I am coming over to MariaDB from MySQL, I created table level grants, but when I do it only gives:
I did the grants as follows:
Does MariaDB not show table level grants?
To get table-level privileges, you need a different syntax. For example:
GRANT SELECT, INSERT ON dbname.tablename TO user#localhost;
The following gives you database-level privs:
GRANT SELECT, INSERT ON dbname.* TO user#localhost;
(If your table is named ., that will be a nightmare.)
Both tablespaces are in the same DB so in Oracle SQL Developer, if I login to one tablespace tb1 i can see all the tables in tb2. Because of permissions I was unable to create the table tb2.new_table while logged into tb1. So I logged into tb2 and made tb2.new_table and can query it there. When I log back into tb1 I cannot see the newly created tb2.new_table. I'm just wondering why it's not showing up, I did commit after I made the new table.
My confusion comes as when I was logged into tb1 I was able to add a column to a table in tb2. Any ideas?
You can't log in to a tablespace. And you don't refer to a table by its tablespace (a table can exist in multiple tablespaces or in no tablespace). If you are referring to a table tb2.new_table, that implies that tb2 is the name of a schema, not a tablespace. Tablespaces have nothing to do with permissions, they are simply a collection of physical data files. Schemas do impact permissions.
It appears that you created a new table in schema2 but haven't given user1 permission to do anything with that table. Assuming that is the case, as user2 run the commant
grant select on new_table to user1
and then user1 should be able to
select * from user2.new_table
If you want user1 to be able to insert, update, and/or delete data in new_table, you'd need to grant those permissions as well, i.e.
grant insert, update, delete on new_table to user1
I tried to reduce the rights a database user has to the minimum needed. Doing so I noticed the following situation:
I have a database test and a user user with the following privileges:
GRANT SELECT, INSERT ON test.test TO 'user'#'%';
GRANT UPDATE (y) ON test.test TO 'user'#'%';
The test table (InnoDB) is defined as
create table test
x int null,
y int null
create unique index test_x_uindex on test (x);
I can run insert and update queries like
INSERT INTO test (x,y) VALUES (1,1), (2,2);
UPDATE test SET y = 3 WHERE x = 1;
But running
results in
ERROR 1143 (42000): UPDATE command denied to user 'sap'#'localhost' for column 'x' in table 'test'
The same happens if the statement wouldn't actually update something but just insert a new row.
This seems a little bit odd. I couldn't find a directly related bug report. Just something older for MySQL (Is closed but someone said that it is not actually fixed. I did not test it.). In the documentation of MySQL 8.0 the mention that update privileges are only needed for changed columns. The MariaDB documentation does not mention any privilege requirements.
Do I miss something?
This was all tested on MariaDB 10.2.16.
I am trying to grant admin, i.e. "monetdb" privileges to users, without any success so far (the privileges should extend to all the tables of the sys schema).
As I have a schema with many tables would be very complex to give explicit rights (e.g. SELECT ) to all the users mentioning all the tables: I need to find an efficient way to do this.
I log into MonetDB with SQLWorkbenchJ using the superuser monetdb.
I have also tried to directly send queries using R and the MonetDB.R package (with no difference).
I create a user associated to a schema (e.g. the sys schema) as
CREATE USER "user1" WITH PASSWORD 'user1' NAME 'user one' SCHEMA "sys";
Then I try to GRANT "monetdb" privileges to user1
GRANT monetdb TO "user1";
And I do not get any error.
If I log into MonetDb as user1 and try a simple select (on a pre-existing table of the sys schema) I get:
SELECT * FROM sys.departmentfunctionindex
SELECT: access denied for user1 to table 'sys.departmentfunctionindex'
Clearly I'm missing something.
Any suggestion is welcome.
I think I get it now.
The following works, using SQLWorkbenchJ I log into MonetDB as monetdb (superuser).
I run:
CREATE USER "user20" WITH PASSWORD 'user20' NAME 'user 20' SCHEMA "sys";
CREATE table "mschema"."mtestTable"(v1 int, v2 int);
INSERT INTO "mschema"."mtestTable" VALUES (4, 4);
GRANT monetdb to "user20"; -- this gives implicit superuser powers to user20 (but not for the "sys" schema)
Now I log out and login again as user "user20".
