I have one database table which contains 8 columns. One of the columns is called IsAdmin (its data type is Bit). I have to show the user list in a grid view if and only if the signed-in user is an admin.
How can I do this? Which clause is used for this?
Not entirely sure that I understand you correctly. Is the "user list" that you're looking to display also the table that you're selecting from? My understanding is that this is what you need:
if exists (
select *
from MyUserList
where IsAdmin = 1
and UserName = SUSER_NAME()
)
begin
select *
from MyUserList /* Or whatever you need to do if the user is admin */
end
else
begin
/* Do whatever you need to do if the user is not an admin */
end
To me, it doesn't sound like you need a clause; this should be handled by business logic in your application.
e.g. if you only want to show the list if the signed-in user is an admin, then there's no point in running the query if the user is NOT an admin - it's a round trip to the db that is unnecessary.
Instead, in your application just have some logic that says "if the signed-in user is an admin then populate the grid view, else don't"
I would probably recommend that this be done in the application instead of in SQL. Let the application do the checks on who is an admin and place that into a session or cookie and when the page loads do a check of the session/cookie to ensure the user is an admin and if they are show the information.
If you want it in SQL you should provide some additional information such as table structure and table names.
Matt
The solution is quite simple, as you need to select specific data if the user is in the admin role, and otherwise other data (or nothing) may be selected, so use the following code:
select * from [UserList] where IsAdmin = #UserRole and UserID = #UserID
In this case you will select data relevant to this user ID and his role.
Hope that this is helpful according to my understanding of the problem.
I need a procedure to get the custom packages of all users in the database. I am giving a step-by-step explanation and I need the query or some clues for how to display and select a specific user.
1. List the database users which are already in the database.
2. Select one specific user, for example Ranjith, by an input method.
3. After selecting the user, display the custom packages of the selected user.
4. Next, display the source code of all custom packages of the selected user.
For step 1: SELECT USERNAME FROM DBA_USERS (it will display all the users from the database; after that I need to select specific users to display custom packages)
Thank you.
select object_name from dba_OBJECTs where owner = '{schema}' and object_type in ('FUNCTION','PACKAGE','PROCEDURE'); -- get user function,pkg, procedure.
select * from dba_source where owner = '{schema}' and name = '{object_name}' order by type,line asc; -- view source of objects.
If you want extract ddl of object, you use dbms_metadata.
select name,text from dba_source where owner = '{user}' and type in ('PACKAGE' ,'PACKAGE BODY','FUNCTION','PROCEDURE')
order by name,type,line asc; -- return all source code for the specified user
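An added Oracle example, not part of any of the answers above, that carries the same steps through DBMS_METADATA as the answer mentions: it lists candidate users, then returns complete DDL for every custom package, function and procedure owned by the chosen user. It assumes DBA or SELECT_CATALOG_ROLE access and a bind variable :schema supplied by the caller; the ORACLE_MAINTAINED column exists from Oracle 12c onward.

```sql
-- Oracle. Added example; :schema is a bind variable holding the user picked in step 2.

-- Step 1: candidate users. ORACLE_MAINTAINED is 12c+; on older releases
-- exclude the Oracle-supplied accounts by name instead.
SELECT username
FROM   dba_users
WHERE  oracle_maintained = 'N'
ORDER  BY username;

-- Steps 3 and 4: custom PL/SQL units of the chosen user with their full DDL.
-- dba_objects reports 'PACKAGE' and 'PACKAGE BODY', while DBMS_METADATA expects
-- PACKAGE_SPEC / PACKAGE_BODY (plain 'PACKAGE' would return spec and body together
-- and so duplicate the body), hence the CASE mapping.
SELECT o.owner,
       o.object_name,
       o.object_type,
       DBMS_METADATA.GET_DDL(
           CASE o.object_type
               WHEN 'PACKAGE'      THEN 'PACKAGE_SPEC'
               WHEN 'PACKAGE BODY' THEN 'PACKAGE_BODY'
               ELSE o.object_type
           END,
           o.object_name,
           o.owner) AS ddl
FROM   dba_objects o
WHERE  o.owner = UPPER(:schema)
AND    o.object_type IN ('PACKAGE', 'PACKAGE BODY', 'FUNCTION', 'PROCEDURE')
ORDER  BY o.object_name, o.object_type;
```

Reviewing the DDL this way (rather than one dba_source row per line) also makes it easy to diff a user's PL/SQL against a known-good copy when checking for unexpected changes.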
I need to run queries as a "user" which is a record in a table, with permissions based on a record value of that user.
I have a database with a tUsers Table, such as:
ID Username Email Role
1 Pieman mail.com Admin
2 Cakedude mail.co.uk Receptionist
3 Muffin gh.com Other
I need to have it so only "users"/records with "Role" of "Admin" can view and edit the table, and "Receptionist" view it etc.
I know of and use GRANT for permissions, but don't know how to run a query as a user based on a table record and to have the permission only GRANTED if that user's role is "Admin"
So if I have:
USE DB1;
GRANT SELECT ON OBJECT::tUsers TO Admins;
GO
SELECT * FROM tUsers
How do I make that run as, say, the tUser with ID 1, and the GRANT apply only if the user's role = "Admin"?
I'm sure I've seen this done before.
I'm fairly new and still learning the correct terminology, so if this is a duplicate question, or is essentially just describing an SQL function, sorry.
I don't think you can grant or revoke permissions to users in your own user table. However, you can of course restrict queries based on your own user table.
One solution is to do it in your application: verify permissions before you do anything for the user.
Another solution is to use stored procedures which take the user id as a parameter and do the checking for you in a central place.
The third one is to use parameterized views where you filter out entries one user can't access.
There are other solutions, but the basic idea is that you need to check permissions yourself somehow instead of asking the DBMS server to do it for you.
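For both the admin-only grid question at the top of the page and this one, an added T-SQL example (not code from any of the answers) that implements the second and third options above: a central role check, a stored procedure that returns the user list only to an admin, and an inline table-valued function acting as a parameterized view. The tUsers table mirrors the one in the question with the IsAdmin bit column from the first question added; rows and the procedure and function names are constructed for illustration.

```sql
-- T-SQL (SQL Server 2012+). Added example; table contents are constructed.
CREATE TABLE dbo.tUsers (
    ID       INT           NOT NULL PRIMARY KEY,
    Username NVARCHAR(50)  NOT NULL UNIQUE,
    Email    NVARCHAR(100) NOT NULL,
    Role     NVARCHAR(20)  NOT NULL,
    IsAdmin  BIT           NOT NULL DEFAULT 0
);
INSERT INTO dbo.tUsers (ID, Username, Email, Role, IsAdmin) VALUES
    (1, N'Pieman',   N'pieman@example.com',   N'Admin',        1),
    (2, N'Cakedude', N'cakedude@example.com', N'Receptionist', 0),
    (3, N'Muffin',   N'muffin@example.com',   N'Other',        0);
GO

-- Central permission check: the one place that decides what a caller may do.
CREATE FUNCTION dbo.fnUserHasRole (@CallerID INT, @Role NVARCHAR(20))
RETURNS BIT
AS
BEGIN
    RETURN CASE WHEN EXISTS (SELECT 1 FROM dbo.tUsers
                             WHERE ID = @CallerID AND Role = @Role)
                THEN 1 ELSE 0 END;
END;
GO

-- Returns the user list only when the caller is an admin. The application is
-- granted EXECUTE on this procedure, not SELECT on the table, so the check
-- cannot be bypassed by querying dbo.tUsers directly.
CREATE PROCEDURE dbo.uspGetUserList @CallerID INT
AS
BEGIN
    SET NOCOUNT ON;
    IF dbo.fnUserHasRole(@CallerID, N'Admin') = 1
        SELECT ID, Username, Email, Role FROM dbo.tUsers;
    ELSE
        THROW 50001, N'Caller is not an admin.', 1;   -- fail closed: no rows
END;
GO

-- "Parameterized view": an inline table-valued function filtered by the
-- caller's role. Admins see everything, receptionists see the list without
-- e-mail addresses, everyone else gets an empty result.
CREATE FUNCTION dbo.tvfUsersVisibleTo (@CallerID INT)
RETURNS TABLE
AS
RETURN
    SELECT u.ID,
           u.Username,
           CASE WHEN c.Role = N'Admin' THEN u.Email ELSE NULL END AS Email,
           u.Role
    FROM dbo.tUsers AS u
    CROSS JOIN dbo.tUsers AS c           -- c is the caller's own row
    WHERE c.ID = @CallerID
      AND c.Role IN (N'Admin', N'Receptionist');
GO

-- The application passes only the authenticated user's ID.
EXEC dbo.uspGetUserList @CallerID = 1;      -- admin: full list
SELECT * FROM dbo.tvfUsersVisibleTo(2);     -- receptionist: Email column is NULL
SELECT * FROM dbo.tvfUsersVisibleTo(3);     -- other: empty result
```

The value the application passes as @CallerID must come from its own authenticated session, never from the request itself; the database cannot tell whether the ID was chosen honestly, which is why the answer says the check has to live in your code or in objects like these.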
Hi all!
I have a db with tables User and Group, which represent entities in some application. But at the same time there are database users and database groups with the same names. I need to anonymize the database. It's easy to change db tables, e.g. update User set "Name" = "John",... where Id = 100500
But what to do with db users and db groups?
My first thought was to drop the user and then create a new one:
drop user John;
create user njoh identified by 'pswd' login policy "root";
But group membership is lost with this approach.
Is there any kind of rename method for db users in Sybase Anywhere 11?
Also I don't know how to change last log-in time and comments for a db user.
The same problem exists with groups. I didn't try to 'drop groups', because I don't know if that is possible in Sybase Anywhere 11.
Could anyone tell me the truth - does the problem have a solution?
No, there is no way to rename an existing user. You can certainly drop it and create a new user but like you said, any group memberships are lost, as are permissions granted on objects like tables and procedures.
The only way to change the last login time for a user is by logging in. You can change the comment on a user by using comment on user is '<string>'.
There is no drop group statement - a group in SQL Anywhere (versions 12 and older) is simply a user with "group authority", so to drop a group you would use revoke connect from <group name>.
Disclaimer: I work for SAP in SQL Anywhere engineering.
I have a problem with controlling access to data in a database. The data is a mix of price data from my company and price data bought from a data provider, and since they charge per user who can access their data I need to be able to limit the access to the data.
I have a schema "DATA" which holds all price data. I am thinking of having 2 additional schemas (example: LIM_ACCESS and FULL_ACCESS) with VIEWS that are built on the DATA schema. Example:
CREATE VIEW LIM_ACCESS.V_PRICES AS
SELECT [] FROM DATA.PRICES
WHERE SOURCE = [MyCompany]
CREATE VIEW FULL_ACCESS.V_PRICES AS
SELECT [] FROM DATA.PRICES
But in my experience the LIM_ACCESS and FULL_ACCESS schemas then have to have SELECT privilege on the DATA tables to create the views, and then I am back to square 1.
Being a novice in databases I feel there must be a relatively simple solution to this, so any advice or hint (if this question has been asked and answered before) is appreciated :-)
Kind Regards,
Svend
You can put all the views in your DATA schema. Then GRANT SELECT on them to other schemas as necessary, ideally via database roles as Woot4Moo suggested.
The use of a view will not prevent a subset of users from accessing the data. What you need to do is implement row level security.
Another approach is to use some form of role based permissions, which enable only the specific group of users you want to access the "paid" information. This can be done fairly trivially; an example follows.
create user foo
identified by password;
--no permissions
create role paid_data;
--grant privileges here for the paid_data role
grant paid_data to foo;
User foo will now have the permissions that the paid_data role has. The advantage of using roles like this is that you can quickly revoke everyone's access that is in that group / add more accesses as they need to be incorporated.
As GriffeyDog suggested, this is the best way to do it. First create two views in your schema and then grant select on those views to the two users.
CREATE VIEW LIM_ACCESS_V_PRICES AS
SELECT [] FROM DATA.PRICES
WHERE SOURCE = [MyCompany];
GRANT SELECT ON LIM_ACCESS_V_PRICES TO LIM_ACCESS;
CREATE VIEW FULL_ACCESS_V_PRICES AS
SELECT [] FROM DATA.PRICES;
GRANT SELECT ON FULL_ACCESS_V_PRICES TO FULL_ACCESS;
Another approach is to use Oracle Row Level Security otherwise known as Oracle Label Security. I've used this to greatly simplify my application design while ensuring users only see the data they're allowed to see.
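Putting the answers above together, an added Oracle example (not the question's or the answers' own code) that keeps both the table and the views in the DATA schema, grants SELECT on each view only through a role, and then shows how to verify that a limited user cannot reach DATA.PRICES directly. The schema name DATA and table DATA.PRICES come from the question; the column layout, role and user names, and sample rows are constructed.

```sql
-- Oracle. Run as the DATA schema owner or a DBA. Added example; data is constructed.
CREATE TABLE data.prices (
    price_id   NUMBER        PRIMARY KEY,
    symbol     VARCHAR2(20)  NOT NULL,
    price      NUMBER(18,4)  NOT NULL,
    source     VARCHAR2(30)  NOT NULL   -- 'MyCompany' or the data provider's name
);
INSERT INTO data.prices VALUES (1, 'ACME', 10.50, 'MyCompany');
INSERT INTO data.prices VALUES (2, 'ACME', 10.55, 'VendorX');   -- constructed paid-for row
COMMIT;

-- Views live in DATA, so the table owner owns the views and no other schema
-- ever needs SELECT on data.prices itself.
CREATE OR REPLACE VIEW data.v_prices_limited AS
    SELECT price_id, symbol, price, source
    FROM   data.prices
    WHERE  source = 'MyCompany';

CREATE OR REPLACE VIEW data.v_prices_full AS
    SELECT price_id, symbol, price, source
    FROM   data.prices;

-- Roles carry the object privileges; users receive roles. Adding or removing
-- a licensed seat is one GRANT/REVOKE of the role, not a change to the views.
CREATE ROLE prices_limited_ro;
CREATE ROLE prices_full_ro;
GRANT SELECT ON data.v_prices_limited TO prices_limited_ro;
GRANT SELECT ON data.v_prices_limited TO prices_full_ro;
GRANT SELECT ON data.v_prices_full    TO prices_full_ro;

-- Two example users; passwords are placeholders.
CREATE USER lim_user  IDENTIFIED BY "change_me_1";
CREATE USER full_user IDENTIFIED BY "change_me_2";
GRANT CREATE SESSION TO lim_user, full_user;
GRANT prices_limited_ro TO lim_user;
GRANT prices_full_ro    TO full_user;

-- Verification when connected as lim_user:
--   SELECT * FROM data.v_prices_limited;  -- 1 row, source = 'MyCompany'
--   SELECT * FROM data.v_prices_full;     -- ORA-00942: table or view does not exist
--   SELECT * FROM data.prices;            -- ORA-00942 as well: no direct table access

-- Licence audit: every account that can currently reach the paid data.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role = 'PRICES_FULL_RO'
ORDER  BY grantee;
```

The last query is the one to run before each provider invoice: the number of grantees of the full role is the number of seats you are paying for, and anyone granted SELECT on data.prices directly (check dba_tab_privs) bypasses the scheme and should not be there.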
Consider this T-SQL:
CREATE USER my_test_user WITHOUT LOGIN;
SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name();
EXECUTE AS USER = 'my_test_user' WITH NO REVERT;
SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name();
I'm looking at using these accounts WITHOUT LOGIN for auditing purposes. Basically, my "get a database connection" code returns a connection on which the EXECUTE AS USER...WITH NO REVERT has already been executed.
The problem is that I can't get consistent results from any of these user name functions. The two lines of output are:
dbo dbo original_user original_user original_user
my_test_user my_test_user S-1-9-3-XXXXX.. S-1-9-3-XXXXX.. S-1-9-3-XXXXX..
The USER functions produce correct output AFTER the 'EXECUTE AS', but beforehand they're showing dbo rather than the user name.
The SUSER functions are just the opposite -- they're correct initially, but after impersonation they're showing some sort of ID.
The MSDN docs for SUSER_SNAME explicitly give an example where this is supposed to work.
UPDATE: What I'm looking for is a function that will produce 'original_user' in the first case and 'my_test_user' in the second.
Update: you need the ORIGINAL_LOGIN function here too
Original:
Afterwards, there is no matching system level user. So, it can't resolve the database level sid, so it simply returns the sid from sys.database_principals
CREATE USER my_test_user WITHOUT LOGIN;
SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name();
EXECUTE AS USER = 'my_test_user' WITH NO REVERT;
SELECT USER_NAME(), USER, SUSER_SNAME(),SYSTEM_USER, suser_name(),
SUSER_SID();
SELECT * FROM sys.database_principals WHERE sid = SUSER_SID();
I don't know if this is by design, but it explains where the number comes from. The rest is as expected as explained below
Notes:
You'll get dbo for USER_NAME() because you are logged on with sysadmin rights. Everyone with "sysadmin" is dbo when using db level user functions.
After changing user context, db level user functions resolve to the database user context
For system level user functions, you'll get the login you used before
Users without login are a special case used exclusively for service broker security (remote service bindings) or for code signing. They represent identity, not impersonation. Do not use users without login for EXECUTE AS. You'll run into all sorts of edge cases because they explicitly don't have a user to login mapping, and almost everywhere a mapping is expected.
Just a guess here, but it looks to me like the first select is being run as the user you're currently logged in as on the connection, and in the second select you are then telling SQL Server to execute as the newly created user.
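An added T-SQL example, not from the question or any answer above, that shows what the answers describe: USER_NAME(), SUSER_SNAME() and ORIGINAL_LOGIN() before and after EXECUTE AS, and an audit trigger that records both the effective user and the real login. Following the advice above it impersonates a login-mapped user rather than a user WITHOUT LOGIN, and it uses a plain EXECUTE AS with REVERT instead of WITH NO REVERT so the script can switch back. All login, user, table and trigger names are constructed for illustration.

```sql
-- T-SQL (SQL Server 2012+). Added example; all names and the password are placeholders.
CREATE LOGIN app_audit_login WITH PASSWORD = 'Placeholder-Pa55w0rd!';
CREATE USER app_audit_user FOR LOGIN app_audit_login;
GO

CREATE TABLE dbo.AuditLog (
    AuditID       INT IDENTITY  PRIMARY KEY,
    EventTime     DATETIME2     NOT NULL DEFAULT SYSUTCDATETIME(),
    DbUser        SYSNAME       NOT NULL,  -- USER_NAME(): effective database user
    ServerLogin   NVARCHAR(128) NOT NULL,  -- SUSER_SNAME(): login mapped to that user
    OriginalLogin SYSNAME       NOT NULL,  -- ORIGINAL_LOGIN(): who really connected
    Action        NVARCHAR(200) NOT NULL
);
CREATE TABLE dbo.Widgets (
    WidgetID INT IDENTITY PRIMARY KEY,
    Name     NVARCHAR(50) NOT NULL
);
GRANT INSERT ON dbo.Widgets TO app_audit_user;   -- no rights on AuditLog are needed:
GO                                               -- dbo owns trigger and table (ownership chain)

CREATE TRIGGER dbo.trgWidgetsInsertAudit ON dbo.Widgets
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.AuditLog (DbUser, ServerLogin, OriginalLogin, Action)
    SELECT USER_NAME(), SUSER_SNAME(), ORIGINAL_LOGIN(), N'INSERT Widgets: ' + i.Name
    FROM inserted AS i;
END;
GO

-- Before impersonation: a sysadmin shows as dbo at database level, as the answer notes.
SELECT USER_NAME() AS db_user, SUSER_SNAME() AS server_login, ORIGINAL_LOGIN() AS original_login;

EXECUTE AS USER = 'app_audit_user';
-- db_user = app_audit_user, server_login = app_audit_login (the mapped login, so no
-- raw SID appears), original_login = the login that opened the connection.
SELECT USER_NAME() AS db_user, SUSER_SNAME() AS server_login, ORIGINAL_LOGIN() AS original_login;

INSERT INTO dbo.Widgets (Name) VALUES (N'gear');   -- audited under the impersonated context
REVERT;

-- The audit row keeps both identities.
SELECT DbUser, ServerLogin, OriginalLogin, Action FROM dbo.AuditLog;

-- Detection check: rows whose effective login differs from the connecting login
-- were written under impersonation and are the ones to review.
SELECT AuditID, EventTime, DbUser, ServerLogin, OriginalLogin, Action
FROM   dbo.AuditLog
WHERE  ServerLogin <> OriginalLogin;
```

ORIGINAL_LOGIN() is the only one of these functions that is stable across context switches, which is why an audit column should store it alongside USER_NAME(); a connection-pool helper that runs EXECUTE AS up front, as in the question, still leaves the real login recoverable this way.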