I requested a dataset from snowflake marketplace which got created as a shared database in my account. Now from my account, I created a reader account. I wanted to share the shared database with the reader account by running the below. I knew it will not work, but wanted to take a chance:)
grant usage on database COVID19_EPIDEMIOLOGICAL_DATA to share reader_acct_share;
But my question is, if I want to share a shared database, is my only option to create another database from the share and then share it. In that case,I will also have to create a scheduled process to synchronize between the shared database and the database created from it. Is my understanding correct or is there another way to do this?
Thanks
Shared databases and all the objects in the database cannot be forwarded (i.e. re-shared with other accounts).
https://docs.snowflake.com/en/user-guide/data-share-consumers#general-limitations-for-shared-databases
The following actions are not supported:
Creating a clone of a shared database or any schemas/tables in the database.
Yes , you are right , you can't share shared-database through share object to reader account, the approach is create new local database , materialize the objects such as tables into this new local database and create share out of this local database.
Ignoring my moral compass:
You might be able to use a secure materialized view select * from shared_with_me and share the "secured view" as those are sharable.
But if this works, I would suggest it's a bug in the security model, that need fixing. If someone X shares with you Y, they have shared with you not Z. If X want Z they can share with them as well. Thus there is zero reason for you to reshare.
And it's a possible violation of so many GDPR like things.
Related
We plan to have users all over the world who will access our web application. But our database is located in US-West. We want the same database in Mumbai. We did create a read-replica, but it's pointless if we need to execute write scripts there right?
How do companies solve this scenario? How do companies allow two databases to exist across regions where they both synchronize their data for reading and write access? I basically want a master-master relationship. Not a master-slave.
Thanks.
I know that this is most probably not possible. But I will still detail my problem here, and if anyone has something similar to what I need, that would be great.
I have a file validation system which is hosted on a Windows server. This system holds a metadata table which is used by the front-end file validation application to validate various types of data. Right now it caters to a single application which is hosted on the same database as the metadata table.
The problem is that I want this system to be scalable so that it can validate files for a variety of applications some of which exist on different databases. Since some of the checks in my metadata table are based on Pl/SQL, I cannot run these checks unless the database for both the file validation system and the application database is the same. Is there a way for a table to be shared across multiple databases at once? If not, what could be the possible workarounds for this?
If you want to access several tables on several databases as if it was one table then you have to use a view which uses database links. You should first learn about database links and then creation of the view should not be the problem.
A database link allows you to access another database table just as a table on the same database. All you do is adding the #mydblink to the table name once you created the db link. Example
CREATE DATABASE LINK mydblink
CONNECT TO user IDENTIFIED BY password
USING 'name_of_other_db'
SELECT * FROM sometable#mydblink
It works well and there even is a two phase commit for updates in the remote and local database. There is some more to know about it depending on your set-up but you can read all about it in the oracle documentation. I have worked in a larger project extensively with database links and that is the right approach for what you want to do.
http://docs.oracle.com/cd/E11882_01/server.112/e25494/ds_concepts002.htm#ADMIN12083
http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_5005.htm
Here is a link that I found after some googling telling how to build a view that accesses data at several databases and also gives some information about the expected performance
http://www.dba-oracle.com/t_sql_dblink_performance.htm
Oracle has DBLinks. Check out the docs.
http://docs.oracle.com/cd/B28359_01/server.111/b28310/ds_concepts002.htm
I know that SQLite doesn't support setting up different users. I have a requirement where I need to prevent certain set of users from doing INSERTS/UPDATES into the SQLite DB. As SQLite doesnt have any GRANT/REVOKE commands is there any other way to setup different access levels to the DB file apart changing the file permissions.
Thanks.
Not built into sqlite, no.
You could write your own access control, however. Many web projects are an example of this model. They regularly authenticate against user records contained within the database itself.
I'm building a Windows application that will go against a SQL 2008 database. Some of the table data is very sensitive but some of our users will still need at least read if not read/write access to those tables. We're going to use Windows Security to control their access to the database.
I want to know if those same users can access the data in those tables through something like Excel or MS Access? It's about blocking a bad apple from trying to steal the data inside and walking off with it. If they have read access to the data, though, is there any real way to stop them?
Sorry if this is a SQL Server 101 question, but I'm not finding good answers to the question.
Thanks for the help!
If they have to have read access, then you should pretty much assume they can do what they want with the data. If you render data on the screen, you have to assume someone can write down what they see with a paper and pencil.
With that said, I'd create a service account that has permissions to access SQL Server from your application. Control the access in your app via roles. Do not grant any users access to your database directly - they have to go through your app.
If you try to open Access or Excel and point it to your SQL Server database, they won't have permission to do anything.
A good way to do this might be to author stored procedures that fulfill all of your needs and grant all the users execute only privileges.
If you grant full read access to your users, then yes its going to be difficult to prevent them from what your talking about.
As mentioned by others, you can create a SQL account for your application. This will disallow any outside access from anything other than your application itself. Of course, this would mean that access to your application itself would have to be restricted. This is also easily accomplished by limiting read access to the executable to an active directory group which contains users whom get access. Further to that, you application may also use active directory hooks to determine whether to allow write access for those users who need it.
That all being said though.... your biggest problem will be the physical security. If just one user in the authenticated group is untrustworthy, then a certain acceptable usage policy, HR employee screening, and user environment checks and balances must be in place. A proper workstation deployment policy will also be good here, allowing you to restrict removable drive usage, logging all access, connectivity details etc etc.
It's more about the operational environment at this point if you can't trust the user.
Users could access SQL tables using linked table in Access or external data query in Excel, however the permissions are controlled by the SQL server, which means the users have read-access, they will be able to access data in read-only mode.
Can anyone tell me if there are RDBMSs that allow me to create a separate database for every user so that there is full separation of users' data?
Are there any?
I know I can add UID to every table but this solution has its own problems (for example per user database schema changes are impossible).
Doesnt MySQL, PostgreSQL, Oracle and so on and so on allow you to do that?. There's the grant statements to control ACLs
I would imagine most (all?) databases allow you to create a user which you could then grant database level access to? SQL server certainly does.
Another simple solution if you don't need the databases to be massive or scalable, say for teaching SQL to students or having many testers work against their own database to isolate problems is SQLite, that way the whole database is a single file (per user), and each user cannot possibly screw up or interfere with other users.
They can even mail you the databases, or install them anywhere, say at home and at work with no internet required.
MS SQLServer2005 is one which can be used for multiple users.An instance can be created
if you have any, run the previlegs and use one user per instance
Oracle lets you create a separate schema (set of tables, indexes, functions, etc) for individual users. This is good if they should have separate different tables. Creating a new user could be a very expensive operation as you would be making new tables. Updating is a nightmare as well, as you need to update the model for each user.
If you want everyone to have the same set of tables, but only able to view their own records then you could use Fine Grain Access Control or Virtual Private Database features to do this.