I am new to PostgreSQL and node. I am using knex.js library. I need to create roles and assigned it to each table I created in PostgreSQL. I am not sure how can I achieve it. Is it to be done at the time of table migration? Or can I do it after migration? And if so how can I do it?
As others has mentioned, you need to use knex.raw and raw SQL statements (in this case postgresql flavor). Knex doesn't have any special APIs supporting setting roles.
I have no experience with knex, but I suppose you can use
knex.raw('create user blah password 'blah-blah')
to create user. Of course your knex postgres user needs CREATE ROLE privs for it.
Assigning permissions on created tables to users might be done same way I suppose, eg:
knex.raw('grant select, update on table blah_blah to user blah')
this should not require any additional permissions for knex db user, as It creates tables and thus is the owner.
Related
I am developing a frontend with ANGULAR and backend with Node and Express. Is a simple backend for internal use in my company with a small quantity of users: 15-20. The backend connects to Mongodb. The mongo server is started with authentication and I can create users with built-in roles in mongo: read, write, etc.
But all the examples I found in tutorials usually creates a collection of users instead of using the mongodb built-in users.
As far I know, if use built-in mongo users I need to start a new connection for each user because the user and password is part of the Connection String URI
I have some doubts:
Is it a bad idea to use built-in users?
If I use built-in users. How to manage the logout of the user? I don't find examples.
"Users" in this context is usually connections to the database.
Lets say you have a database with data serving several applications. One which only has access to read the data, and another to write and update. You can make sure the read only app, wont write with 2 users of the database. Typically, you'll also have an admin user that has global all access for administrators.
When your coworkers wish to update some data through the second application. The application will authenticate to the database and write on their behalf. Whether or not someone has access to use the application to update data is not something the database should decide.
I hope this helps to understand the context of "user"
I am brand new to Azure so please bear with me ...
Using export tool in SSMS I managed to copy all of my tables from local database to Azure.
Now the most important part, adding users and mapping them to a database is unexplained.Also adding roles to database.Maybe it is explained but I sincerely dont understand a word of it. Seen some movies on YouTube but they mostly deal with database creation. SSMS is virtually useless for the Azure task (Or at least I do not know how). Also I can not find any tool on Azure dashboard to do it with.
So can someone to me explain in plain english the functionality of this stuff.
What I could fathom is that you need to add users first to the Master database. Ok, I add user with a query:
CREATE LOGIN USER1 WITH PASSWORD = 'AG123SAL#'
So the user is added to the Master database.
Now, how do I map this user to a certain database?
How do I set what he can do?
And how do I add roles to my database and add user to role ?
This is all very hard for a total newbie ...
You can use Contained user database model,instead of old model..The way to do this is to connect to database on which you are trying to provide access to a user and run
CREATE USER mary WITH PASSWORD = 'strong_password';
to provide permissions to this user
ALTER ROLE dbmanager ADD MEMBER Mary;
Microsoft recommends this model ,when using SQLAzure since this is database as a service..Below is a quote from microsoft on same
As Microsoft evolves the SQL Database service and moves towards higher guaranteed SLAs you may be required to switch to the contained database user model and database-scoped firewall rules to attain the higher availability SLA and higher max login rates for a given database. Microsoft encourage you to consider such changes today.
If you are looking for old model of login-user based heirarchy,you can read below
to create login:
create login mary with password='password'
Now to map user to database,you need to create user and map to that login.Login to the database ,you want to provide permissions and create user
create user marydb1 from login mary;
you also can assign roles as well
ALTER ROLE dbmanager ADD MEMBER Mary;
Updated as per comment :
create role
create role rolename AUTHORIZATION db_manager*;
*:this should be user has total permissions on the database..since we may use this as base
now add permissions to that role
grant select,update,delete to rolename;
now add users
ALTER ROLE rolename ADD MEMBER username;
Look at this sql server authentication with Azure SQL Database tutorial
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started
My application (C#, ASP.Net) needs to insert, update and delete data in the DB, and run stored procedures. I need to prevent it from modifying the DB schema - no altering tables, creating or dropping, no changes to stored procedures.
What permissions combination do I need to grant to the application user? Just 'select' isn't going to work, because it needs to insert/update/delete data in tables.
How do I check permissions and access for a particular login?
How do I grant or deny permissions and access for a login?
I need to give permissions to a new user (login) to access only one database.
Using SQL Server 2008 R2, with SSMS.
If you really want to control this at the object level, you can do:
GRANT SELECT,UPDATE,INSERT,DELETE ON dbo.table TO user;
At the schema level:
GRANT SELECT,UPDATE,INSERT,DELETE ON SCHEMA::dbo TO user;
Ideally, though, you would not allow ad hoc DML against your tables, and control all DML through stored procedures. In which case you just need to grant exec on the procedure itself, and not to the objects it touches:
GRANT EXEC ON dbo.procedure TO user;
Similarly if you want to allow exec on all procedures in a specific schema, you can say:
GRANT EXEC ON SCHEMA::dbo TO user;
The one exception is when your stored procedure composes dynamic SQL. In those cases you might still need to apply permissions to the underlying tables in the context of the dynamic SQL execution, or you may be able to use EXECUTE AS OWNER.
Background
We have a WinForms application with Entity Framework 4.2 code-first / FluentAPI using SQL Server 2008 R2.
The security is a custom implementation of IPrincipal and IIdentity with the roles for the user. These roles are checked when a Form/menu/button is displayed and it will be disabled/removed based on the user role.
Users are authenticated against the database so there is no "master" user for the connection: it's created using the username/password provided on the login screen.
So, access to data (general) is working.
The problem
But some cases might require me to disable access to a specific table or to a column inside the table.
Some tests have shown here that IGenericRepository.Find<MyCustomType>(_idToFind) (which returns the complete entity) will fail because there is no access to a single column and SQL server will prevent the whole select statement.
I've found, however, that create a query like
IGenericRepository.All<MyCustomType>().Select(_c => _c.JustASingleField)
will work because the generated query will look only for a specific field for which I have access.
Question
Is there a way for me to create queries that will be role-aware to the database?
For instance: Find<MyCustomType>(id) will return the object as usual but with the field that the user does not have access set to NULL or with no value?
Or I'll just have to write "generic" queries for every single item that does not require protection and rely on the security system to completely block access to a resource?
Another example would be to fill a grid but the column for which the user does not have access will be blank.
Is it possible at all using Entity Framework?
Is it possible at all using EntityFramework?
No. EF is not aware of security configuration on SQL server and it is not able to react to any security demands expected by SQL server except providing credentials for connection string.
If you require this type of security you should use database views providing only accessible items to specific role and let EF to use model mapping only views the user role has access to - it can result in quite big set of different "models" due to many roles.
I granted a user permission to create databases. They were able to create a database, which they now own, but they are getting errors when running a script to create the tables. I don't have a lot of information at this point (sorry!), so I can't diagnose it myself, but perhaps someone more experienced in database permissions could help.
I'm assuming they are using some built-in stored procedures and it's a some kind of permission issue. I assumed that if they can create/own a database, they can do whatever they want to it, but there must be something they don't have access to.
Any advise? Do I need to grant them permissions beyond "create database"? Is there some common/standard set of stored procedures they should have access to? Do they need access to "master" database?
"Owning" the database at the server level is different to being "db_owner" in the database
After creating the database, run this
CREATE USER foo FOR LOGIN foo
EXEC sp_addrolemember 'db_owner', 'foo'
See CREATE USER for more info
Edit: Relying on any owner to dbo mapping from CREATE DATABASE is unreliable: set permissions explicitly or use sp_changedbowner