I am trying to grant admin, i.e. "monetdb" privileges to users, without any success so far (the privileges should extend to all the tables of the sys schema).
As I have a schema with many tables would be very complex to give explicit rights (e.g. SELECT ) to all the users mentioning all the tables: I need to find an efficient way to do this.
I log into MonetDB with SQLWorkbenchJ using the superuser monetdb.
I have also tried to directly send queries using R and the MonetDB.R package (with no difference).
I create a user associated to a schema (e.g. the sys schema) as
CREATE USER "user1" WITH PASSWORD 'user1' NAME 'user one' SCHEMA "sys";
Then I try to GRANT "monetdb" privileges to user1
GRANT monetdb TO "user1";
And I do not get any error.
If I log into MonetDb as user1 and try a simple select (on a pre-existing table of the sys schema) I get:
SELECT * FROM sys.departmentfunctionindex
SELECT: access denied for user1 to table 'sys.departmentfunctionindex'
Clearly I'm missing something.
Any suggestion is welcome.
I think I get it now.
The following works, using SQLWorkbenchJ I log into MonetDB as monetdb (superuser).
I run:
CREATE USER "user20" WITH PASSWORD 'user20' NAME 'user 20' SCHEMA "sys";
CREATE SCHEMA "mschema" AUTHORIZATION "monetdb";
CREATE table "mschema"."mtestTable"(v1 int, v2 int);
INSERT INTO "mschema"."mtestTable" VALUES (4, 4);
GRANT monetdb to "user20"; -- this gives implicit superuser powers to user20 (but not for the "sys" schema)
Now I log out and login again as user "user20".
I run:
SET SCHEMA mschema; -- I was missing this before but it is essential
SET ROLE monetdb;
At this stage user20 has got all the authorisations of the superuser monetdb, e.g.:
SELECT * FROM "mschema"."mtestTable"; -- can use select
DROP TABLE "mschema"."mtestTable"; -- can use drop etc.
Thanks to #Hannes, #Ying & #Dimitar
Here is an working example for granting SELECT privileges to a separate user with MonetDB:
as admin (e.g. monetdbaccount)
CREATE SCHEMA "somedataschema";
CREATE TABLE "somedataschema"."somepersistenttable" (i INTEGER);
INSERT INTO "somedataschema"."somepersistenttable" VALUES (42);
CREATE USER "someuser" WITH PASSWORD 'someuserpass' NAME 'someusername' SCHEMA "sys";
GRANT SELECT ON "somedataschema"."somepersistenttable" TO "someuser";
CREATE SCHEMA "someuserschema" AUTHORIZATION "someuser";
ALTER USER "someuser" SET SCHEMA "someuserschema";
Now, someuser can SELECT from somepersistenttable, but not modify it. Should this user need a table on its own, someuserschema or temporary tables (deleted when user logs out) could be used. Hence, this works:
SELECT * FROM "somedataschema"."somepersistenttable";
CREATE TABLE "someuserschema"."sometemptable" (i integer);
INSERT INTO "someuserschema"."sometemptable" VALUES (84);
SELECT * FROM "sometemptable";
CREATE TEMPORARY TABLE "sometemptable" (i INTEGER) ON COMMIT PRESERVE ROWS;
INSERT INTO "sometemptable" VALUES (42);
SELECT * FROM "sometemptable";
And this will produce an insufficient privileges error (same for update, drop, alter etc.):
INSERT INTO "somedataschema"."somepersistenttable" VALUES (43);
Please have a look at this MonetDB bug report. Grant privilege works for user created schemas, but the bug-fix seems not cover the default "sys" schema.
No, you don't have to explicitly grant access to each individual tables. You can still use GRANT monetdb to "user1". See my previous answer, for now, you just need to create your tables under a user created schema. I just tried it in the "default" branch of MonetDB.
Related
I am using the query band so the user can connect through the proxy user to the data pool in Teradata. Proxy users have full access to the table. How can I force the external users to see the selective columns? This is my query:
SET QUERY_BAND='PROXYUSER=TheAdmin; PROXYROLE=RoleOne;' FOR TRANSACTION;
SELECT Employee_Id, First_name, Last_Name FROM Project.myTest;
This query works, but the problem is if the external user use SELECT * FROM Project.myTest;
It returns the whole table. I want that user should not be able to see all the columns.
