my user and not to use Database Role.
You have (at least) 2 options here, you can assign the permission straight to your DB user (as mentioned in the comment) or you can grant permission on a certificate, which might give you better control in a production environment.
I have 2 database users called SQLUser1 and SQLUser2. How can I grant INSERT permission to SQLUser2 at database level using SQLUser1?
After reading about database membership roles, I think I can achieve the solution by playing with memberships of SQLUser1. Can it be solved by giving db_securityadmin and db_accessadmin to SQLUser1? How can I control permissions of one user by another user at database level?
Any help appreciated.
Thanks,
Deeps
You must grant all/specific privileges to SQLUser1 with grant option as sa (sys admin or another higher-privileged user). Then SQLUser1 will become eligible to grant privileges to SQLUser2 as outlined below:
GRANT ALL TO SQLUser1 WITH GRANT OPTION
You need not assign the ALL privilege to SQLUser1. SQLUser1 can even have only the INSERT permission, but WITH GRANT OPTION makes him eligible to grant the same permission to another user.
Then, as SQLUser1, grant the specific privilege to SQLUser2:
GRANT INSERT TO SQLUser2
You can do the above mentioned steps using GUI (SSMS) as well.
For more information on GRANT see HERE
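The delegation steps from this answer in their narrowest form (INSERT only, not ALL), with an audit query and the matching revoke, as an added T-SQL example that is not part of the original answer. It assumes both database users already exist and that the first and last statements are run by a db_owner or sysadmin.

```sql
-- Added example; run in the target database.

-- 1. As db_owner/sysadmin: delegate only the permission that is needed.
GRANT INSERT TO SQLUser1 WITH GRANT OPTION;

-- 2. As SQLUser1 (impersonated here so the script runs in one session):
EXECUTE AS USER = 'SQLUser1';
GRANT INSERT TO SQLUser2;
REVERT;

-- 3. Audit: database-level INSERT grants, with grantor and grant option.
--    SQLUser1 shows state_desc = GRANT_WITH_GRANT_OPTION; SQLUser2 shows
--    GRANT with SQLUser1 as the grantor.
SELECT USER_NAME(grantee_principal_id) AS grantee,
       USER_NAME(grantor_principal_id) AS grantor,
       permission_name,
       state_desc
  FROM sys.database_permissions
 WHERE class_desc = 'DATABASE'
   AND permission_name = 'INSERT';

-- 4. Withdraw the delegation. CASCADE is required because the permission was
--    granted WITH GRANT OPTION; it also removes the grant SQLUser1 made
--    to SQLUser2.
REVOKE INSERT FROM SQLUser1 CASCADE;
```

Re-running the audit query after step 4 should return no rows for either user.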
you need to use a user which is db_owner.
Select the user2 and click Properties, then user mappings... using SQL Server Management Studio.