I want to restrict some MS SQL Server users. For example, one user should just be able to see 2 columns of "Customers" table and none other. And this user shouldn't be able to create any manipulation queries. But one user should be able to do everything on all tables and all columns. How do I do that?
BR,
Çağın
Create a view that only selects the two columns in question. Then remove the select, update and insert grants from the original table, and only grant the user select on the new view.
I found a way like this:
Click securables tab from user name on database's security.
Click search button and choose object type. (I need just tables)
Click Browse and choose table(s) and click OK
Choose Explicit and click Column Permissions
Choose Columns and click OK
It is working for my situation.
Use the datareaders role to restrict write access, and use a view to hide columns. Remove the select right on the table to prevent a query directly on it.
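The two approaches from the answers above (a two-column view, and an explicit column-level grant) written out as T-SQL. This is an added example, not code from any of the posts; the column names CustomerName and City, the view name, and the users report_user and power_user are assumptions.

```sql
-- Added example. Assumed names: CustomerName, City, CustomerContacts,
-- report_user (restricted) and power_user (unrestricted).
-- Use approach 1 or approach 2 for the restricted user, not both.

-- Approach 1: expose only the two columns through a view.
CREATE VIEW dbo.CustomerContacts
AS
    SELECT CustomerName, City
    FROM dbo.Customers;
GO

-- Remove direct table rights granted earlier, then grant the view only.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Customers FROM report_user;
GRANT SELECT ON dbo.CustomerContacts TO report_user;
-- View and table share an owner (dbo), so ownership chaining lets
-- report_user read through the view with no permission on the table.
GO

-- Approach 2: column-level grant on the table itself, the T-SQL
-- equivalent of the "Column Permissions" dialog.
GRANT SELECT (CustomerName, City) ON dbo.Customers TO report_user;
GO

-- The unrestricted user: read and write on every table via fixed roles.
EXEC sp_addrolemember 'db_datareader', 'power_user';
EXEC sp_addrolemember 'db_datawriter', 'power_user';
GO

-- Check the result from the restricted user's point of view.
EXECUTE AS USER = 'report_user';
SELECT subentity_name, permission_name
FROM fn_my_permissions('dbo.Customers', 'OBJECT');
-- With approach 2, SELECT * is rejected because it touches columns
-- that were not granted; the two named columns can be selected.
SELECT CustomerName, City FROM dbo.Customers;
REVERT;
GO
```

A REVOKE only removes rights granted directly to that user; rights inherited from a role such as db_datareader still apply and have to be removed by changing the role membership.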
I've a requirement to keep a user table for granting access to an application where there's a password field which has to be masked.
How to go about it?
Example: If you query select * from PG_USER; in Redshift, you'd see, the password column values are shown as *****. How to do exactly that for my custom table?
If there is a column in a table that you do not wish particular users to see, then:
Do not grant them permission to use the table
Use CREATE VIEW to select all columns you do wish them to be able to view
Grant them permission to use the view
Tell them to use the view instead of the table (they operate identically)
Or, create a table without the offending column and grant them permission to use that table.
Following post shows how to implement encryption UDF in Redshift with some data protection best practices.
https://techsboot.com/blogs/redshift/encrypt_decrypt_udf_using_pyaes/
I am using SQL Server 2012.
I have a table which contains two columns. One is called Directory, the other UserName.
To explain my problem I think a simple example is easier.
So this table has 3 users. In the UserName column, only the 3 users' usernames can be entered plus one other entry called Default.
Directory    UserName
C:\Blah      Bob
C:\BlaF      Brad
C:\BlaK      Dave
C:\BlaPP     Default
C:\Anoth     Default
What I would like to know is if it is possible to allow only two of the users to be able to insert, delete records with the username Default and the other user to be able to only select the records with Default.
Is this possible?
Update
After doing some reading, is it not possible to do this using an Instead of trigger? So in my understanding this trigger will fire before an insert, update or delete query is executed. So I was thinking in the trigger if I could check the host PC (users on my team will only be using their computer) to see who it is trying to insert, update or delete and if it's a user who doesn't have permission to edit the default list then exit the trigger and don't update the table. Or am I missing something?
Instead of giving users direct access to the table, give the first two users access to a stored procedure that inserts to the table, and only inserts "Default" for the username.
Give the third user access to a view (or stored procedure) that only selects records where username="Default".
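The stored-procedure-plus-view arrangement from this answer, written out as an added example (not code from the post). The table name dbo.UserDirectories, the object names, and the choice of Bob and Brad as the two editing users and Dave as the read-only user are assumptions; all three must already exist as database users.

```sql
-- Added example. Assumed names: dbo.UserDirectories (the two-column table),
-- DefaultDirectories, AddDefaultDirectory, RemoveDefaultDirectory.
-- No user is granted any permission on the table itself.

-- Read path: only the rows whose UserName is 'Default' are visible.
CREATE VIEW dbo.DefaultDirectories
AS
    SELECT Directory, UserName
    FROM dbo.UserDirectories
    WHERE UserName = 'Default';
GO

-- Write path: the caller supplies the directory only; the user name is
-- fixed inside the procedure, so no other value can be inserted.
CREATE PROCEDURE dbo.AddDefaultDirectory
    @Directory nvarchar(260)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.UserDirectories (Directory, UserName)
    VALUES (@Directory, 'Default');
END;
GO

-- Delete path: the WHERE clause pins UserName, so rows belonging to
-- Bob, Brad or Dave cannot be removed through this procedure.
CREATE PROCEDURE dbo.RemoveDefaultDirectory
    @Directory nvarchar(260)
AS
BEGIN
    SET NOCOUNT ON;
    DELETE FROM dbo.UserDirectories
    WHERE Directory = @Directory
      AND UserName = 'Default';
END;
GO

-- Two users may add and remove Default rows; the third may only read them.
GRANT EXECUTE ON dbo.AddDefaultDirectory    TO Bob, Brad;
GRANT EXECUTE ON dbo.RemoveDefaultDirectory TO Bob, Brad;
GRANT SELECT  ON dbo.DefaultDirectories     TO Dave;
GO
```

Because the decision rests on the database principal rather than on the client host name, it still holds when a user connects from a different machine.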
all!
I have a db with tables User and Group, which represent entities in some application. But at the same time there are database users and database groups with the same names. I need to anonymize the database. It's easy to change db tables, e.g. update User set "Name" = "John",... where Id = 100500
But what to do with db users and db groups?
My first thought was to drop user and then create a new one:
drop user John;
create user njoh identified by 'pswd' login policy "root";
But belonging to groups is lost in the approach.
Is there any kind of rename method for db users in Sybase Anywhere 11?
Also I don't know how to change last log-in time and comments for a db user.
The same problem with groups. I didn't try to 'drop groups', 'cause I don't know if there is a possibility in Sybase Anywhere 11.
Could anyone tell me the truth - does the problem have a solution?
No, there is no way to rename an existing user. You can certainly drop it and create a new user but like you said, any group memberships are lost, as are permissions granted on objects like tables and procedures.
The only way to change the last login time for a user is by logging in. You can change the comment on a user by using comment on user is '<string>'.
There is no drop group statement - a group in SQL Anywhere (versions 12 and older) is simply a user with "group authority", so to drop a group you would use revoke connect from <group name>.
Disclaimer: I work for SAP in SQL Anywhere engineering.
I'm writing a simple utility that will allow our users to run simple select SQL statements on the DB to retrieve data they require. Just a textbox and a button and when they click the button it will spit out the query results in a list.
The problem I have is I only want them to be able to run SELECT statements. I don't want any edit statements to be executed i.e. update, insert, delete, drop etc.
Is there a simple way to parse a sql string to make sure it's only a read only select statement entered?
A better way would be to use SQL permissions. As a datareader, your users will only be able to SELECT. exec sp_addrolemember db_datareader, <user>
Best way to deal with this is by creating a user that only has limited permissions.
If you want to allow users to read data from all tables then you can go with what Steve D already suggested.
If you want to allow users to read data from only some tables but not all then you need to create a user that only has ‘public’ role and then GRANT SELECT for specific tables.
Make sure user only has ‘public’ selected here for a given database
Then just execute this query for all tables
grant select on <schema>.<table> to <user>
Hi Experts
How can I prevent a database user from deleting any data in tables using triggers?
I want just Admin to delete data from tables
Thanks
Umm, take away that user's permission? If you don't want them doing something, 'disallow' them that right... that's why we have permissions.
Here are details on how to revoke permissions:
http://msdn.microsoft.com/en-us/library/ms186308.aspx
Any particular reason you want to use triggers?
You could simply remove the DELETE permission from the users you want to restrict. Have a look at the "Permissions" section here: http://msdn.microsoft.com/en-us/library/ms189835.aspx
EDIT: Since you say you do want to use triggers (but I really think you should reconsider) you can create a table such as:
CREATE TABLE Restricted_Users
(
    user_name VARCHAR(40) PRIMARY KEY -- Use a size appropriate to your requirements
)
Create INSTEAD OF DELETE triggers on all your tables (that's going to be a chore) which checks for the USER_NAME() in the Restricted_Users table and if they EXIST you can call RAISERROR to cause the transaction to be rolled back and display a message to the user.
Remember you will have to maintain these triggers on all new tables added to the database as well as maintaining the list of users in the Restricted_Users table whenever you add/remove users from the database.
It would be a lot simpler to use the permission system available in SQL Server (it's what it's designed for) using roles with appropriate permissions set for the tables. Then, when adding new users you only have to assign them to the appropriate role and the delete permissions are handled for you.
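The trigger described in this answer for a single table, followed by the role-based setup it recommends instead. This is an added example, not code from the post; the table dbo.Orders with key column OrderId and the role name data_editors are assumptions, and Restricted_Users is the table defined in the answer.

```sql
-- Added example. Assumed names: dbo.Orders, OrderId, data_editors.

-- Trigger approach: one trigger like this is needed on every table.
CREATE TRIGGER dbo.trg_Orders_RestrictDelete
ON dbo.Orders
INSTEAD OF DELETE
AS
BEGIN
    SET NOCOUNT ON;

    IF EXISTS (SELECT 1
               FROM dbo.Restricted_Users AS r
               WHERE r.user_name = USER_NAME())
    BEGIN
        -- An INSTEAD OF trigger replaces the DELETE, so returning here
        -- without deleting leaves the rows in place.
        RAISERROR('You are not permitted to delete rows from this table.', 16, 1);
        RETURN;
    END;

    -- Everyone else: perform the delete the trigger intercepted.
    DELETE o
    FROM dbo.Orders AS o
    INNER JOIN deleted AS d ON d.OrderId = o.OrderId;
END;
GO
-- TRUNCATE TABLE does not fire DELETE triggers, so the trigger alone does
-- not cover a user who also holds ALTER permission on the table.

-- Permission approach: a role that can read and change rows but was
-- never granted DELETE. Nothing per-table needs to be maintained.
CREATE ROLE data_editors;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO data_editors;
GO
-- For a user who inherits DELETE from another role, an explicit DENY
-- overrides that grant:
-- DENY DELETE ON SCHEMA::dbo TO <user>;
```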