I am running Oracle 11g and the ID I am using has the DBA role (full access supposedly).
When I tried to create a table under another schema, it worked fine. However, when I tried to create a table with organization index, I was prompted
ORA-01950: no privileges on tablespace
I double checked my id has unlimited tablespace. My ID and the targeted schema are both in the same tablespace.
Supplemental info: I am able to run the same create table statement w/ organization index under my own schema.
Creating objects may require two privileges: your user needs privileges to create the objects, and the schema owner needs privileges to use resources related to that object. So while you have the ability to create a table in another schema, that schema also needs the privileges to write data to the related tablespaces:
alter user $username quota unlimited on $tablespace;
This approach is safer than granting the UNLIMITED TABLESPACE role. That role grants more than necessary, and if someone later tries to clean up the privileges, revoking that role also undoes individual privileges, as described in this article.
I granted the targeted schema unlimited tablespace and it's resolved.
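An added example (not from the answer above) of checking the owning schema's quota and fixing it with a bounded quota rather than UNLIMITED TABLESPACE. The schema APP_OWNER, the tablespace USERS and the table are assumptions.

```sql
-- Run as a DBA. APP_OWNER, USERS and lookup_codes are hypothetical names.

-- 1. Where will the owner's segments land, and does the OWNER hold quota there?
--    max_bytes = -1 means unlimited; no row (NULL) means no quota at all.
SELECT u.username, u.default_tablespace, q.bytes, q.max_bytes
FROM   dba_users u
LEFT   JOIN dba_ts_quotas q
       ON  q.username        = u.username
       AND q.tablespace_name = u.default_tablespace
WHERE  u.username = 'APP_OWNER';

-- 2. Is the blanket system privilege in play instead of a per-tablespace quota?
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee   = 'APP_OWNER'
AND    privilege = 'UNLIMITED TABLESPACE';

-- 3. Give the owner only what it needs on the one tablespace.
ALTER USER app_owner QUOTA 500M ON users;

-- 4. An index-organized table allocates its segment at CREATE time, so the
--    owner's quota is checked immediately. On 11.2 a heap table with deferred
--    segment creation may not hit the same check until the first INSERT.
CREATE TABLE app_owner.lookup_codes (
  code  VARCHAR2(10) PRIMARY KEY,
  descr VARCHAR2(100)
) ORGANIZATION INDEX TABLESPACE users;
```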
I've got hundreds of individual MS Access files that contain data on individual locations, each with an identical table structure. Rather than creating one database with all these files, they were all saved in different folder locations. I'm trying to wrangle the data into one place so it can be more useful and I'm exploring the RODBC package for R to do that.
I'm using the RODBC package in 32 bit Rstudio to access MS Access databases in file locations which I can open and read from. I can establish the file connections and list out all the table objects for each database, but every time I try to query or read one of the tables I get this error:
[1] "42000 -1907 [Microsoft][ODBC Microsoft Access Driver] Record(s) cannot be read; no read permission on 'HabitatUnits'."
[2] "[RODBC] ERROR: Could not SQLExecDirect 'SELECT * FROM HabitatUnits'"
I experimented with another Access database that I created and I was able to read the data no problem, so it must be a restriction imposed on the other data sets. Is there a way to grant access so that R can read in this data without going through each database to manually change the accessibility?
Somebody or something must have had read permission on the tables before. It is unlikely that each separate table has a unique user.
So the way to grant generic access through RODBC is to identify and use the correct user name and security database. How were the original tables created, by who, and from what?
Access 'workgroup security' works almost exactly the same way Windows security works. There are users and groups, which are associated with ID values. And there are permissions, which are associated with ID values, and if you have the correct workgroup file, you can associate permissions with users and groups.
The default user is called 'admin' and has a universal ID value. Any database object which is owned by the ID value can be used by anybody who has a copy of Access installed, because that ID value is universally always the default.
If you create another user, and use that user to create or take ownership of an object and remove the default permission given to the universal 'admin' user and universal 'admins' group and universal 'users' group, then the default user won't have read permission.
An 'admin' password by itself is worthless. The 'admin' user is universal, so you can just use a copy of a system workgroup where the 'admin' password is blank. If someone gives you an 'admin' password, it means either that the password is useless, or that the password is actually for something else (perhaps encryption), or that the password is for someone else - not the 'admin' user, but the other user used for object creation/ownership, for which you need to find the workgroup and username.
Access workgroup permissions work the same way as Windows Domain Permissions, but they are not the same thing. They are a completely separate system, devised before Windows had any form of security or authentication or permissions. The list of users is held in a table in a security database (by default, system.mdw). The list of groups is in a table in the same database/file. The list of users that is in each group is in the same database/file. And the ID values associated with each user and group are in the same file.
By looking in the hidden system tables of an Access/Jet database, you can see the ID values associated with permissions for the tables and other objects. To match those ID values with names and groups and passwords, you must have the matching security database.
Is there an easy way to create a user and grant all privileges to all databases except a specific one?
I've tried this
CREATE USER 'demo'@'%' IDENTIFIED BY 'QbSv9qUj2EJ8mxm2';
GRANT ALL PRIVILEGES ON *.* TO 'demo'@'%';
REVOKE ALL ON id8694160_sqless.* FROM 'demo'@'%'; -- this is the DB I don't want the user to have access to
SHOW GRANTS FOR 'demo'@'%';
But I get the following error:
Error Code: 1141. There is no such grant defined for user 'demo' on host '%'
Is this even possible?
According to the documentation:
Global privileges are granted using *.* for priv_level. Global privileges include privileges to administer the database and manage user accounts, as well as privileges for all tables, functions, and procedures. Global privileges are stored in the mysql.user table.
Database privileges are granted using db_name.* for priv_level, or using just * to use default database. Database privileges include privileges to create tables and functions, as well as privileges for all tables, functions, and procedures in the database. Database privileges are stored in the mysql.db table.
It means that the privileges you grant with GRANT ALL PRIVILEGES ON *.* TO 'demo'@'%'; are represented by one row in the mysql.user table. Revoking privileges for only one database from these global privileges means removing the global privileges from the mysql.user table and adding one database privilege for each database except the id8694160_sqless database, in the mysql.db table.
I'm quite sure the REVOKE statement does not do this, but you can manually give privileges to all databases except one with a request such as:
INSERT INTO mysql.db
SELECT '%',schema_name,'demo','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'
FROM information_schema.schemata
WHERE NOT schema_name = 'mysql'
AND NOT schema_name = 'information_schema'
AND NOT schema_name = 'performance_schema'
AND NOT schema_name = 'id8694160_sqless';
FLUSH PRIVILEGES;
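An added example (not from the answer above) that reaches the same result with generated GRANT statements instead of a direct write to mysql.db, whose column list differs between server versions. It reuses the account and schema names from the question; the extra `sys` exclusion is an assumption about the server.

```sql
-- 1. Drop the global grant (the single row in mysql.user) so that nothing
--    applies to every schema any more.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'demo'@'%';

-- 2. Generate one database-level GRANT per schema, skipping the system
--    schemas and the excluded one. "_" and "%" act as wildcards in the
--    database name of a GRANT, so they are escaped with a backslash.
SELECT CONCAT(
         'GRANT ALL PRIVILEGES ON `',
         REPLACE(REPLACE(schema_name, '_', '\\_'), '%', '\\%'),
         '`.* TO ''demo''@''%'';'
       ) AS grant_stmt
FROM   information_schema.schemata
WHERE  schema_name NOT IN ('mysql', 'information_schema',
                           'performance_schema', 'sys',
                           'id8694160_sqless');

-- 3. Review the generated statements, run them, then confirm the result:
--    no global privileges, and no row for the excluded schema.
SHOW GRANTS FOR 'demo'@'%';
SELECT Db FROM mysql.db WHERE User = 'demo' AND Host = '%' ORDER BY Db;

-- Schemas created later are NOT covered; rerun step 2 after adding one.
-- On MySQL 8.0.16 and later, the partial_revokes system variable allows
-- keeping the global grant and revoking on a single schema instead:
--   SET PERSIST partial_revokes = ON;
--   REVOKE SELECT, INSERT, UPDATE, DELETE ON id8694160_sqless.* FROM 'demo'@'%';
```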
I need to know the end date of a role in Teradata. I know how to get the create date:
select * from dbc.rolemembers a
join dbc.allrights b
on a.rolename=b.rolename
But I can't find where the end of the role is. I can't find it in Teradata Administrator either. Please, can you help me?
Thank you
What you are trying to explain is an audit process for the creation of a role, the rights it was assigned and to whom the role was assigned. That is above and beyond the DCL statements to CREATE {role}, GRANT {access} TO {role}, REVOKE {access} FROM {role}, GRANT {role} TO {member}, REVOKE {role} FROM {member}, DROP {role}. It also falls outside the scope of Teradata Administrator or Teradata Studio to track that information.
If you have a security requirement that stipulates you need to track this level of detail, you can either piece it together from sufficient DBQL history or you can create a set of stored procedures that are used by your Security Administrator and/or DBA team to administer role based privileges and user administration.
Beyond that, you can also use Access Logging to track the successful or denied execution of CREATE/DROP USER, CREATE/DROP ROLE, and GRANT statements that are run outside the context of the stored procedures you have put in place to audit the administration of privileges in your environment.
I want to create a user/schema in Oracle 11g and grant all privileges to the user. How can I do this with a simple script? I looked at the following links but I am not sure which one to use or if these statements are the best way.
http://ss64.com/ora/grant.html
Can you suggest how I may do this in the simplest possible way and securely?
To create a new user you use the "create user" command. So a typical create user command would be:
create user test identified by test default tablespace mytbsp;
Of course you need to replace the values for the user, password and tablespace with different values. However, I'd recommend that you have a look at Oracle's documentation http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_8003.htm.
The next step is to grant the user the corresponding rights. To give a user all the rights is a very bad approach as you would also give him dba privileges. What you do instead is to give him connect privileges and the permissions to his default tablespace. Also it is better to use roles instead of granting the rights directly. So if you have to grant the rights again you only need to grant the role. First step is to create the role:
CREATE ROLE MyRole;
-- Oracle has no ALTER/DROP TABLE, VIEW, PROCEDURE or SYNONYM system privileges
-- (only the ANY variants); an owner can alter and drop its own objects.
GRANT CREATE session, CREATE table, CREATE view,
CREATE procedure, CREATE synonym
TO MyRole;
This statement is not complete you might require additional rights (index maintenance for instance), but have a look at the online oracle documentation.
After that you grant the role to the newly created user.
GRANT myrole to test;
Create the user:
create user user_name identified by password ;
Grant the privileges:
grant all privileges to user_name;
If you want to view the number of privileges:
select * from system_privilege_map where name like '%PRIV%';
If you want to view privileges assigned to the users:
select count (*) , grantee
from dba_sys_privs
where grantee in ('user1','user2')
group by grantee ;
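An added example (not from either answer above) that builds the role-based account with a tablespace quota and then checks what it holds, plus a query for spotting accounts that carry system-wide ANY privileges such as those GRANT ALL PRIVILEGES hands out. The names app_role, app_owner and the tablespace users, and the placeholder password, are assumptions.

```sql
-- Run as a DBA. All object names and the password are placeholders.
CREATE ROLE app_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE PROCEDURE, CREATE SYNONYM, CREATE SEQUENCE
TO app_role;

-- The quota is what lets the account store data; no system-wide privilege
-- is needed for that. PASSWORD EXPIRE forces a change at first login.
CREATE USER app_owner IDENTIFIED BY "Placeholder_Change_Me1"
  DEFAULT TABLESPACE users
  QUOTA 200M ON users
  PASSWORD EXPIRE;
GRANT app_role TO app_owner;

-- What the account holds: roles granted to it, privileges behind the role,
-- and anything granted to it directly (expected: no rows).
SELECT granted_role FROM dba_role_privs WHERE grantee = 'APP_OWNER';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'APP_ROLE';
SELECT privilege    FROM dba_sys_privs  WHERE grantee = 'APP_OWNER';

-- Audit: grantees holding ANY privileges or UNLIMITED TABLESPACE.
-- Grantee names are stored in upper case unless they were created quoted.
SELECT grantee, COUNT(*) AS broad_privs
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
   OR  privilege = 'UNLIMITED TABLESPACE'
GROUP  BY grantee
ORDER  BY broad_privs DESC;
```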
I always wonder what are the exact access rights and permissions I need to give to a sql login which I use from my asp.net application to access database. The application executes some stored procedures which insert, update and delete data into tables. I do select, delete, update directly on the tables also. Also there are some triggers.
Wonder if there is a comprehensive list of the permission matrix to help.
Well, it depends on how complicated you want to make it :-)
Simplest solution:
make your login / db user have the db_datareader role to read all tables
make your login / db user have the db_datawriter role to write all tables
As for executing stored procs, what we did is create a new custom database role "db_executor" in our database like this:
CREATE ROLE [db_executor] AUTHORIZATION [dbo]
GRANT EXECUTE TO [db_executor]
and then we grant this role to the db user as well. This new custom database role will have execute rights on all existing AND on all future stored procs/funcs in your database.
With this, your db user can read and write any table and execute any stored proc and stored func.
More complex solution:
You can of course also GRANT permissions on individual tables, views, procs, funcs to individual db users and/or db roles. But it can get quite messy and complicated.
Marc
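An added example (not from the answer above) of the narrower variant for the application in the question: EXECUTE scoped to one schema, explicit grants only for the tables the application touches directly, and a check of the resulting permissions. The database user app_user, the role app_exec and the table dbo.Orders are assumptions.

```sql
-- Assumes database user app_user already exists; dbo.Orders is hypothetical.
CREATE ROLE app_exec AUTHORIZATION dbo;

-- Stored procedures: EXECUTE on the schema covers current and future procs
-- in dbo only. When a proc and the tables it touches share an owner,
-- ownership chaining means no table permission is needed for static DML
-- inside the proc (dynamic SQL breaks the chain). Triggers chain the same way.
GRANT EXECUTE ON SCHEMA::dbo TO app_exec;

-- Statements the application sends directly need explicit object grants.
GRANT SELECT, UPDATE, DELETE ON OBJECT::dbo.Orders TO app_exec;

-- SQL Server 2012+; on older versions: EXEC sp_addrolemember 'app_exec', 'app_user';
ALTER ROLE app_exec ADD MEMBER app_user;

-- What the role was granted, by securable.
SELECT pr.name AS grantee,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_NAME(pe.major_id)
       END AS securable
FROM   sys.database_permissions pe
JOIN   sys.database_principals  pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name = 'app_exec';

-- Effective permissions as the application user sees them.
EXECUTE AS USER = 'app_user';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
REVERT;
```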