I created a table in the database DB1. There are other users with the same permission (role ROLE1). The only permission I have is via a role, say named ROLE1: U, D, CT, I, DV, R, DT, CG, R, CV on DB1. I am now the creator of this table, and I can do all DDL/DML with it. I want to remove DELETE/INSERT access from the other members of ROLE1 (or from individual users), is this possible? DENY statement is not available, and REVOKE only revokes my GRANTs. I don't have any control on ROLE1. Thanks
Related
Both tablespaces are in the same DB so in Oracle SQL Developer, if I login to one tablespace tb1 i can see all the tables in tb2. Because of permissions I was unable to create the table tb2.new_table while logged into tb1. So I logged into tb2 and made tb2.new_table and can query it there. When I log back into tb1 I cannot see the newly created tb2.new_table. I'm just wondering why it's not showing up, I did commit after I made the new table.
My confusion comes as when I was logged into tb1 I was able to add a column to a table in tb2. Any ideas?
You can't log in to a tablespace. And you don't refer to a table by its tablespace (a table can exist in multiple tablespaces or in no tablespace). If you are referring to a table tb2.new_table, that implies that tb2 is the name of a schema, not a tablespace. Tablespaces have nothing to do with permissions, they are simply a collection of physical data files. Schemas do impact permissions.
It appears that you created a new table in schema2 but haven't given user1 permission to do anything with that table. Assuming that is the case, as user2 run the commant
grant select on new_table to user1
and then user1 should be able to
select * from user2.new_table
If you want user1 to be able to insert, update, and/or delete data in new_table, you'd need to grant those permissions as well, i.e.
grant insert, update, delete on new_table to user1
I'm running an event where multiple people need to access BigQuery, and I want them to send me a proof that they have access:
I want to collect email addresses of participants that can access BigQuery.
I want proof that they have used BigQuery.
How can a user prove that their specific email account has access to BigQuery?
I'm wondering if we could build a solution with authorized views and encryption functions.
We are going to use authorized views and the new AEAD encryption functions.
First, let's create a key that only I can see in one of my private datasets:
CREATE TABLE `secrets.keys`
AS
SELECT KEYS.NEW_KEYSET('AEAD_AES_GCM_256') key, CURRENT_TIMESTAMP() ts, 'for_a_view' label
Now I can create a view in a public dataset that leverages SESSION_USER() and AEAD.ENCRYPT():
SELECT SESSION_USER() user, ts, key_ts, key_label
, AEAD.ENCRYPT(key, FORMAT('%s|%t', SESSION_USER(), ts), '') enc_user_ts
, AEAD.ENCRYPT(key, SESSION_USER(), '') enc_user
, AEAD.ENCRYPT(key, CAST(ts AS STRING), '') enc_ts
FROM (SELECT CURRENT_TIMESTAMP() ts)
, (SELECT ts key_ts, key, label key_label FROM `fh-bigquery.secrets.keys` WHERE label='for_a_view')
To keep my view public and the keys secret, I can set in my secrets dataset access to this new authorized view to read the key:
Now anyone can run the following query:
SELECT enc_user_ts
FROM `fh-bigquery.public_dump.encrypting_user_view`
Which returns:
AQElE+8cn+uHouGhZO7895UNjVs3/k05ZJLkEceQ8kszHJjQkbvuB6Vx/miDi3DhFTty7ZifXps1VKWC5OtTrQOkCQqoFFQu+VkDfz9F65R5f3PGPA==
I can ask users to share that value with me, and I can share that value with you - but only I can decrypt it using my secret key.
Decrypting with my secret key:
SELECT AEAD.DECRYPT_STRING(key, FROM_BASE64('AQElE+8cn+uHouGhZO7895UNjVs3/k05ZJLkEceQ8kszHJjQkbvuB6Vx/miDi3DhFTty7ZifXps1VKWC5OtTrQOkCQqoFFQu+VkDfz9F65R5f3PGPA=='), '')
FROM (SELECT key FROM `fh-bigquery.secrets.keys` WHERE label='for_a_view' LIMIT 1)
Which returns:
⬛⬛⬛⬛⬛⬛⬛⬛e#gmail.com|2019-05-14 03:51:15.047791+00
Note that's the exact account and timestamp they used to run their query!
And this is how - if I ever need proof that the account you are telling me you are using to use BigQuery is indeed that account, I'll ask you to run the following query and share its result with me:
SELECT enc_user_ts
FROM `fh-bigquery.public_dump.encrypting_user_view`
I am trying to grant admin, i.e. "monetdb" privileges to users, without any success so far (the privileges should extend to all the tables of the sys schema).
As I have a schema with many tables would be very complex to give explicit rights (e.g. SELECT ) to all the users mentioning all the tables: I need to find an efficient way to do this.
I log into MonetDB with SQLWorkbenchJ using the superuser monetdb.
I have also tried to directly send queries using R and the MonetDB.R package (with no difference).
I create a user associated to a schema (e.g. the sys schema) as
CREATE USER "user1" WITH PASSWORD 'user1' NAME 'user one' SCHEMA "sys";
Then I try to GRANT "monetdb" privileges to user1
GRANT monetdb TO "user1";
And I do not get any error.
If I log into MonetDb as user1 and try a simple select (on a pre-existing table of the sys schema) I get:
SELECT * FROM sys.departmentfunctionindex
SELECT: access denied for user1 to table 'sys.departmentfunctionindex'
Clearly I'm missing something.
Any suggestion is welcome.
I think I get it now.
The following works, using SQLWorkbenchJ I log into MonetDB as monetdb (superuser).
