Oracle - Granting privileges to user for session - excel

I have an application using Oracle 9i as the database and I would like to grant update/delete/insert etc. rights to only the session/connection used by this application.
I would like all other connections through Excel, Access, etc. to be in a read-only state so it prevents the users from "accidentally" changing the data through these applications.
If I have all users start out with read-only rights, then when they connect to this application I would like to call a specific stored procedure that would grant the user the proper rights only for that session. Once they disconnect, the user would be back to read-only rights.
I have seen in other posts that you can add a trigger to the login so you can check if the connection is from application1.exe then you can do things or if they connect from 'excel.exe' you can stop them.
This is close to what I need to do but not quite.
My long worded question is "Can I grant rights to only a session/connection which would then allow that user the ability to update data based on a specific application running?"
Thank you for your patience in reading through this question.
Karl

create user A and grant him permissions to execute DML operations
create user B and grant only read permissions
Use user A inside your application
Use user B in Excel, access, etc
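A concrete way to set up the two accounts the answer describes, as an added example that is not part of the original answer. The schema name APPSCHEMA, the table ORDERS, the user names APP_WRITER and REPORT_RO and the password placeholders are assumptions; the statements are standard Oracle syntax run by a DBA.

```sql
-- Added example (not from the original answer). Run as a DBA.
-- Assumed names: schema APPSCHEMA with table ORDERS; users APP_WRITER and REPORT_RO.

-- User A: the account the application connects with; it gets DML on the tables it needs.
CREATE USER app_writer IDENTIFIED BY "<password placeholder>";
GRANT CREATE SESSION TO app_writer;
GRANT SELECT, INSERT, UPDATE, DELETE ON appschema.orders TO app_writer;

-- User B: the account handed out for Excel, Access and other ad-hoc tools; SELECT only.
CREATE USER report_ro IDENTIFIED BY "<password placeholder>";
GRANT CREATE SESSION TO report_ro;
GRANT SELECT ON appschema.orders TO report_ro;

-- Verification, run while connected as REPORT_RO: the only privilege listed
-- for APPSCHEMA.ORDERS should be SELECT.
SELECT owner, table_name, privilege
FROM   user_tab_privs
ORDER  BY owner, table_name, privilege;
```

The application's password for APP_WRITER stays in the application's configuration; the users themselves only ever receive the REPORT_RO credentials, so nothing they type into Excel or Access can turn into an UPDATE or DELETE.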

Related

Contained user permissions

I have an azure hosted SQL database per customer. The customer is set up as a contained user to their own database with the following permissions (ALTER, CONTROL, DELETE, EXECUTE, INSERT, SELECT, UPDATE, CONNECT, VIEW DATABASE STATE).
I don't mind the customer making any changes to their database schema, but is it possible to make any changes to the logical server or access any other databases on the same server? Is the main security risk the customer creating other users on their database?
https://learn.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-2017
Thanks in advance.
If your database user is not created based on a logical server login, you don't have the permission to access multiple databases.
Please reference:
Controlling and granting database access to SQL Database and SQL Data Warehouse
As the link you provided said:
Users in a contained database that have the ALTER ANY USER permission, such as members of the db_owner and db_securityadmin fixed database roles, can grant access to the database without the knowledge or permission of the SQL Server administrator. Granting users access to a contained database increases the potential attack surface area against the whole SQL Server instance.
When the customer is creating any other database users, please be very careful about granting users the ALTER ANY USER permission.
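How to check whether a contained user ends up holding ALTER ANY USER, as an added example that is not part of the original answer. It goes a little beyond the answer: on a database, the CONTROL and ALTER permissions in the question's list both cover ALTER ANY USER, so the example also shows a narrower grant that still allows schema changes. The database name CustomerDb and the user name customer_app are assumptions; the catalog views and fn_my_permissions are standard T-SQL.

```sql
-- Added example (not from the original answer). Run in the customer's database
-- (assumed name: CustomerDb) as the server admin. Assumed user name: customer_app.

-- Contained user: authenticated by the database itself, no server-level login.
CREATE USER customer_app WITH PASSWORD = '<password placeholder>';

-- Narrower alternative to "ALTER, CONTROL, ...": schema changes and DML are
-- allowed, but nothing here covers ALTER ANY USER.
GRANT CONNECT, VIEW DATABASE STATE TO customer_app;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE TO customer_app;
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE FUNCTION TO customer_app;
GRANT ALTER ON SCHEMA::dbo TO customer_app;   -- lets them alter/drop their own dbo objects

-- Check 1: effective permissions as seen by the user. fn_my_permissions expands
-- covering permissions, so if CONTROL or ALTER on the database had been granted,
-- ALTER ANY USER would appear here even though it was never granted by name.
EXECUTE AS USER = 'customer_app';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
WHERE  permission_name = 'ALTER ANY USER';   -- expected with the grants above: no rows
REVERT;

-- Check 2: what was explicitly handed out, for an audit trail.
SELECT dp.name AS grantee, p.class_desc, p.permission_name, p.state_desc
FROM   sys.database_permissions AS p
JOIN   sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE  dp.name = 'customer_app';

-- Check 3: which principals already hold the dangerous permission, directly or
-- through db_owner / db_securityadmin membership.
SELECT r.name AS role_name, m.name AS member_name
FROM   sys.database_role_members AS rm
JOIN   sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN ('db_owner', 'db_securityadmin');
```

Running check 1 with the question's original list instead of the narrower grant is the quickest way to see the problem: ALTER ANY USER comes back as an effective permission even though only ALTER and CONTROL were named.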

Authentication for Virtuoso HTTP POST/PUT

I tried to execute an INSERT statement for an RDF triple in Virtuoso using its web-based SPARQL endpoint (http://localhost:8890/sparql/):
INSERT DATA
{
GRAPH <http://my.graph>
{
<http://test.com/someid> <http://namespace.ref#someVar> 123
}
}
but I got
Virtuoso 42000 Error SR186:SECURITY: No permission to execute procedure DB.DBA.SPARQL_INSERT_DICT_CONTENT with user ID 107, group ID 107
I was able to run the same statement through my DB editor that uses a JDBC driver on port 1111, using the DBA login.
The web interface/service insert was successful after I ran the following as a DBA through port 1111:
grant execute on DB.DBA.SPARQL_INSERT_DICT_CONTENT to "SPARQL";
grant execute on DB.DBA.SPARQL_INSERT_DICT_CONTENT to SPARQL_UPDATE;
However, I would like to revoke those privileges from user SPARQL, which I understand is associated with the web interface, and send HTTP POST/PUT/DELETE requests with supplied user credentials using digest authentication. Is that possible and how? I went to this page of the manual but it was empty.
The OP's goal is discussed in the new location of the manual page they originally tried to visit. (More details are on the product site, than are reproduced below.)
Virtuoso reserves the path /sparql-auth/ for a SPARQL service supporting authenticated SPARUL (a/k/a SPARQL-Update). This endpoint allows specific SQL accounts to perform SPARUL over the SPARQL protocol. To be allowed to log in via SQL or ODBC and update physical triples, a user must be granted SPARQL_UPDATE privileges. To grant this role:
Go to the Virtuoso administration UI, i.e., http://host:port/conductor
Log in as user dba
Go to System Admin → User Accounts → Users
Click the Edit link
Set User type to SQL/ODBC Logins and WebDAV.
From the list of available Account Roles, select SPARQL_UPDATE and click the >> button to add it to the right-hand list.
Click the Save button.
This procedure, which I picked up here, worked for me:
Logged in as dba, under System Admin > User Accounts,
grant SPARQL_UPDATE to "SPARQL"
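The same change made from the SQL side, as an added example that is not part of either answer: the execute grants from the question are taken back from the anonymous SPARQL account and a dedicated account receives the SPARQL_UPDATE role instead. The account name sparql_writer and its password are assumptions; DB.DBA.USER_CREATE is Virtuoso's built-in account-creation procedure, and the REVOKE is standard SQL syntax.

```sql
-- Added example (not from either answer). Run through isql on port 1111 as dba.
-- Assumed name: a dedicated SQL account sparql_writer; the password is a placeholder.

-- 1. Take back the procedure grants that made the anonymous /sparql endpoint writable.
REVOKE EXECUTE ON DB.DBA.SPARQL_INSERT_DICT_CONTENT FROM "SPARQL";

-- 2. Create an account that is only ever used through /sparql-auth.
DB.DBA.USER_CREATE ('sparql_writer', '<password placeholder>');

-- 3. Give it the SPARUL role the answer describes.
GRANT SPARQL_UPDATE TO "sparql_writer";
```

After this, the INSERT DATA statement from the question is sent to http://localhost:8890/sparql-auth with HTTP digest credentials for sparql_writer, while the unauthenticated /sparql endpoint stays read-only. The roles of any account can be reviewed afterwards in the Conductor under System Admin → User Accounts, exactly as the first answer describes.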

CRM 2011 Administrator is missing read privilege error

I have a user in CRM 2011 having System Administrator security role (image), when I use that user in my Web Service to retrieve Account entity this error comes up
Principal user (Id=927fbba4-d61a-e311-992b-000c295c9030, type=8) is missing
prvReadAccount privilege (Id=886b280c-6396-4d56-a0a3-2c1b0a50ceb0)
I found the issue:
Below is the work-around if someone is having the same issue:
We had assigned the user the Administrator role.
Looking at the different user fields in CRM, I came across:
Client Access License (CAL) Information:
It was having values:
Access Mode : Administrative
License Type: Full
So I changed the Access Mode to :
Read-Write // Yahooooooooooooooo everything is working on the fly :)
Thanks for your time people.
The System Administrator role has all privileges on all records and this cannot be limited in any way.
I have two hypothesis(es?)
Your Web Service isn't actually operating under credentials of a user having the System Administrator role. This is the most probable explanation, you have to make sure your connection gets passed the correct username/password(/domain unless IFD).
Since you have an ID to check against, you can double check who that user is with a simple OData query:
[crm url]/XrmServices/2011/OrganizationData.svc/SystemUserSet(guid'927fbba4-d61a-e311-992b-000c295c9030')
Your CRM setup is messed up (highly unlikely unless you've been fiddling with the database, in that case odd errors and misbehaviors become a quite real possibility)

Why can't a user create tables in a database (they own) with a script? SP permission issue perhaps?

I granted a user permission to create databases. They were able to create a database, which they now own, but they are getting errors when running a script to create the tables. I don't have a lot of information at this point (sorry!), so I can't diagnose it myself, but perhaps someone more experienced in database permissions could help.
I'm assuming they are using some built-in stored procedures and it's a some kind of permission issue. I assumed that if they can create/own a database, they can do whatever they want to it, but there must be something they don't have access to.
Any advise? Do I need to grant them permissions beyond "create database"? Is there some common/standard set of stored procedures they should have access to? Do they need access to "master" database?
"Owning" the database at the server level is different to being "db_owner" in the database
After creating the database, run this
CREATE USER foo FOR LOGIN foo
EXEC sp_addrolemember 'db_owner', 'foo'
See CREATE USER for more info
Edit: Relying on any owner to dbo mapping from CREATE DATABASE is unreliable: set permissions explicitly or use sp_changedbowner
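The checks behind the answer, as an added example that is not part of the original answer: first confirm who owns the database at the server level, then whether that login is mapped to any user inside the database, then apply one of the two explicit fixes. The database name foo_db and login foo are assumptions; the catalog views and procedures are standard SQL Server.

```sql
-- Added example (not from the original answer). Run as a sysadmin.
-- Assumed names: database foo_db, login foo.

-- Who owns the database at the server level? (The login that ran CREATE DATABASE.)
SELECT name, SUSER_SNAME(owner_sid) AS owner_login
FROM   sys.databases
WHERE  name = 'foo_db';

USE foo_db;

-- Is the login mapped to a user inside the database, and to which one?
-- Owner mapped cleanly      -> one row, db_user = 'dbo'
-- Mapping missing/orphaned  -> no row: this is the "unreliable" case the answer mentions
SELECT dp.name AS db_user, dp.type_desc
FROM   sys.database_principals AS dp
JOIN   sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE  sp.name = 'foo';

-- Fix A (the answer's approach): a named user with db_owner membership.
-- Use this when the query above returned no row.
CREATE USER foo FOR LOGIN foo;
EXEC sp_addrolemember 'db_owner', 'foo';

-- Fix B (the answer's sp_changedbowner alternative): make the login the owner, which
-- maps it to dbo. Use this instead of Fix A, not in addition to it.
-- EXEC sp_changedbowner 'foo';

-- Confirm: 1 when the login is now db_owner (or dbo) in this database.
EXECUTE AS LOGIN = 'foo';
SELECT IS_MEMBER('db_owner') AS is_db_owner;
REVERT;
```

The point of the second query is that "owner" and "dbo" are tied by the owner SID, not by the login name: if that mapping is missing, the login can run CREATE DATABASE all day and still get permission errors on the first CREATE TABLE.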

Prevent Users Creating Table

I'm trying to secure an MS Access 2003 mdb using the workgroup security. I've got most of it set up (using a new MDW etc), but I can't stop people creating new tables in the database, if they've got access to open it. Am I missing something?
None of the accounts have any permissions allowed, I'm doing it all through groups.
Users only have Open\Run access to the database, no access to <New Tables/Queries> and only "Read Data" access on all the other tables, including the MSys* tables.
Any thoughts or am I trying to do the impossible?
--Update--
I've tried using the wizard as suggested, but that still leaves me with the same problem. I created a blank database & ran the wizard on it. Assigned 2 users, Me & User, and removed all access to the standard groups. I added Me into the Admin group & User to the Read Only group.
Not using the MDW denies access, as expected. Logging in as Me allows full access (design things, add data, delete data, etc.); logging in as User will allow reading data in existing tables, but not adding data or designing them (as expected), but it will still allow creation of a new table, which User will then have full access to add to, delete from, etc.
So, over a year after posting this question, I have another go at solving it, but this time with success!
I came across the Microsoft Access Permissions Explorer and this showed that the standard ways of securing the database, both manually and using the wizard, still give the Users group explicit Create permissions on the Tables container. This same software also allows the revoking of said permissions, so now I can have a fully secured database, where any user can access the mdb without using a special MDB, but they are only able to access and edit the data I want them to.
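The same container-level revoke expressed in Jet SQL, as an added example that is not part of the original post. It assumes Jet 4.0's DDL security statements (GRANT/REVOKE ... ON CONTAINER), which are only accepted through ADO or Access's ANSI-92 SQL mode and must be run by a member of Admins while the mdb is opened with the workgroup file; the table name Customers is an assumption, and Users is the built-in group.

```sql
-- Added example (not from the original post). Jet 4.0 DDL, run via ADO / ANSI-92 mode
-- by an Admins member with the workgroup file attached. Assumed table: Customers.

-- Take away the Create privilege on the Tables container that the wizard leaves for
-- the Users group; without it, members can no longer add tables of their own.
REVOKE CREATE ON CONTAINER Tables FROM Users;

-- Keep read access on the tables they are meant to see, and nothing more.
GRANT SELECT ON TABLE Customers TO Users;
```

The effect is the same as the change made through the Permissions Explorer: the group keeps "Read Data" on the tables it is granted, but loses the ability to create a new table it would then own.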
Can your users use the runtime version of msAccess? They will not have the ability to create any new Access object, such as table, query, form, etc.
And runtime version is free, so you'll also spare on licences!
