Grant SELECT permission on a view, but not on underlying objects - sql

I often read that one purpose of a VIEW is security: to allow some users access to the underlying table, and other users to a derived view only. With that in mind I designed several views that supply restricted datasets to external users.
All very fine, but in practice this doesn't work. After I grant SELECT permission on a view, the users can't access it unless I grant SELECT on all underlying objects too. Same story for stored procedures. The net result is non-functional, for I end up still granting access to sensitive data to the wrong users, as well as annoying, for it is easy to forget one object and the users come back to complain that the view "doesn't work".
Is there a way to grant SELECT permissions on a view or stored procedure without having to expose the underlying objects too?

Does the same user who owns the view also own the underlying tables? If not, the owner of the tables needs to grant the view owner permission WITH GRANT OPTION. If the same user owns both the tables and the view, then granting permission on the view should be sufficient.

You might find the information in this forum helpful.
The last post has the details of what was run to grant permissions to a view but not the underlying tables:
CREATE USER [Reports] FOR LOGIN [Reports] WITH DEFAULT_SCHEMA = Reports
CREATE SCHEMA Reports AUTHORIZATION Reports --Auth as Reports was the key piece of information that I had missed.
GO
CREATE ROLE Reporting AUTHORIZATION db_securityadmin
GO
exec sp_addrolemember #rolename = 'Reporting', #membername = 'Reports'
GO
GRANT CREATE VIEW TO Reporting
GRANT CREATE TABLE TO Reporting
GRANT SELECT, VIEW DEFINITION ON [dbo].[zName] TO Reporting;
FYI - For stored procedures, you should be granting EXEC to the procedure.

If you have your views in a different schema than the table, you must either grant the user access to the base table, "AUTHORIZE" the owner of the tables to the view like this:
ALTER AUTHORIZATION ON reporting.MyViewName TO dbo
In the example above dbo is the user owning the tables the reporting.MyViewName is accessing

Related

'dbo' user should not be used for normal service operation

When I scan my database, it shows one of the result like VA1143 'dbo' user should not be used for normal service operation in A Vulnerability Assessment scan
They have suggested to "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions."
I have browse regarding the same to all form but cannot get the correct suggestion yet. Could you please suggested your idea or where i have to create the user and grand the permission. Since we have only one schema structure in our DB.
About "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions.", the first thing you should know is the Database-Level Roles.
Create users with low privileges means that the use does not have the alter database permission.
When we create the user for the database, we need to grant the roles to it to control it's permission to the database.
For example, bellow the the code which create a read-only user for SQL database:
--Create login in master DB
USE master
CREATE LOGIN reader WITH PASSWORD = '<enterStrongPasswordHere>';
--create user in user DB
USE Mydatabase
CREATE USER reader FOR LOGIN reader;
GO
--set the user reader as readonly user
EXEC sp_addrolemember 'db_datareader', 'reader';
For more details, please reference:
Authorizing database access to authenticated users to SQL Database
and Azure Synapse Analytics using logins and user accounts
Hope this helps.
When designing and building databases, one the principal mechanisms for security must be the "least privilege principal". This means that you only give permissions that are absolutely necessary. No application should need to be the database owner in order to operate. This role should be highly restricted to only administration types. Instead, you create a more limited role for the application. It can include access to every single table, all the procedures, but it won't be able to do things like, for example, drop the database.
This is step one to a defense in depth of your system in order to properly and appropriately secure it. It helps with all levels of security issues from simple access to SQL Injection. That's why it's included as part of the vulnerability assessment. It's a real vulnerability.
Yes resolved the issue after creating the least privilege role and assigned to the user. But its leading to different below vulnerable issue's for the newly added user with least privilege role. Any lead will be helpful on this
1.VA2130 Track all users with access to the database
2. VA2109 - Minimal set of principals should be members of fixed low impact database roles

Unable to grant myself access to tables that I created in Oracle

I have an Oracle DB and I am using the system username. Using C# I created a few tables using the system username/password. When I log into sql developer and view the privileges on that table, it does not show the system user (which has a dba role and a MGMT_USER role) as having select/insert/update/delete permissions (or any permissions for that matter).
"You may not GRANT/REVOKE privileges to/from yourself"
Why does my admin user not have access to these tables and how do I get it?
What #TenG said - you can't grant privs on objects you own to yourself - you have those privs inherently as the OWNER.
More importantly, DO NOT use the SYSTEM account to create objects, especially don't create them IN the SYSTEM schema.
Use SYSTEM to create your application user, log in as THAT user, and THEN create your objects.
In Oracle, being the owner of the means you have implicit grants on the tables.
No need to grant privs to yourself on your own objects.

