I have a database called ADB.
When I create a new user/role, that user cannot, by default, SEE ADB and query against the tables in it.
How can I change that default?
Depending on how you create roles, it may be that your database does not give access rights to the 'public' role (which by default is what new roles belong to). You could grant all rights on the database to public, or make the new role a sub-role of whatever role does have access rights to it.
Related
My Database dbo.MyDb currently allows database-level access to a bunch of users.
However I now have a table in dbo.MyDb called "MyDbTable", which only specific users should be able to access. I don't want to DENY access to MyDb users because then we would have to deny access to new users manually every time a new user gets added. I want to only allow specific users (for example a guy named "user1") to access MyDbTable. No other user should be able to access MyDbTable.
Question 1: Is there a way to achieve this?
Question 2: If we can do only-allow, does that mean that only "user1" can make changes to that table from an app like a C#/.NET backend app (by passing in his username and password along with the connection string)?
Add schema-level permissions to all existing schemas to the existing users.
Drop the database-level permissions from the existing users.
Test
Make a new schema
Move your new table to the new schema.
Grant permissions on the new schema to only some users.
If you want to retain database-level permissions, you're going to need to DENY, because a database level permission is, in fact, a database level permission.
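The steps in the answer above, written out as T-SQL (an added example, not part of the original answer). The schema name Restricted and the user existing_user are hypothetical, and it assumes existing users got their access either through a database-level GRANT or through db_datareader/db_datawriter membership.

```sql
-- Added example. Restricted and existing_user are hypothetical names;
-- MyDbTable and user1 come from the question.

-- 1. Give existing users schema-level permissions on the existing schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO existing_user;
GO

-- 2. Drop their database-level permissions. Run only the statements that
--    match how the access was originally given.
REVOKE SELECT, INSERT, UPDATE, DELETE FROM existing_user;  -- database-level GRANT
ALTER ROLE db_datareader DROP MEMBER existing_user;         -- fixed-role membership
ALTER ROLE db_datawriter DROP MEMBER existing_user;
GO

-- 3. Test: the user should still hold SELECT on the old schema.
EXECUTE AS USER = 'existing_user';
SELECT HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'SELECT') AS existing_user_reads_dbo;
REVERT;
GO

-- 4. Make a new schema.
CREATE SCHEMA Restricted AUTHORIZATION dbo;
GO

-- 5. Move the table. Permissions that were granted directly on the table
--    are dropped by the transfer, so nothing old carries over.
ALTER SCHEMA Restricted TRANSFER dbo.MyDbTable;
GO

-- 6. Grant permissions on the new schema to only the intended users.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::Restricted TO user1;
GO

-- Confirm the split: run the same permission check as each user and compare.
EXECUTE AS USER = 'existing_user';
SELECT HAS_PERMS_BY_NAME('Restricted.MyDbTable', 'OBJECT', 'SELECT') AS existing_user_reads_table;
REVERT;
EXECUTE AS USER = 'user1';
SELECT HAS_PERMS_BY_NAME('Restricted.MyDbTable', 'OBJECT', 'SELECT') AS user1_reads_table;
REVERT;
GO
```

Members of db_owner and server-level administrators are not affected by these grants and keep access to the moved table.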
Would every user who uses my database have a role? Is it more administrators who will have roles, people who need access to all the tables?
Also, I am unable to offer table-level privileges to a role and offer that to a user; it just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal? Should I be able to offer table-level privileges to a role or do I have to manually offer each of my users the table level privileges?
Would every user who uses my database have a role?
That depends on how you (or, should I rather say, DBA) set it up.
Quite a long time ago, say until Oracle 8i, there were 2 very popular roles: connect and resource so when DBA created a new user, they simply ran
grant connect, resource to new_user;
and the new_user was ready to go as those roles provided most needed privileges such as create session, create table or create view (check documentation for more info about those predefined roles).
However, it turned out that not everyone should be granted e.g. create cluster (which is one of connect's privileges) so nowadays you should create your own roles, if you want - then grant certain privileges to those roles and, finally, grant roles to your users.
Another option is to keep .sql scripts for each of your users. That script should contain a list of privileges granted to those users, separately, which means that you shouldn't grant anyone a privilege they don't really need.
I am unable to offer table-level privileges to a role and offer that to a user. it just won't work. I have to offer the privileges directly onto the user for them to work. Is that normal?
It works, but not everywhere. Those privileges (the ones granted via roles) won't work in named PL/SQL procedures (i.e. stored procedures, functions, packages). If you have to use those tables in them, yes - you have to grant privileges directly to each of those users.
As opposed to named PL/SQL procedures, privileges granted via roles will work in anonymous PL/SQL blocks or at SQL level.
If you're wondering why would you use roles at all, then, the answer is my first sentence: it depends.
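The difference described in this answer, as an Oracle script (an added example, not part of the original answer). The names app_reader, app_user, data_owner.orders and count_orders are hypothetical, and app_user is assumed to already hold CREATE SESSION and CREATE PROCEDURE.

```sql
-- Added example; all object, role and user names are hypothetical.

-- As a DBA: give the table privilege through a role only.
CREATE ROLE app_reader;
GRANT SELECT ON data_owner.orders TO app_reader;
GRANT app_reader TO app_user;

-- As app_user: the role is active at SQL level ...
SELECT COUNT(*) FROM data_owner.orders;

-- ... and in an anonymous PL/SQL block.
DECLARE
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM data_owner.orders;
END;
/

-- As app_user: a named procedure is compiled without role privileges,
-- so the same query does not compile here (ORA-00942, table or view
-- does not exist, reported as a compilation error).
CREATE OR REPLACE PROCEDURE count_orders AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM data_owner.orders;
END;
/

-- Check from SQL what a named procedure will see: switch all roles off
-- for the session, repeat the query, then switch them back on.
SET ROLE NONE;
SELECT COUNT(*) FROM data_owner.orders;
SET ROLE ALL;

-- Fix, as a DBA: grant the privilege directly to the user that owns the
-- procedure, then recompile it.
GRANT SELECT ON data_owner.orders TO app_user;
ALTER PROCEDURE app_user.count_orders COMPILE;
```

Running the query under SET ROLE NONE is a quick way to find which role-granted privileges also need a direct grant before code is moved into stored procedures.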
I have an Oracle DB and I am using the system username. Using C# I created a few tables using the system username/password. When I log into sql developer and view the privileges on that table, it does not show the system user (which has a dba role and a MGMT_USER role) as having select/insert/update/delete permissions (or any permissions for that matter).
"You may not GRANT/REVOKE privileges to/from yourself"
Why does my admin user not have access to these tables and how do I get it?
What #TenG said - you can't grant privs on objects you own to yourself - you have those privs inherently as the OWNER.
More importantly, DO NOT use the SYSTEM account to create objects, especially don't create them IN the SYSTEM schema.
Use SYSTEM to create your application user, log in as THAT user, and THEN create your objects.
In Oracle, being the owner of the means you have implicit grants on the tables.
No need to grant privs to yourself on your own objects.
I have got myself into a little bit of a bind, using SQL Server Management Studio to create a database in Azure SQL. My issue appears to be with assigning roles to users in the database. When I created the database, it prompted me to create a new login, with an associated user, that appeared to have all the rights of a database owner. However, I am now trying to create two additional logins and I realize I am screwed. The login that I created when I made the database isn't the database owner, even though I could do all the DDL / DML necessary to create the full schema under that account. I created an additional login, and I added two users to that login. I now want to add that login to a role (db_datareader, db_denywrite) but I cannot.
It appears that the database owner is a user / login called "dbo" that I did not set up. This is the only user that is added as a database owner, and subsequently is the only one that can edit roles. But I do not know the login credentials for this user!
If I use what I believed to be the administrator account (the one I made) to add a role I get the error:
Cannot alter the role 'db_datareader', because it does not exist or you do not have permission.
How can I fix this? How can I get my original account added as a DB Owner? There has got to be a way, but everything I tried points to the fact that I am not the owner of the resource I created; I'm an outcast in my own country...
Thanks!
I created a schema and set a schema owner on it.
What can the owner do, as owner, that a user with permission can't do?
Why does the schema need an owner?
Unless designed by means of permissions being in place, by default there is little difference. I.e. on a stock SQL Server installation, the owner and a regular user would have similar permissions set up. The difference being that the owner cannot be dropped from the database, and normal users cannot revoke permissions or privileges from an owner.
From Microsoft Docs:
You cannot remove privileges from an object owner, and you cannot drop
users from a database if they own objects in it.
Things get more interesting once specific permissions have been set up, though. Imagine normal users are denied permission to read data from tables. The owner in that case would be able to see the data in the table, while regular users would not.