What schema permissions are entailed when a SQL Server 2005 database role owns a schema?

In SQL Server 2005, a user-defined database role can "own" a schema. You can see this in the properties window of the database role. What exactly does this mean in terms of permissions/privileges against the tables in that schema? What does owning a schema mean?
Or, to ask another way: If I want a particular user-defined database role to have select/insert/update/delete privileges against every table in a schema, what is the best/smartest way to accomplish this?
I could go into the permissions of every individual table in the schema and grant the privs to the role, but this seems dumb. How do I do it for the whole schema?
thanks
aj

"Own" means "has full access" or "can do anything."
If that is what you want, just make the group the schema owner.
Otherwise, grant schema-wide permissions to this group. You can grant select permission for the schema, and members of the group will be able to select from all tables in the schema, and so on.
See GRANT Schema Permissions for more info.
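The two options in the answer above, written out as T-SQL (an added example, not from the original posts; the schema `Sales` and the role `SalesEditors` are hypothetical names). It grants the four DML permissions at schema scope instead of transferring ownership, then queries the catalog to confirm what was recorded.

```sql
-- Hypothetical names: schema Sales, database role SalesEditors.

-- Option A: schema-scoped grant. Covers every table and view in the
-- schema, including ones created later, without giving any DDL rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Sales TO SalesEditors;

-- Option B (broader): make the role the schema owner. The owner holds
-- CONTROL on the schema, so role members can also alter and drop its objects.
-- ALTER AUTHORIZATION ON SCHEMA::Sales TO SalesEditors;

-- Check: permissions recorded at schema scope for the role.
SELECT pr.name            AS grantee,
       s.name             AS schema_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
JOIN sys.schemas              AS s  ON s.schema_id     = pe.major_id
WHERE pe.class_desc = 'SCHEMA'
  AND pr.name = 'SalesEditors';

-- Check: which principal currently owns each schema.
SELECT s.name AS schema_name, dp.name AS owner_name, dp.type_desc
FROM sys.schemas AS s
JOIN sys.database_principals AS dp ON dp.principal_id = s.principal_id;
```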

MSDN Documentation: db_owner
Making them members of the db_owner group for that particular database will essentially do what you require - of course they have a few extra permissions - such as dropping a database.
You could create a new user group/schema, of course as you pointed out you need to set appropriate permissions: SQL Server 2005 Permissions

Related

Snowflake GRANT usage on ALL SCHEMAS owned by a certain ROLE

In my Snowflake database, I have a reporting ROLE requesting access to a subset of SCHEMAS owned by a subset of schema OWNERS. This is a valid request as I can see it reduces the schema clutter in their query interface.
Is it possible in Snowflake to grant privileges on ALL schemas owned by a certain role (Ex: abc_role) to another role (Ex: xyz_role)?
I see in Snowflake we can grant privileges on ALL schemas in the entire database but not restrict by the schema owner.
You’ll need to construct the commands yourself; there is no WHERE option in a grant statement.
Just run
show schemas;
and then construct your grant statements with
select -- construct statement
from table(result_scan(last_query_id()))
where "owner" = value;
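One way to fill in the statement-construction step above (an added example, not part of the original answer). It assumes the role names `abc_role` and `xyz_role` from the question, a placeholder database `my_db`, and the `name`, `database_name` and `owner` columns that `SHOW SCHEMAS` returns.

```sql
-- my_db is a placeholder; abc_role / xyz_role are the roles from the question.
show schemas in database my_db;

-- Must be the very next statement in the session, because it reads the
-- result of the SHOW above through last_query_id().
select 'grant usage on schema '
       -- Quote both identifiers and double any embedded quote so an
       -- unusual schema name cannot change the generated statement.
       || '"' || replace("database_name", '"', '""') || '".'
       || '"' || replace("name", '"', '""') || '"'
       || ' to role xyz_role;' as grant_stmt
from table(result_scan(last_query_id()))
where "owner" = 'ABC_ROLE'   -- role names created unquoted are stored upper-case
order by "name";
```

Review the generated statements before running them. They cover only the schemas that exist at that moment, and USAGE on a schema does not by itself grant access to the tables inside it.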

System and database leveled users in Oracle Database

I'm using the Oracle Database EX 11.2.0.2.0 and I have a quite simple database created there.
Now the issue is I would like to have multiple users with different privileges set up. I have found that topic: How to create a user in Oracle 11g and grant permissions
but I cannot find anywhere the basic thing about users accounts:
what is the difference between creating a system-leveled and a particular database-leveled user?
I've logged in sqlplus as SYSTEM and executed the following commands:
CREATE USER TEST IDENTIFIED BY password;
GRANT CONNECT TO TEST;
and now the problem is that my database is actually called let's say BASE with one table called PAYMENTS and to give any privileges to a newly created user I cannot execute:
GRANT SELECT ON PAYMENTS TO TEST;
but I have to type in:
GRANT SELECT ON BASE.PAYMENTS TO TEST;
so I suppose I missed something. Is there any way of connecting the created user to a particular database? So that the newly created user will be visible as a database user in Oracle APEX?
When referencing objects in other schemas, you must provide the schema name. Another user might have a table with the same name. Currently you are logged in with the system user, which is not advisable. When creating objects in the BASE schema (another name for user in the Oracle DB), why not give the user some extra rights (like granting privileges)?
The core of your problem is that you want to grant privileges to user A on an object owned by B, logged in as user C. You have to be very specific in that case to Oracle what privileges are granted to whom ;)
Users and schemas are synonymous in Oracle - basically. A schema is the collection of objects owned by a user.
To get what you want, you would need to create users lacking the privs to create anything and only have the ability to select from the objects of others.

SQL server - privileges to get metadata of database

What minimum privileges does my user need to get metadata (name of tables, columns, procedures, etc.) from a database?
I need to select from:
[database].sys.objects
[database].sys.schemas
[database].sys.extended_properties
[database].sys.sql_modules
[database].information_schema.columns
db_datareader is ok, but I need minimum privileges.
In order to let a user only query metadata of objects, just give him the VIEW ANY DEFINITION permission, as described here:
http://msdn.microsoft.com/en-us/library/ms175808(v=sql.105).aspx
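A database-scoped variant for comparison (an added example, not from the original answer): `VIEW ANY DEFINITION` is a server-level permission that covers every database on the instance, while `VIEW DEFINITION` can be granted on a single database or schema. The database `AppDb`, the login `meta_login` and the user `meta_reader` are hypothetical names.

```sql
-- Server scope, as in the answer: run in master, the grantee is a login.
-- USE master;
-- GRANT VIEW ANY DEFINITION TO meta_login;

-- Database scope: metadata for objects in this one database only.
USE AppDb;
GRANT VIEW DEFINITION TO meta_reader;

-- Narrower still: a single schema.
-- GRANT VIEW DEFINITION ON SCHEMA::dbo TO meta_reader;

-- Check as the user: list the effective database-level permissions,
-- then confirm the catalog views from the question return rows.
EXECUTE AS USER = 'meta_reader';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT COUNT(*) AS visible_objects FROM sys.objects;
SELECT COUNT(*) AS visible_modules FROM sys.sql_modules;
REVERT;
```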

Database permissions with Postgresql

Is it possible to restrict user access to a postgresql database by specifying a database, rather than a table?
I understand that the line:
GRANT ALL ON tableName TO joeuser
enables this user to access this table and do anything they want. However I want to allow a user access to the database databaseName that contains tableName (and all tables within databaseName), but not all databases on my postgresql server.
Not really, no. Granting privileges to a database:
GRANT ALL ON DATABASE databaseName TO joeuser;
does not automatically grant privileges on objects in the database; and granting privileges on every object that's currently in the database won't automatically grant privileges on any future objects that might be created.
It's not clear exactly what you want. It might be that you're trying to find a single SQL statement that handles all your privileges now and forever more. SQL privileges generally don't work that way.
Depending on the version, you can control connection to the database in two ways.
By editing pg_hba.conf. (Probably not suitable in your case.)
By a GRANT (or REVOKE) CONNECT ON DATABASE... statement. (Since version 8.2.)
You can change the default privileges for tables, views, sequences, and functions. (Version 9.0+)
ALTER DEFAULT PRIVILEGES is a PostgreSQL extension to SQL.
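The pieces named in the answer, combined into one sequence (an added example, not from the original answer). `databaseName` and `joeuser` come from the question; the `public` schema and the `app_owner` role that creates tables are assumptions. The `ALL TABLES IN SCHEMA` and `ALTER DEFAULT PRIVILEGES` forms need version 9.0 or later.

```sql
-- 1. Connection control: PUBLIC has CONNECT on a new database by default,
--    so remove it and grant it back only to the intended role.
REVOKE CONNECT ON DATABASE databaseName FROM PUBLIC;
GRANT  CONNECT ON DATABASE databaseName TO joeuser;

-- Run the remaining statements while connected to databaseName.

-- 2. Schema lookup rights, then rights on the tables that exist now.
GRANT USAGE ON SCHEMA public TO joeuser;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO joeuser;

-- 3. Tables created later. Default privileges apply only to objects
--    created by the role named in FOR ROLE (assumed here: app_owner).
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO joeuser;

-- Check: the database ACL, and what joeuser holds on each table.
SELECT datname, datacl FROM pg_database WHERE datname = current_database();

SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'joeuser'
ORDER BY table_name, privilege_type;
```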

What is the difference between "db_owner" and "the user that owns the database" in SQL Server 2000?

I'm trying to better understand why one of our database update scripts failed to work properly at a particular customer site, and narrowed it down (I think) to database ownership and roles.
Disclaimer: I'm actually waiting to hear back from the customer's DBA so they can tell us if they upgraded their SQL database recently and so we can look at their database. I'm thinking a SQL 2000 to SQL 2005 conversion might have hosed our scripts if our application's database login was converted to a schema, because we were referencing dbo in a few places in the update script.
Anyway, I've been trying to find a better explanation of database ownership and roles and how it impacts what owner a database object is actually assigned when you don't explicitly specify the owner in a T-SQL statement. For example, our update scripts typically just do CREATE TABLE foo instead of CREATE TABLE dbo.foo or something else, but I found a few that were explicitly using dbo, and those are the ones causing problems at the moment (only for this one customer).
I found this article (specific to SQL Server 2000), but the table on that page is confusing. It mentions db_owner and "owns the database" as two distinct possibilities for what role a user can have.
For example, the table states that if a user sam, who is in the db_owner role, runs the query CREATE TABLE [test3](abc int), it will be owned by sam.
It then mentions that if another user sue, who "owns the database" (sic), runs the same query, it will be owned by dbo.
Wouldn't db_owner and "owns the database" be the same thing? The table implies that there is a difference between "being in the db_owner role" and actually "being the owner of the database." But if that's true, what does it mean to "own the database" if it's something other than being a member of the db_owner role?
No, db_owner and the owner of the database are not the same. dbo is a user and db_owner is a database role. Databases are owned by logins. Whatever login owns the database is aliased as dbo inside the database. You can change the database owner by using the sp_changedbowner system stored procedure.
All objects in a database are owned by a user. Users that are members of the db_owner role, among other permissions, are allowed to create objects owned by dbo. If a user is not a member of db_owner, but has some create permissions (e.g. Create Table), then any objects they create will be owned by the user that created them. You can change the ownership of an object using sp_changeobjectowner system stored procedure.
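The distinctions in the answer can be checked directly on a SQL Server 2000 database (an added example, not from the original answer; the table name `foo` comes from the question and the user `sam` from the article it cites).

```sql
-- Which login owns the current database (and is therefore dbo inside it).
SELECT name, SUSER_SNAME(sid) AS owner_login
FROM master.dbo.sysdatabases
WHERE name = DB_NAME();

-- Who is a member of the db_owner role (separate from the owner above).
EXEC sp_helprolemember 'db_owner';

-- Which user owns each user table. A table created without an owner
-- prefix by a user who is not dbo is listed under that user.
SELECT USER_NAME(uid) AS owner_name, name AS table_name
FROM sysobjects
WHERE xtype = 'U'
ORDER BY owner_name, table_name;

-- Move one stray table to dbo (names taken from the question's example).
-- EXEC sp_changeobjectowner 'sam.foo', 'dbo';
```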