SQL Server - Query to view permissions on every table in database

We are using DB project to track Db changes and a standard XML file to publish the changes locally, to test server, Production etc. At the moment we are just copy pasting code like below to Grant permissions to new tables we create.
GRANT SELECT
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT UPDATE
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT INSERT
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
GRANT DELETE
ON [dbo].[OrganisationSite] TO [Company_FullAccess]
AS [dbo];
GO
This is prone to error as we could forget to grant a specific permission.
Is there any way to create a SQL query, to view the permissions granted for each table in the database? So we can check to see what permissions have been granted.
Also, any advice on making this more robust would be appreciated.
The best idea in this case is to use ROLE, and add members as needed.
From the documentation:
Roles are database-level securables. After you create a role, configure the database-level permissions of the role by using GRANT, DENY, and REVOKE
That will make it easy after you create ROLES as needed, you can just add members on it, no need to check every member permissions.

Grant User only access to use SQL Admin (read only) without accessing SQL DB content?

Our SQL administrator is currently ill and in the hospital however we have an upcoming security audit from the SQL cluster. Therefore we would like to grant the security auditor now read only access so that he can see all settings (primary which DB has which settings and which users are created). But the auditor shouldn´t have any rights to access DB content. Could that be performed? If yes how?
As Per my understanding you are looking for this solution where you want only definition access to user not the data reader operation access.
If this is the case then You can do it using GRANT Schema Permissions (Transact-SQL)
The VIEW DEFINITION permission lets a user see the metadata of the securable on which the permission is granted. However, VIEW DEFINITION permission does not confer access to the securable itself. For example, a user that is granted only VIEW DEFINITION permission on a table can see metadata related to the table in the sys.objects catalog view. However, without additional permissions such as SELECT or CONTROL, the user cannot read data from the table.
For more details go through the link
For grant access to different functionality of SQL Server you can go through the following link
GRANT PERMISSION

SQL 2005 database roles and security

I've moved to creating/using schemas in Sql Server 2005, where I've also created database roles and assigned schemas to the roles.
The problem I have is one of the db roles I have should have full access - say SuperSysRole.
However, when I assign a login to that role, it cannot execute specific commands. In particular, I want a user within this role to manage password resets. However, when I execute the stored procedure, it does not return back all users in the database.
The stored procedure has been run which returns back the details and calls a view which integrates the sysusers and sysmembers tables.
The user, say myAdmin, has been assigned to the role SuperSysRole. The role SuperSysRole has been granted execute to the stored procedure selectRoles.
It's probably a simple thing but can someone please tell me what I am missing?
My application authenticates using the myAdmin user name and password. It works fine when I login with the sa account.
Database role membership is queryable through the sys.database_principals and sys.database_role_members catalog views, which are the proper catalog views to use instead of the deprecated sysusers and sysmembers. Both have the same security restrictions:
In SQL Server 2005 and later versions,
the visibility of the metadata in
catalog views is limited to securables
that a user either owns or on which
the user has been granted some
permission.
The necessary permissions are listed in GRANT Database Principal Permissions: VIEW DEFINITION. There is no permission that can be granted to view any principal and role definition.
Your best option is to create a procedure that selects from the proper metadata catalog views and sign this procedure with a credential that is added into the db_securityadmin role. See Signing an Activated Procedure for an example how to sign a procedure. The grant EXECUTE on this procedure to whoever required to view these principals and role memberships.
However, all of this will get you nowhere with regard with the declared intent: manage password resets. Only server principals (aka. logins) have passwords, and any scheme designed at the database principals level can have no effect on server principals, since they are the wrong abstraction. And since there are no server roles to define (you can only have Windows groups as roles, but you want to use SQL Auth), you cannot have this done by role membership.
My recommendation is, again, to use code signing. Create procedures that do the activities you want (query sys.server_principals and sys.sql_logins to inspect password expiration, issue ALTER LOGIN statements to reset passwords etc) then use code signing to sign these procedures and grant the required privileges to the signature. I refer you again to Signing an activated procedure for an example how to do that. Then grant EXECUTE on these procedures to the 'special' users that have to manage these.