I run:
SET SCHEMA mschema; -- I was missing this before but it is essential
SET ROLE monetdb;
At this stage user20 has got all the authorisations of the superuser monetdb, e.g.:
SELECT * FROM "mschema"."mtestTable"; -- can use select
DROP TABLE "mschema"."mtestTable"; -- can use drop etc.
Thanks to #Hannes, #Ying & #Dimitar
Here is an working example for granting SELECT privileges to a separate user with MonetDB:
as admin (e.g. monetdbaccount)
CREATE SCHEMA "somedataschema";
CREATE TABLE "somedataschema"."somepersistenttable" (i INTEGER);
INSERT INTO "somedataschema"."somepersistenttable" VALUES (42);
CREATE USER "someuser" WITH PASSWORD 'someuserpass' NAME 'someusername' SCHEMA "sys";
GRANT SELECT ON "somedataschema"."somepersistenttable" TO "someuser";
CREATE SCHEMA "someuserschema" AUTHORIZATION "someuser";
ALTER USER "someuser" SET SCHEMA "someuserschema";
Now, someuser can SELECT from somepersistenttable, but not modify it. Should this user need a table on its own, someuserschema or temporary tables (deleted when user logs out) could be used. Hence, this works:
SELECT * FROM "somedataschema"."somepersistenttable";
CREATE TABLE "someuserschema"."sometemptable" (i integer);
INSERT INTO "someuserschema"."sometemptable" VALUES (84);
SELECT * FROM "sometemptable";
INSERT INTO "sometemptable" VALUES (42);
SELECT * FROM "sometemptable";
And this will produce an insufficient privileges error (same for update, drop, alter etc.):
INSERT INTO "somedataschema"."somepersistenttable" VALUES (43);
Please have a look at this MonetDB bug report. Grant privilege works for user created schemas, but the bug-fix seems not cover the default "sys" schema.
No, you don't have to explicitly grant access to each individual tables. You can still use GRANT monetdb to "user1". See my previous answer, for now, you just need to create your tables under a user created schema. I just tried it in the "default" branch of MonetDB.
An Oracle DB user has SELECT permission on all the tables of a DB schema. Can i restrict the user to view the table data.The user should be able to select the table but should not be able to see the data.
This specific requirement is required for user who reviews DB design and generates ALTER script for DB using Oracle Data Modeler 3.3 where he can just see the table design and can compare it with ERD
Can i achieve it using FGAC or RLS?
You can achieve this by granting only references
GRANT references ON schema_a.table TO erd_user;
the erd_user can then use
DESC schema_a.table
to get a definition but not select any data.
This might be preferred to giving the SELECT CATALOGUE where they can see a lot more information that you might like.
In oracle 11G, I want to drop a user PERMANENTLY, ie no trace of that user should remain and I should not get "existing object" errors like this - ORA-00955: name is already used by an existing object, when I try to recreate that User with its tables.
Please help me to do this.
Commands to create user with table and columns
CREATE USER Products identified by discounted
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
The above is followed by,
Commands to drop user completely and re-create it completely
CREATE USER Products identified by discounted
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
Causes the exception-
java.sql.SQLSyntaxErrorException: ORA-00955: name is already used by an existing object
You didn't say what user you were logging in as, but I'll assume it's SYS or someone with pretty much godlike privileges.
In your last line, you are creating table CARS in the current schema, not in the products schema. What you probably want is:
CREATE TABLE products.cars(brand varchar2(25), model varchar2(25));
The cars table probably still exists in the current schema from your previous attempt. You can tell if it exists anywhere with this:
SELECT owner, object_name, object_type FROM all_objects WHERE object_name = 'CARS';
As a side note, it's not really a good idea to grant all privileges to a normal user, but I assume this is for testing procedures. Also, it's preferred to use VARCHAR2 instead of VARCHAR.
Your question is way too generic. Based on what I understood, if you use following script, you can drop all objects created by the user -
drop user USERNAME cascade;
And for this to execute successfully you should not have an open connection for this user.