Is there an easy way to create a user and grant all privileges to all databases except a specific one?
I've tried this
CREATE USER 'demo'#'%' IDENTIFIED BY 'QbSv9qUj2EJ8mxm2';
GRANT ALL PRIVILEGES ON *.* TO 'demo'#'%';
REVOKE ALL ON id8694160_sqless.* FROM 'demo'#'%'; -- this is the DB I don't want the user to have access to
SHOW GRANTS FOR 'demo'#'%';
But I get the following error:
Error Code: 1141. There is no such grant defined for user 'demo' on host '%'
Is this even possible?
According to the documentation:
Global privileges are granted using *.* for priv_level. Global privileges include privileges to administer the database and manage user accounts, as well as privileges for all tables, functions, and procedures. Global privileges are stored in the mysql.user table.
Database privileges are granted using db_name.* for priv_level, or using just * to use default database. Database privileges include privileges to create tables and functions, as well as privileges for all tables, functions, and procedures in the database. Database privileges are stored in the mysql.db table.
It means that the privileges you grant with GRANT ALL PRIVILEGES ON *.* TO 'demo'#'%'; is represented by one row in the mysql.user table. Revoking privileges for only one database from these global privileges means removing the global privileges from the mysql.user table and add one database privilege for each database except the id8694160_sqless database, in the mysql.db table.
I'm quite sure the REVOKE statement does not do this but you can manually give privileges to all databases except one with a request such as :
INSERT INTO mysql.db
SELECT '%',schema_name,'demo','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'
FROM information_schema.schemata
WHERE NOT schema_name = 'mysql'
AND NOT schema_name = 'information_schema'
AND NOT schema_name = 'performance_schema'
AND NOT schema_name = 'id8694160_sqless';
FLUSH PRIVILEGES;
Related
I am triyng to run this script on schema 1:
GRANT CREATE ANY TABLE TO schema2;
GRANT INSERT ANY TABLE TO schema2;
but I get this error :
GRANT CREATE ANY TABLE TO schema2
Error at line 1
ORA-01031: Nicht ausreichende Berechtigungen
what should I do now?
ORA-01031: insufficient privileges means that the user you are connected as doesn't have privileges to perform the action you are attempting to do. So in this case SCHEMA1 doesn't have the privileges to GRANT CREATE ANY TABLE to any schema.
If you connect as SYS, SYSTEM, or another privileged user, you can then run the grant GRANT CREATE ANY TABLE TO SCHEMA1 WITH ADMIN OPTION;. Then if you connect to SCHEMA1, you should then be able to run GRANT CREATE ANY TABLE TO schema2;. The same procedure will need to be done for the INSERT ANY TABLE privilege.
I am running Oracle 11.g and the id I am using has DBA role (full access supposedly).
When I tried to create a table under another schema, it works fine. However, when I tried to create a table with organization index, I was prompted
ORA-01950: no privileges on tablespace
I double checked my id has unlimited tablespace. My ID and the targeted schema are both in the same tablespace.
Supplemental info: I am able to run the same creat table statement w/ organization index under my own schema.
Creating objects may require two privileges: your user needs privileges to create the objects, and the schema owner needs privileges to use resources related to that object. So while you have the ability to create a table in another schema, that schema also needs the privileges to write data to the related tablespaces:
alter user $username quota unlimited on $tablespace;
This approach is safer than granting the UNLIMITED TABLESPACE role. That role grants more than necessary, and if someone later tries to cleanup the privileges, revoking that role also undoes individual privileges, as described in this article.
I granted the targeted schedma unlimited tablespace and it's resolved.
I want to create a user/schema in oracle 11g and grant all privileges to the user. How can I do this with a simple script. I looked at the following links but I am not sure which one to use or if these statements are the best way.
http://ss64.com/ora/grant.html
Can you suggest how I may do this in the simplest possible way and securely ?
To create a new user you use the "create user" command. So a typical create user command would be :
create user test identified by test default tablespace mytbsp.
Of course you need to replace the values for the user, password and tablespace with different values. However I'd recommend that you have a look at Oracle's documentation http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_8003.htm.
The next step is to grant the user the corresponding rights. To give a user all the rights is a very bad approach as you would also give him dba privileges. What you instead is to give him connect privileges and the permissions to his default tablespace. Also it is better to use roles instead of granting the rights directly. So if you have to grant the rights again you only need to grant the role. First step is to create the role:
GRANT CREATE session, CREATE table, CREATE view,
CREATE procedure,CREATE synonym,
ALTER table, ALTER view, ALTER procedure,ALTER synonym,
DROP table, DROP view, DROP procedure,DROP synonym
TO MyRole;
This statement is not complete you might require additional rights (index maintenance for instance), but have a look at the online oracle documentation.
After that you grant the role to the newly created user.
GRANT myrole to test;
Create the user:
create user user_name identified by password ;
Grant the privileges:
grant all privilege to user_name;
If you want to view the number of privileges:
select * from system_privilege_map where neme like '%PRIV%';
If you want to view privileges assigned to the users:
select count (*) , grantee
from dba_sys_privs
where grantee in ('user1','user2')
group by grantee ;
My webapp needs to read, write (INSERT, UPDATE, DELETE), and execute stored procedures on a SQL 2008 database with five schemas.
I created a user that authenticates through SQL, and granted the user db_datareader, db_datawriter, and db_procedureexec through Security -> Logins -> (Username) Properties -> User Mappings. I then configured the app to connect to the database using the username and the proper password, but upon attempting to execute a stored procedure, got this error:
The EXECUTE permission was denied on the object '(stored procedure name)', database '(new database)', schema '(schema 1)'.
Finding this user in the Security section of the database, I made it the owner of the five schemas in the DB.
Did I grant too many privileges? Should an application-level user be a schema owner in order to read, write, and exec procedures?
No, an app user should not need to be a schema owner in order to read, write and exec procedures.
You can say things like:
GRANT EXEC ON SCHEMA::whatever TO [user];
This will allow them to execute procedures in the [whatever] schema. In order to not require transitive privileges (e.g. say your procedures execute dynamic SQL), you can consider setting them to EXECUTE AS OWNER.
You don't want to grant an application user ownership of a database. This essentially gives them cart blanche. What you should do is to grant db_datareader and db_datawriter roles to the user, and grant execute on all applicable stored procedures and functions.
I am using oracle 10g. I have a database user TDM_DD which executes a procedure in which it creates a schema/user and tables in it. While doing so I have to grant 'UNLIMITED TABLESPACE' privilege to the newly created schema. However I am getting error "ORA-01031: insufficient privileges" Need help!!
You can only grant the UNLIMITED TABLESPACE privilege as a user that is allowed to grant it, such as the SYSTEM user. You will need to give your TDM_DD user the privileges to be able to have it grant the UNLIMITED TABLESPACE privilege to someone else.