Roles in Oracle - SQL

I created a view in schema A using snapshots in schema B. I was trying to assign roles to the view, but it doesn't allow me to. It says there is some error related to access to the tables from the snapshots.
Any ideas?

Schema B needs to grant schema A select on the snapshots "WITH GRANT OPTION" ("WITH ADMIN OPTION" is only for system privileges, not object privileges):
grant select on TABLE_NAME to A with grant option;

Schema B needs to grant schema A select on the snapshots "with grant option" for schema A to be able to pass on the grants to other schemas/roles.
GRANT SELECT ON my_table TO a WITH GRANT OPTION;
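The full chain described in the two answers above, as an added example that is not part of the original thread. The object names (B.SNAP_ORDERS, A.V_ORDERS, the role REPORT_RO) are assumed for illustration; the error number quoted in the comment is the one Oracle raises when the grant option is missing.

```sql
-- Added example (not from the original thread): the grant chain that lets
-- schema A expose a view over B's snapshot to a role. Object names are assumed.

-- 1. Connected as B: give A SELECT on the snapshot together with the right to pass it on.
GRANT SELECT ON b.snap_orders TO a WITH GRANT OPTION;

-- 2. Connected as A: build the view. With a plain GRANT SELECT (no GRANT OPTION)
--    the view can still be created, but step 3 fails with
--    ORA-01720: grant option does not exist for 'B.SNAP_ORDERS'.
CREATE OR REPLACE VIEW a.v_orders AS
  SELECT order_id, amount
    FROM b.snap_orders;

-- 3. Still as A: expose the view to the role. Do not write WITH GRANT OPTION here;
--    it is only valid when the grantee is a user or PUBLIC, never a role.
GRANT SELECT ON a.v_orders TO report_ro;

-- 4. Check what A received from B and whether it is grantable (GRANTABLE = YES).
SELECT owner, table_name, privilege, grantable
  FROM user_tab_privs_recd
 WHERE owner = 'B';
```

If B later revokes the grant from A, Oracle cascades the revoke: the view's grant to REPORT_RO disappears with it, so a report role that suddenly loses access is a sign the upstream grant changed, not the view.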

Related

Grant from schema A of Schema B tables to schema C

I have an application schema U32_C5 and another schema MIG_SRC which has some tables, and then we have a role RO_ROLE on which we have some grants of tables from schema U32_C5.
The RO_ROLE is assigned to another schema MRGO_RO which is read only.
Here I need to grant select on tables from MIG_SRC to MRGO_RO. The catch is that the process from which I can include these grants is run from the application schema U32_C5 in production, so when I tried to do something like below it says table or view does not exist (which seems to be obvious):
Executed from U32_C5:
grant select on MIG_SRC.MOBILE_CELLPHONE_PAIRINGS to MRGO_RO;
Another way which I can think of is creating a DB link on MRGO_RO for the MIG_SRC schema, but it enables read/write operations as well on MIG_SRC tables, which is not allowed in production.
A DB link is present on the U32_C5 schema for the MIG_SRC schema.
So I am looking for a way to accomplish the above task without creating a DB link; any suggestion is welcome.
Sample script of the requirement, what I want to achieve. Please remember I cannot and do not want to log in to MIG_SRC, and the only way I am looking for is to do it by using U32_C5 and without DBA help.
A RO role created by the DBAs:
Create role RO_ROLE;
/* Create application schema, a table inside it, and grant select on it to RO_ROLE (run as DBA; the user needs a tablespace quota to own tables) */
CREATE USER U32_C5 IDENTIFIED BY U32_C5;
GRANT ALTER SESSION TO U32_C5;
GRANT CREATE SESSION TO U32_C5;
GRANT CREATE DATABASE LINK TO U32_C5;
GRANT CREATE TABLE TO U32_C5;
create table U32_C5.U32_C5_test_tab (id number);
grant select on U32_C5.U32_C5_test_tab to RO_ROLE;
/* Create read-only schema, grant RO_ROLE to it */
CREATE USER mrgo_ro IDENTIFIED BY mrgo_ro;
GRANT ALTER SESSION TO mrgo_ro;
GRANT CREATE SESSION TO mrgo_ro;
grant ro_role to mrgo_ro;
/* Create SRC schema and a table inside it */
CREATE USER MIG_SRC IDENTIFIED BY MIG_SRC;
GRANT ALTER SESSION TO MIG_SRC;
GRANT CREATE SESSION TO MIG_SRC;
GRANT CREATE DATABASE LINK TO MIG_SRC;
GRANT CREATE TABLE TO MIG_SRC;
create table MIG_SRC.mig_src_test_tab (id number);
/* Log in to application schema U32_C5 */
sqlplus U32_C5/U32_C5@SID
grant select on mig_src.mig_src_test_tab to mrgo_ro; -- for me it gives an error here at this step: table or view does not exist
/* Log in to read-only schema mrgo_ro */
sqlplus mrgo_ro/mrgo_ro@SID
select * from mig_src.mig_src_test_tab;
or
select * from mig_src_test_tab; -- the unqualified name only resolves if a synonym exists
If I understood you correctly, then WITH GRANT OPTION is what you're missing.
Once someone (A) grants privileges on their own objects to someone else (B), and (B) has to "forward" those privileges to (C), it is the WITH GRANT OPTION that helps.
Documentation says:
Specify WITH GRANT OPTION to enable the grantee to grant the object privileges to other users and roles.
Restriction on Granting WITH GRANT OPTION You can specify WITH GRANT OPTION only when granting to a user or to PUBLIC, not when granting to a role.
It means that you should grant privileges directly, not via a role. That doesn't have to be a drawback, because in named PL/SQL procedures privileges acquired via roles don't work anyway, so you might end up with direct grants anyway.
Another option which you might consider is related to what you said:
when I tried to do something like below it says table or view does not exist
If you created a synonym for those tables, then you wouldn't get such an error.
A database link isn't an option, as you said: by using it, you have full access (you have to know the username/password to create the DB link, and that isn't really read-only access).
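The grants the answer describes, applied to the U32_C5 / MIG_SRC / MRGO_RO scenario from the question, as an added example that is not part of the original answer. The table name is the one from the question's sample script; which session runs each statement is given in the comments, and the synonym step is an assumption about where the short name should live.

```sql
-- Added example (not from the original answer): minimal grant path for the
-- scenario in the question, plus the synonym the answer suggests.

-- Step 1 (connected as MIG_SRC, the object owner): a one-time grant that only
-- the owner or a DBA can issue. Without it U32_C5 has nothing to forward.
-- The grantee must be a USER, because WITH GRANT OPTION cannot target a role.
GRANT SELECT ON mig_src.mig_src_test_tab TO u32_c5 WITH GRANT OPTION;

-- Step 2 (connected as U32_C5, the production process): forward the privilege.
-- This is the statement that previously failed with "table or view does not exist".
GRANT SELECT ON mig_src.mig_src_test_tab TO mrgo_ro;
-- A grant to ro_role (without GRANT OPTION) is also accepted, per the
-- documentation line quoted above ("other users and roles").

-- Step 3 (connected as MRGO_RO): a private synonym so the short name resolves.
-- U32_C5 would need CREATE ANY SYNONYM to create it in another schema,
-- so the owner of the read-only schema creates it (needs CREATE SYNONYM).
CREATE SYNONYM mig_src_test_tab FOR mig_src.mig_src_test_tab;

-- Checks from MRGO_RO: the grantor column shows U32_C5, not MIG_SRC.
SELECT owner, table_name, grantor, privilege, grantable
  FROM user_tab_privs_recd;

SELECT * FROM mig_src.mig_src_test_tab;   -- qualified name
SELECT * FROM mig_src_test_tab;           -- via the synonym

-- Anything beyond SELECT is still denied (ORA-01031: insufficient privileges).
INSERT INTO mig_src.mig_src_test_tab VALUES (1);
```

One consequence worth planning for: if MIG_SRC ever revokes the grant from U32_C5, Oracle cascades the revoke to the dependent grant, so MRGO_RO loses access at the same moment without any statement being run against MRGO_RO.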

Permission denied for materialized view base schema

I get this error when I'm selecting from a materialized view I created.
select * from mview_age_stats
This mview definition uses tables from an external schema, "ext", in its definition. I tried everything I could find online and gave permission at schema, table and every other level:
ALTER DEFAULT PRIVILEGES IN SCHEMA ext GRANT SELECT ON TABLES TO my_user;
GRANT USAGE ON SCHEMA ext to my_user;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA ext TO my_user;
GRANT SELECT ON ALL TABLES IN SCHEMA ext TO my_user;
my_user is also in a couple of different groups; I gave the same permissions to each group, and also more, like this:
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_only_group;
GRANT SELECT ON TABLE mview_age_stats TO GROUP read_write_only;
None of these worked. However, what I noticed is that I have a statement in my mview definition for transferring the ownership to a superuser, which my company uses in order to keep ownership of all tables. If I remove the ownership change it magically works, but I don't understand how moving the ownership would make a difference, since I'm granting permission to my_user anyway:
ALTER TABLE mview_age_stats OWNER TO main_user;

Grant select on future views snowflake

How can I grant select on all future views in a schema or database?
This works fine, but I want the role to have access to all future views too:
grant select on view <schema>.<view> to role <role>;
Any ideas?
Grant on future objects like this (using the ACCOUNTADMIN role):
Make sure USAGE is granted on the database and schema:
GRANT USAGE ON DATABASE <database> TO ROLE <role>;
GRANT USAGE ON SCHEMA <database>.<schema> TO ROLE <role>;
Grant select on future objects:
grant select on future tables [views] in schema <database>.<schema> to role <role>;
grant select on future views in schema <database>.<schema> to role <role>;
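A complete setup for a read-only reporting role, covering both the views that already exist and the ones created later, as an added example that is not part of the original answer. The database, schema, role and view names (ANALYTICS, REPORTING, REPORT_RO, V_DAILY) are assumed for illustration.

```sql
-- Added example (not from the original answer): existing plus future views
-- for one role, with the SHOW statements to verify the result. Names assumed.
USE ROLE ACCOUNTADMIN;

CREATE ROLE IF NOT EXISTS report_ro;
GRANT USAGE ON DATABASE analytics TO ROLE report_ro;
GRANT USAGE ON SCHEMA analytics.reporting TO ROLE report_ro;

-- FUTURE grants do not touch objects that already exist; use ALL for those.
GRANT SELECT ON ALL VIEWS IN SCHEMA analytics.reporting TO ROLE report_ro;

-- Views created from now on in this schema.
GRANT SELECT ON FUTURE VIEWS IN SCHEMA analytics.reporting TO ROLE report_ro;

-- Database-wide form: covers views in every schema of the database, but a
-- schema-level future grant on the same object type takes precedence and
-- the database-level one is ignored for that schema.
GRANT SELECT ON FUTURE VIEWS IN DATABASE analytics TO ROLE report_ro;

-- Inspect the pending future grants before relying on them.
SHOW FUTURE GRANTS IN SCHEMA analytics.reporting;
SHOW FUTURE GRANTS IN DATABASE analytics;

-- Confirm the effect on a new object: the role should appear in the grants list.
CREATE OR REPLACE VIEW analytics.reporting.v_daily AS SELECT 1 AS n;
SHOW GRANTS ON VIEW analytics.reporting.v_daily;

-- Check from the consumer side.
USE ROLE report_ro;
SELECT n FROM analytics.reporting.v_daily;
```

Future grants are a standing authorization: every view anyone creates in that schema becomes readable by REPORT_RO automatically, so review SHOW FUTURE GRANTS output periodically rather than only the grants on individual views.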

How does Oracle GRANT work?

As I understand it, in Oracle one schema is only for one user, and if you (the grantor) grant privileges to another user (the grantee) to access that schema, that schema is copied to the grantee's schema, while MySQL just provides access to the database without copying.
E.g. if user1 is schema1 and you grant privileges to user2 to access schema1, will those tables in schema1 be copied to the schema (say schema2) of user2? How does that work behind the scenes?
And,
if I grant only select privileges to user2 to access user1.table1, will table1 be copied to the schema of user2? Or does user2 only get access to table1 while table1 will still be in schema1?
GRANT SELECT ON user1.table1 TO user2;
Please help me understand how Oracle grant privileges work. Thank you.
that schema is copied to the grantee's schema
That's completely wrong.
The grantee only gets the privilege to access the tables in the other schema. To access the table the grantee needs to prefix the table reference with the grantor's schema:
e.g. user2 needs to run:
select *
from user1.table1;
Nothing is being copied; the query directly accesses the table in the other schema.
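A short session that makes the "nothing is copied" point observable, as an added example that is not part of the original answer. The names user1, table1 and user2 are the ones from the question; the column list and sample rows are constructed for illustration.

```sql
-- Added example (not from the original answer): a grant gives access in
-- place; the object stays in the grantor's schema. Sample rows constructed.

-- As user1: create the table, add a row, grant SELECT only.
CREATE TABLE table1 (id NUMBER PRIMARY KEY, note VARCHAR2(40));
INSERT INTO table1 VALUES (1, 'owned by user1');
COMMIT;
GRANT SELECT ON table1 TO user2;

-- As user2: the dictionary shows the object under USER1 and nothing under USER2.
SELECT owner, object_name, object_type
  FROM all_objects
 WHERE object_name = 'TABLE1';

-- The unqualified name is not visible in user2's schema:
-- ORA-00942: table or view does not exist
SELECT * FROM table1;

-- The qualified name works and reads user1's rows where they are.
SELECT * FROM user1.table1;

-- What user2 actually holds: one SELECT privilege received from USER1.
SELECT owner, table_name, grantor, privilege
  FROM user_tab_privs_recd;

-- As user1: a new row is visible to user2 on its next query, which a copy
-- could never do.
INSERT INTO table1 VALUES (2, 'still user1''s table');
COMMIT;

-- As user2: anything beyond the granted privilege is refused.
-- ORA-01031: insufficient privileges
INSERT INTO user1.table1 VALUES (3, 'denied');
```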

Vertica role grant not working

I am trying to set up a new role to make granting access rights easier. I was wondering if there is an easier way to give select on all tables (newly created tables should be accessible automatically) under a schema to selected users. I ran the following queries for this, but still my user is not able to access the specific table.
CREATE ROLE myrole;
GRANT SELECT ON myschema.mytable TO myrole;
GRANT usage ON schema myschema TO myrole;
CREATE USER mytest1 identified BY '***';
GRANT myrole TO mytest1;
After this, when I log in with the mytest1 user and try to run select on myschema.mytable, it asks me to grant usage on the schema to the user. After I grant usage on the schema to the user directly, it fails with permission denied for that table.
Please help with this. I am running Vertica 5.0.
Update:
I found that you also have to make that role the default, or explicitly set that role as default for the user session, for the role's effect to take place.
ALTER USER mytest1 DEFAULT ROLE myrole;
But still, my other question of how to make all tables under a schema accessible to specific users remains.
As per the Vertica SQL Reference Manual.pdf (page 725) (doc version 5.0 - for page numbers)
GRANT (Schema)
...
USAGE
Allows the user access to the objects contained within the
schema. This allows the user to look up objects within the
schema. Note that the user must also be granted access to the
individual objects. See the GRANT TABLE (page 727) ... .
"The user must also be granted access to the individual objects" means that you also need to GRANT on the table.
The two I use are GRANT SELECT and GRANT REFERENCES, which allow the user to run queries and join (reference) tables in the query.
Example:
GRANT SELECT ON TABLE [schema].[Table1] TO myUser;
GRANT SELECT ON TABLE [schema].[Table2] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table1] TO myUser;
GRANT REFERENCES ON TABLE [schema].[Table2] TO myUser;
...
6.0 doc reference GRANT SCHEMA (page 808) and GRANT TABLE (page 813).
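The whole sequence from the question and the answer in one script, with the two pieces that were missing (enabling the role in the session, and object-level grants on top of USAGE), as an added example that is not part of the original thread. The schema, table, role and user names are the ones from the question. The ALL TABLES IN SCHEMA form and the inherited-privilege statements at the end are from later Vertica releases, not the 5.0 manual quoted above; treat them as an assumption to check against the docs for the version in use.

```sql
-- Added example (not from the original thread): read-only role in Vertica.
-- Names from the question. Statements marked "later releases" are assumptions
-- to verify against the installed version's documentation.

CREATE ROLE myrole;

-- USAGE on the schema only lets the role look objects up; it grants no reads.
GRANT USAGE ON SCHEMA myschema TO myrole;

-- Object-level privileges are still needed per table.
GRANT SELECT     ON myschema.mytable TO myrole;
GRANT REFERENCES ON myschema.mytable TO myrole;

CREATE USER mytest1 IDENTIFIED BY '***';
GRANT myrole TO mytest1;

-- A granted role is inactive until enabled. Make it the default so every new
-- session of mytest1 has it without an explicit SET ROLE.
ALTER USER mytest1 DEFAULT ROLE myrole;

-- In a session that is already open, enable it by hand and confirm.
SET ROLE myrole;
SHOW ENABLED_ROLES;

-- Effective-access check, run as any user who can read the catalog.
SELECT HAS_TABLE_PRIVILEGE('mytest1', 'myschema.mytable', 'SELECT');

-- Existing tables in one statement (later releases; assumption).
GRANT SELECT ON ALL TABLES IN SCHEMA myschema TO myrole;

-- Tables created later: schema-level SELECT plus inherited privileges, so new
-- tables pick up the schema's grants automatically (later releases; assumption).
GRANT SELECT ON SCHEMA myschema TO myrole;
ALTER SCHEMA myschema DEFAULT INCLUDE PRIVILEGES;
```

Granting USAGE directly to the user, as the question tried, only moves the failure one step later: the lookup succeeds and the table read is then refused, which is the behaviour the quoted manual text describes.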