Kindly help me with SQL statement which can list the users and the role assigned to them in Sybase DB.
Need to capture users\roles who have following authorisations:
ALTER ANY TABLE
CREATE ANY TABLE
DELETE ANY TABLE
DROP ANY TABLE
GRANT ANY ROLE
UPDATE ANY TABLE
DROP ANY ROLE
GRANT ANY OBJECT PRIVILEDGE
GRANT ANY PRIVILEDGE
ALTER USER
ALTER PROFILE
ALTER DATABASE
BECOME USER
CREATE ANY RULE
DROP USER
Related
I have a successful connection from Azure data Factory to my Azure Sql db .And I have set the AAD Admin as myself and also the UserManagedIdentity from the portal.
Now whoever use that UserManagedidentity in ADF can access the entire Sql DB.I need to restrict the access at Schema level, like X people should have access to X tables and Y people should have access to Y Tables.
So how can we achieve this through usermangedIdentity ,Can we set Schema level permissions via usermanagedidentity?
The managed identity has a corresponding user in SQL, so limit their permissions are you would any other user or group.
i.e.:
GRANT SELECT ON Employees TO UserManagedIdentity;
Admin overrides all other restrictions. So as long as a user is part of Server admin, he/she can have the entire access.
For your use case, you would need to remove the managed identity from the admin group DL, create a new user within the database and grant the new user required access
I have below questions about schema/privilege:
May User have multiple DB roles(schema)?
What is db_denydatareader used for? (it seems can have different DB roles among databases, right?)
What are difference between db_datareader and db_denydatawriter if only want user to read data in particular database?
I tried to revoke SELECT right from schema (TestUser is with default schema db_datareader), why can it still search for tables?
REVOKE SELECT ON SCHEMA::db_datareader TO TestUser;
How can I grant select and update permissions to few tables only to user but not all tables? (i.e. no delete and insert permissions)
What are these system privileges referring to as I could not find in sys.objects table?
select * from sys.database_permissions where major_id <= 0;
Thanks.
It seems you think schemas and roles are the same but they are not the same. Roles are security membership containers, a principal can be member of a role. Schemas contain database schema bound objects, they help to group database objects together, and are owned by a principal. When you create a new user you can choose his default schema, add him to certain roles, and grant him ownership of schemas.
Members of the db_denydatareader fixed database role cannot read any data in the user tables within a database.
About the difference between db_datareader and db_denydatawriter. The db_datareader grants select permissions on all tables, and It does not affect any insert, update, delete permissions. Meanwhile db_denydatawriter denies insert, update and delete permissions on all tables, it denies permission to do any changes to any table. Even if someone was granted insert permissions directly they would still not be able to insert, because deny overrules grant. Assigning a user to the db_denydatawriter role means that they will never be able to make any changes to the database, regardless of what other permissions they have. Deny takes precedence over grant.
About question #4, you can group tables on schemas and then DENY SELECT permission over the schema to a principal or user. db_datareader is a fixed database role and it is not a schema.
DENY SELECT ON schema::[SchemaName] TO [user_name]
Similarly you can grant SELECT and UPDATE permissions over an schema on the database, that contains a group of tables.
GRANT SELECT, UPDATE on SCHEMA::SchemaName TO [user_name]
You can find the list of database roles here.
Small question about Cassandra 3.0.8. Not datastax.
is it possible to grant/revoke permissions for users, who use sstableloader? For now, user only authenticate in Cassandra and can update any table...
There is no specific authentication for just sstableloader. However you can
Create separate set of users/roles for each and every table within the keyspace.
In other words, there could be different users with different set of permissions on each and every table.
Here is an example on how to create user and define permission at table level
GRANT SELECT PERMISSIONS ON keyspace1.table1 TO USER1;
GRANT MODIFY PERMISSIONS ON keyspace1.table2 TO USER1;
So in the above example USER1 has select permission on table1 while update permission on table2. So you can authorize who gets to have update access on table1 but not if it comes from sstableloader or cql or application code.
Here is the reference for roles and permissions https://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html
I have created new user 'testUser' in Dynamics GP company lets say 'TWO', there is another database on same server which is a non GP company database lets say 'TEST'. There are few tables in TEST db which I need to read on my some Dynamics GP form. I have created a view in database 'TWO' to read records from this table.
create view TestView
as
select description from TEST..table1
GO
But when accessing this view in GP form I am getting permission error for my user testUser.
I went to SQL server and mark database 'TEST' for user testUser.
After that I get select permission message on view TestView.
after running
grant select, insert, update, delete on TestView to testUser.
I got no more issues. But is there any query by using which I will give permission to users whenever new user will be created in Dynamics GP?
You should grant the permissions to the DYNGRP role on the database.
grant select, insert, update, delete on TestView to DYNGRP.
This should give all gp Users those permissions. Any User created afterward will have those permissions.
My application (C#, ASP.Net) needs to insert, update and delete data in the DB, and run stored procedures. I need to prevent it from modifying the DB schema - no altering tables, creating or dropping, no changes to stored procedures.
What permissions combination do I need to grant to the application user? Just 'select' isn't going to work, because it needs to insert/update/delete data in tables.
How do I check permissions and access for a particular login?
How do I grant or deny permissions and access for a login?
I need to give permissions to a new user (login) to access only one database.
Using SQL Server 2008 R2, with SSMS.
If you really want to control this at the object level, you can do:
GRANT SELECT,UPDATE,INSERT,DELETE ON dbo.table TO user;
At the schema level:
GRANT SELECT,UPDATE,INSERT,DELETE ON SCHEMA::dbo TO user;
Ideally, though, you would not allow ad hoc DML against your tables, and control all DML through stored procedures. In which case you just need to grant exec on the procedure itself, and not to the objects it touches:
GRANT EXEC ON dbo.procedure TO user;
Similarly if you want to allow exec on all procedures in a specific schema, you can say:
GRANT EXEC ON SCHEMA::dbo TO user;
The one exception is when your stored procedure composes dynamic SQL. In those cases you might still need to apply permissions to the underlying tables in the context of the dynamic SQL execution, or you may be able to use EXECUTE AS OWNER.