I don't want to use the view as I have a big DB and there I have to create so many views in each table.
Is there any way to do that? Will be great help and thanks in advance.
Both tablespaces are in the same DB so in Oracle SQL Developer, if I login to one tablespace tb1 i can see all the tables in tb2. Because of permissions I was unable to create the table tb2.new_table while logged into tb1. So I logged into tb2 and made tb2.new_table and can query it there. When I log back into tb1 I cannot see the newly created tb2.new_table. I'm just wondering why it's not showing up, I did commit after I made the new table.
My confusion comes as when I was logged into tb1 I was able to add a column to a table in tb2. Any ideas?
You can't log in to a tablespace. And you don't refer to a table by its tablespace (a table can exist in multiple tablespaces or in no tablespace). If you are referring to a table tb2.new_table, that implies that tb2 is the name of a schema, not a tablespace. Tablespaces have nothing to do with permissions, they are simply a collection of physical data files. Schemas do impact permissions.
It appears that you created a new table in schema2 but haven't given user1 permission to do anything with that table. Assuming that is the case, as user2 run the commant
grant select on new_table to user1
and then user1 should be able to
select * from user2.new_table
If you want user1 to be able to insert, update, and/or delete data in new_table, you'd need to grant those permissions as well, i.e.
grant insert, update, delete on new_table to user1
An Oracle DB user has SELECT permission on all the tables of a DB schema. Can i restrict the user to view the table data.The user should be able to select the table but should not be able to see the data.
This specific requirement is required for user who reviews DB design and generates ALTER script for DB using Oracle Data Modeler 3.3 where he can just see the table design and can compare it with ERD
Can i achieve it using FGAC or RLS?
You can achieve this by granting only references
GRANT references ON schema_a.table TO erd_user;
the erd_user can then use
DESC schema_a.table
to get a definition but not select any data.
This might be preferred to giving the SELECT CATALOGUE where they can see a lot more information that you might like.
In oracle 11G, I want to drop a user PERMANENTLY, ie no trace of that user should remain and I should not get "existing object" errors like this - ORA-00955: name is already used by an existing object, when I try to recreate that User with its tables.
Please help me to do this.
Thanks.
EDIT -
Commands to create user with table and columns
CREATE USER Products identified by discounted
GRANT ALL PRIVILEGES TO Products
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
The above is followed by,
Commands to drop user completely and re-create it completely
DROP USER PRODUCTS CASCADE
CREATE USER Products identified by discounted
GRANT ALL PRIVILEGES TO Products
CREATE TABLE Cars(Brand varchar(25),Model varchar(25))
Causes the exception-
java.sql.SQLSyntaxErrorException: ORA-00955: name is already used by an existing object
You didn't say what user you were logging in as, but I'll assume it's SYS or someone with pretty much godlike privileges.
In your last line, you are creating table CARS in the current schema, not in the products schema. What you probably want is:
CREATE TABLE products.cars(brand varchar2(25), model varchar2(25));
The cars table probably still exists in the current schema from your previous attempt. You can tell if it exists anywhere with this:
SELECT owner, object_name, object_type FROM all_objects WHERE object_name = 'CARS';
As a side note, it's not really a good idea to grant all privileges to a normal user, but I assume this is for testing procedures. Also, it's preferred to use VARCHAR2 instead of VARCHAR.
Your question is way too generic. Based on what I understood, if you use following script, you can drop all objects created by the user -
drop user USERNAME cascade;
Documentation
And for this to execute successfully you should not have an open connection for this user.
Can we create multiple schemas for a particular user? I am currently logged in as X/Y user and when I tried creating a schema using create schema authorization sample_schema, I got the error the schema name is missing or is incorrect in an authorization clause of a create schema statement. I do know that a default schema X would have been created.
CREATE SCHEMA in Oracle does - contrary to its name - not create a new schema.
It is merely a shorthand to create several tables in a single statement.
Quote from the manual:
Use the CREATE SCHEMA statement to create multiple tables and views and perform multiple grants in your own schema in a single transaction
and further down the explanation on what the "schema" name parameter is:
The schema name must be the same as your Oracle Database username.
Well you could create a user named sample_schema (From the above example) and give user X/Y permission to use sample_schema tablespace.