I run:
CREATE USER "user20" WITH PASSWORD 'user20' NAME 'user 20' SCHEMA "sys";
CREATE SCHEMA "mschema" AUTHORIZATION "monetdb";
CREATE table "mschema"."mtestTable"(v1 int, v2 int);
INSERT INTO "mschema"."mtestTable" VALUES (4, 4);
GRANT monetdb to "user20"; -- this gives implicit superuser powers to user20 (but not for the "sys" schema)
Now I log out and login again as user "user20".
I run:
SET SCHEMA mschema; -- I was missing this before but it is essential
SET ROLE monetdb;
At this stage user20 has got all the authorisations of the superuser monetdb, e.g.:
SELECT * FROM "mschema"."mtestTable"; -- can use select
DROP TABLE "mschema"."mtestTable"; -- can use drop etc.
Thanks to #Hannes, #Ying & #Dimitar
Here is an working example for granting SELECT privileges to a separate user with MonetDB:
as admin (e.g. monetdbaccount)
CREATE SCHEMA "somedataschema";
CREATE TABLE "somedataschema"."somepersistenttable" (i INTEGER);
INSERT INTO "somedataschema"."somepersistenttable" VALUES (42);
CREATE USER "someuser" WITH PASSWORD 'someuserpass' NAME 'someusername' SCHEMA "sys";
GRANT SELECT ON "somedataschema"."somepersistenttable" TO "someuser";
CREATE SCHEMA "someuserschema" AUTHORIZATION "someuser";
ALTER USER "someuser" SET SCHEMA "someuserschema";
Now, someuser can SELECT from somepersistenttable, but not modify it. Should this user need a table on its own, someuserschema or temporary tables (deleted when user logs out) could be used. Hence, this works:
SELECT * FROM "somedataschema"."somepersistenttable";
CREATE TABLE "someuserschema"."sometemptable" (i integer);
INSERT INTO "someuserschema"."sometemptable" VALUES (84);
SELECT * FROM "sometemptable";
CREATE TEMPORARY TABLE "sometemptable" (i INTEGER) ON COMMIT PRESERVE ROWS;
INSERT INTO "sometemptable" VALUES (42);
SELECT * FROM "sometemptable";
And this will produce an insufficient privileges error (same for update, drop, alter etc.):
INSERT INTO "somedataschema"."somepersistenttable" VALUES (43);
Please have a look at this MonetDB bug report. Grant privilege works for user created schemas, but the bug-fix seems not cover the default "sys" schema.
No, you don't have to explicitly grant access to each individual tables. You can still use GRANT monetdb to "user1". See my previous answer, for now, you just need to create your tables under a user created schema. I just tried it in the "default" branch of MonetDB.
In oracle 11G, I want to drop a user PERMANENTLY, ie no trace of that user should remain and I should not get "existing object" errors like this - ORA-00955: name is already used by an existing object, when I try to recreate that User with its tables.
Please help me to do this.
Thanks.
EDIT -
Commands to create user with table and columns
CREATE USER Products identified by discounted
GRANT ALL PRIVILEGES TO Products
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
The above is followed by,
Commands to drop user completely and re-create it completely
DROP USER PRODUCTS CASCADE
CREATE USER Products identified by discounted
GRANT ALL PRIVILEGES TO Products
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
Causes the exception-
java.sql.SQLSyntaxErrorException: ORA-00955: name is already used by an existing object
You didn't say what user you were logging in as, but I'll assume it's SYS or someone with pretty much godlike privileges.
In your last line, you are creating table CARS in the current schema, not in the products schema. What you probably want is:
CREATE TABLE products.cars(brand varchar2(25), model varchar2(25));
The cars table probably still exists in the current schema from your previous attempt. You can tell if it exists anywhere with this:
SELECT owner, object_name, object_type FROM all_objects WHERE object_name = 'CARS';
As a side note, it's not really a good idea to grant all privileges to a normal user, but I assume this is for testing procedures. Also, it's preferred to use VARCHAR2 instead of VARCHAR.
Your question is way too generic. Based on what I understood, if you use following script, you can drop all objects created by the user -
drop user USERNAME cascade;
Documentation
And for this to execute successfully you should not have an open connection for this user.
I have an error occuring frequently from our community server installation whenever the googlesitemap.ashx is traversed on a specific sectionID. I suspect that a username has been amended but the posts havn't recached to reflect this.
Is there a way a can check the data integruity by performing a select statement on the database, alternatively is there a way to force the database to recache?
This error could be thrown by community server if it finds users that aren't in the instance of MemberRoleProfileProvider.
See CommunityServer.Users AddMembershipDataToUser() as an example
UPDATE:
I Solved this problem for my case by noticing that the usernames are stored in two tables - cs_Users and aspnet_Users. Turns out somehow the username was DIFFERENT in each table. Manually updating so the names were the same fixed this problem.
Also, the user would left out of membership in the following line of the stored procedure cs_Membership_GetUsersByName:
INSERT INTO #tbUsers
SELECT UserId
FROM dbo.aspnet_Users ar, #tbNames t
WHERE LOWER(t.Name) = ar.LoweredUserName AND ar.ApplicationId = #ApplicationId
The #tbNames is a table of names comes from cs_Users(?) at some point and therefore the usernames didn't match and user was not inserted in to the result later on.
See also: http://dev.communityserver.com/forums/t/490899.aspx?PageIndex=2
Not so much an answer, but you can find the affected data entries by running the following query...
Select *
FROM cs_Posts
Where UserID Not In (Select UserID
From cs_Users Where UserAccountStatus = 2)