I need to know end date of role in Teradata. I know how I get create date
select * from dbc.rolemembers a
join dbc.allrights b
a.rolename=b.rolename
But I can't find where is the end of role. In Teradata Administrator I can't find it too. Please, can you help me?
Thank you
What you are trying to explain is an audit process for the creation of a role, the rights it was assigned and to whom the role was assigned. That is above and beyond the DCL statements to CREATE {role}, GRANT {access} TO {role}, REVOKE {access} FROM {role}, GRANT {role} TO {member}, REVOKE {role} FROM {member}, DROP {role}. It also falls outside the scope of Teradata Administrator or Teradata Studio to track that information.
If you have a security requirement that stipulates you need to track this level of detail, you can either piece it together from sufficient DBQL history or you can create a set of stored procedures that are used by your Security Administrator and/or DBA team to administer role based privileges and user administration.
Beyond that, you can also use Access Logging to track the successful or denied execution of CREATE/DROP USER, CREATE/DROP ROLE, and GRANT statements that are run outside the context of the stored procedures you have put in place to audit the administration of privileges in your environment.
Related
I am running Oracle 11.g and the id I am using has DBA role (full access supposedly).
When I tried to create a table under another schema, it works fine. However, when I tried to create a table with organization index, I was prompted
ORA-01950: no privileges on tablespace
I double checked my id has unlimited tablespace. My ID and the targeted schema are both in the same tablespace.
Supplemental info: I am able to run the same creat table statement w/ organization index under my own schema.
Creating objects may require two privileges: your user needs privileges to create the objects, and the schema owner needs privileges to use resources related to that object. So while you have the ability to create a table in another schema, that schema also needs the privileges to write data to the related tablespaces:
alter user $username quota unlimited on $tablespace;
This approach is safer than granting the UNLIMITED TABLESPACE role. That role grants more than necessary, and if someone later tries to cleanup the privileges, revoking that role also undoes individual privileges, as described in this article.
I granted the targeted schedma unlimited tablespace and it's resolved.
I want to create an application about one user select other users and define there privileges, but this user don't be a Administrator or "dba". A sentence as:
GRANT GRANT TO BIG_USER;
The "Big User" have many privileges, another users the same or less.
Thanks
If you want to grant all grant that have been given to a user to some other users at first you should get that user grants then for each user write a script to give that grant. the following tables show the grant for each user
USER_SYS_PRIVS, USER_TAB_PRIVS, USER_ROLE_PRIVS tables
write a query to get privileges and then give them to other users
Oracle's permission system allows a bit of granularity regarding what you can allow this user to grant.
For objects (tables, etc) you have to either be a dba, the object owner, or have permissions granted with the grant option. So the following should work:
GRANT ALL PRIVILEGES ON mytable TO WITH GRANT OPTION;
You would have to repeat this on every table the user needs to be able to manage permissions on.
This answer is assuming you are looking at permissions on objects (tables etc) rather than system privileges.
I want to create a user/schema in oracle 11g and grant all privileges to the user. How can I do this with a simple script. I looked at the following links but I am not sure which one to use or if these statements are the best way.
http://ss64.com/ora/grant.html
Can you suggest how I may do this in the simplest possible way and securely ?
To create a new user you use the "create user" command. So a typical create user command would be :
create user test identified by test default tablespace mytbsp.
Of course you need to replace the values for the user, password and tablespace with different values. However I'd recommend that you have a look at Oracle's documentation http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_8003.htm.
The next step is to grant the user the corresponding rights. To give a user all the rights is a very bad approach as you would also give him dba privileges. What you instead is to give him connect privileges and the permissions to his default tablespace. Also it is better to use roles instead of granting the rights directly. So if you have to grant the rights again you only need to grant the role. First step is to create the role:
GRANT CREATE session, CREATE table, CREATE view,
CREATE procedure,CREATE synonym,
ALTER table, ALTER view, ALTER procedure,ALTER synonym,
DROP table, DROP view, DROP procedure,DROP synonym
TO MyRole;
This statement is not complete you might require additional rights (index maintenance for instance), but have a look at the online oracle documentation.
After that you grant the role to the newly created user.
GRANT myrole to test;
Create the user:
create user user_name identified by password ;
Grant the privileges:
grant all privilege to user_name;
If you want to view the number of privileges:
select * from system_privilege_map where neme like '%PRIV%';
If you want to view privileges assigned to the users:
select count (*) , grantee
from dba_sys_privs
where grantee in ('user1','user2')
group by grantee ;
I use asp.net 4 C# and entity framework 4 with MS SQL 2008. I'm trying to set up my web application locally using IIS 7.
For my website I user Asp membership provider which has installed different tables and sprocs in my db (aspnet_).
Running the script we receive this error:
The EXECUTE permission was denied on the object 'aspnet_CheckSchemaVersion', database 'XXX', schema 'dbo'. at System.Data.SqlClient.SqlConnection.OnError
How can I solve the problem?
There should be some db roles related to the membership tables, eg aspnet_profile_fullaccess. Make sure the account you're using is a member of the appropriate role.
You should NOT assign the user you connect to the DB as dbowner privilege. The account should have only the rights it needs & nothing more. If you grant dbo & someone were to exploit a flaw in your website they would have full uncontrolled access to your entire db to what they wanted - delete tables, change data at will.
I don't think you should make the user the db_owner. I had the same problem, and it was sufficient to grand the 4 roles with BasicAccess to my user + to give him EXECUTE permission on all stored proc:
GRANT EXECUTE TO [theUserName];
I know this is not ideal. One should grant EXECUTE permissions only on the required stored proc, but if you need a quick solution until you find which SP's your user needs to be able to execute, this should work.
The problem is that the User ID the application is logging in with doesn't have enough privileges in the database. It either needs to be the database owner or be granted permissions on all the aspnet_ stored procedures.
So please check the permissions in SQL server 2008 for this particular user. and if possible make this user as a dbowner.
Hope this helps...
Edit : i wanted you to make it as dbowner just to verify that there are some permission issues,once you are sure about the problem, you can assign permissions to that user. hence knowing the exact cause and the exact solution.
I agree that one can test by adding the db_owner role to verify the permission error. But should be reminded with all urgency to test only and be sure to remove the role.
Right click on the Login User >> select properties >> then User Mapping.
Looking at the SQL error provided, you can surmise this is the issue based on "Execute Permission was denied". After using db_owner role as a test and confirmation, one can then look at the various SQL statements to see what stored procedures are getting called. For example consider the following
SQL As String = "EXEC [EAC].[myStoredProcedure] " etc . . . "
After you find out the various stored procedures used by the application, you can then grant execute on those specific executes. For example, considering the following SQL.
USE DATABASE
GRANT EXECUTE ON OBJECT::EAC.myStoredProcedure
TO myRoleorUser;
Note that the EAC.myStoredProcedure mentioned in the code is found when expanding the database and then Programmability and then expand Stored Procedures.
Here is the Microsoft KB for further help on targeting the specific stored procedures on SQL server.
https://learn.microsoft.com/en-us/sql/relational-databases/stored-procedures/grant-permissions-on-a-stored-procedure?view=sql-server-2017
My ASP.NET application is Membership enabled and users with Administration Role can create other user with different roles.
Is there an way that i can maintain an audit log of user creation, so i can keep a track that which Administrator created which user.
Thanks in advance.
Sure the framework uses a stored procedure (forget the exact name, but it's named appropriately). In that proc, add an insert to insert an audit record.