snowflake: remove access to drop a table to a role - snowflake-cloud-data-platform

I have created a role with the following grants
GRANT
USAGE,
CREATE FUNCTION,
CREATE PROCEDURE,
CREATE TABLE,
CREATE VIEW,
CREATE EXTERNAL TABLE,
CREATE MATERIALIZED VIEW,
CREATE TEMPORARY TABLE
ON SCHEMA dbname.schemaname TO ROLE role_test;
Now, using this role, I am able to create a table or replace a table and also drop a table.
How can I stop someone from dropping a table?

The owner role of the table will have DROP permissions. So it's not possible to stop someone from dropping the table they created.
You may need to change the ownership of the table to another role.
https://community.snowflake.com/s/article/how-to-drop-an-object-as-a-role-other-than-the-object-creator
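
The ownership change suggested in the answer above, as an added example that is not part of the original answer. The role name table_owner and the table name my_table are hypothetical, and the script assumes it is run by a role that can create roles and manage grants (for example SECURITYADMIN).

```sql
-- Added example: table_owner and my_table are hypothetical names.
-- DROP TABLE requires OWNERSHIP on the table, so the fix is to make sure
-- role_test never holds OWNERSHIP, directly or through the role hierarchy.

CREATE ROLE IF NOT EXISTS table_owner;
-- Do NOT grant table_owner to role_test: role_test would inherit
-- OWNERSHIP through the hierarchy and could drop the tables again.

-- Let the owning role reach the schema that holds its tables.
GRANT USAGE ON DATABASE dbname TO ROLE table_owner;
GRANT USAGE ON SCHEMA dbname.schemaname TO ROLE table_owner;

-- 1. Existing table created by role_test: move OWNERSHIP away from it.
--    COPY CURRENT GRANTS keeps the grants already issued on the table.
GRANT OWNERSHIP ON TABLE dbname.schemaname.my_table
  TO ROLE table_owner COPY CURRENT GRANTS;

-- 2. Give role_test back only the data privileges it needs.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON TABLE dbname.schemaname.my_table TO ROLE role_test;

-- 3. Tables created later: a future grant hands OWNERSHIP to table_owner
--    at creation time, so role_test can still create tables but does not
--    own them afterwards.
GRANT OWNERSHIP ON FUTURE TABLES IN SCHEMA dbname.schemaname
  TO ROLE table_owner;
GRANT SELECT, INSERT, UPDATE, DELETE
  ON FUTURE TABLES IN SCHEMA dbname.schemaname TO ROLE role_test;

-- 4. Verify: role_test should appear with data privileges only.
SHOW GRANTS ON TABLE dbname.schemaname.my_table;
SHOW FUTURE GRANTS IN SCHEMA dbname.schemaname;
```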

Related

SQL Server ownership chain cross schema with different owners for view selecting from multiple schemas

I have 1 database with multiple schemas, some owned by a different user than the default 'dbo' user.
I have a view in one of these 'dbo' schemas, that selects from 5 tables in other 'dbo' schemas, and then 2 tables in a 'UserA' schema.
I want to grant a user group access to the view in the 'dbo' schema and not the underlying tables. When granting permission to the view, I get errors saying cannot select from the tables owned by 'UserA'. Understandable and expected because the view (and thus authorizations granted) are for 'dbo'. So how do I also grant access to the 'UserA' tables without directly assigning them to my user group.
Any recommendations? I tried to find if there is some way to grant access to the view through both 'dbo' and 'UserA', but it seems only 1 owner can grant select permissions? I also tried making views of the 'UserA' table in the 'dbo' schema and then granting permission to those new 'dbo' views, but that didn't work either.
No permissions on the underlying tables are needed when all objects involved are owned by the same user. This is known as ownership chaining in SQL Server.
It seems you have different schemas which are owned by different users, breaking the chain. Tables are owned by the schema's owner by default (i.e. inherited) but this can be overridden by changing the owner at the table level for specialized requirements. Below is an example script that illustrates this method.
Using granular object ownership rather than inheriting the schema owner is not something that should be done routinely. It is not intuitive for most and adds administrative burden.
USE tempdb;
GO
CREATE USER UserA WITHOUT LOGIN;
GRANT CREATE TABLE TO UserA;
CREATE USER UserB WITHOUT LOGIN;
GRANT CREATE TABLE TO UserB;
CREATE USER UserC WITHOUT LOGIN;
CREATE ROLE YourUserGroup;
ALTER ROLE YourUserGroup ADD MEMBER UserC;
GO
CREATE SCHEMA UserA AUTHORIZATION UserA;
GO
CREATE SCHEMA UserB AUTHORIZATION UserB;
GO
CREATE TABLE dbo.Table1(ID int NOT NULL CONSTRAINT PK_Table1 PRIMARY KEY);
GO
EXECUTE AS USER = 'UserA';
GO
CREATE TABLE UserA.Table1(ID int NOT NULL CONSTRAINT PK_Table1 PRIMARY KEY);
GO
REVERT;
GO
EXECUTE AS USER = 'UserB';
GO
CREATE TABLE UserB.Table1(ID int NOT NULL CONSTRAINT PK_Table1 PRIMARY KEY);
GO
REVERT;
GO
CREATE VIEW dbo.View1
AS
SELECT
      t1.ID AS dboTable1ID
    , t2.ID AS UserATable1ID
    , t3.ID AS UserBTable1ID
FROM dbo.Table1 AS t1
JOIN UserA.Table1 AS t2 ON t2.ID = t1.ID
JOIN UserB.Table1 AS t3 ON t3.ID = t2.ID;
GO
GRANT SELECT ON dbo.View1 TO YourUserGroup;
GO
EXECUTE AS USER = 'UserC';
GO
--this fails due to broken ownership chain
SELECT * FROM dbo.View1;
GO
REVERT;
GO
--change table owner to common owner
ALTER AUTHORIZATION ON OBJECT::UserA.Table1 TO dbo;
ALTER AUTHORIZATION ON OBJECT::UserB.Table1 TO dbo;
GO
EXECUTE AS USER = 'UserC';
GO
--this now succeeds because all objects involved are owned by dbo
SELECT * FROM dbo.View1;
GO
REVERT;
GO
DROP VIEW dbo.View1;
DROP TABLE dbo.Table1;
DROP TABLE UserA.Table1;
DROP TABLE UserB.Table1;
DROP SCHEMA UserA;
DROP SCHEMA UserB;
DROP USER UserA;
DROP USER UserB;
DROP USER UserC;
GO

Delete trigger on Many-to-Many Table

Hello, I have to create a trigger that will help me delete a User.
Example: DELETE FROM Users WHERE Users.Id = 1
I have tables that reference the Users table, and when I try to delete from the other tables before I delete from the Users table I get this:
The DELETE statement conflicted with the REFERENCE constraint "FK_UsersChats_Users". The conflict occurred in database "cd8eb179-8ec2-41ae-aa28-46e1571ca2bf", table "dbo.UsersChats", column 'UserId'.
My Db diagram
My code so far: http://pastebin.com/45H1WGSr
You can either create a stored procedure or series of queries that deletes from the parent table, then deletes from each child table, or you can set CASCADE DELETE on the relationships so they do it automatically.

SQL server: To create a table inside a schema

I wish to create a table T1. When I execute the query, that table should be included in the HumanResources schema, which already exists in the database.
How should I change my query to do this? To get table T1 into the HumanResources schema?
Create Table T1
(
Id int,
Name varchar(20)
)
Create Table HumanResources.T1 (...);
In your attempt, you are trying to add it to a database called HumanResources and to the schema dbo. It's database.schema.object.
Edit
In response to the OP's comment, the question has already been answered here: How do I create a SQL table under a different schema?
The schema that will be used when schema is omitted will be the
default schema of the database user. Therefore, for creating table
without specifying schema, you'd have to set that database user's
default schema to dbo.
In your case try running:
CREATE TABLE [schemaname].[tableName](...)

Query the tablespace of a table without using dba_tablespaces

I need to know the tablespace of a particular table. I can't use the typical query SELECT owner, table_name, tablespace_name FROM dba_tables; because I don't have permissions. Is there another way to look up the tablespace without using dba_tablespaces?
What permissions do you have?
If you have the ability to query the table in question, for example, you can use all_tables which has the same columns that dba_tables does but only has data for tables that you have privileges on.
If you don't have privileges on the table are there other data dictionary tables that you do have access to (dba_segments, for example)?
If you don't have privileges on the table and you don't have privileges on any of the dba data dictionary views, why do you need to know the tablespace?
Use USER_TABLES if the table is in your working schema; and ALL_TABLES if you have permissions on the table but it is not in your working schema.
Otherwise change schema or get permission to access DBA_TABLES.

Create multiple views inside a schema - SQL Server

How can I create multiple views inside the CREATE SCHEMA statement?
I want to create a SCHEMA, and create two views inside it in the same statement, so all those statements work as one unit? Succeed or fail together!
From MSDN: http://msdn.microsoft.com/en-us/library/ms189462.aspx
"CREATE SCHEMA can create a schema, the tables and views it contains,
and GRANT, REVOKE, or DENY permissions on any securable in a single
statement. CREATE SCHEMA transactions are atomic. If any error occurs
during the execution of a CREATE SCHEMA statement, none of the
specified securables are created and no permissions are granted."
How can I do this? I tried this:
CREATE SCHEMA [MYSCHEMA] AUTHORIZATION [dbo]
CREATE VIEW [VIEW1]
AS
SELECT [ID]
,[NAME]
FROM [dbo].[TABLE1]
/* Here is the Problem */
GO
CREATE VIEW [VIEW2]
AS
SELECT [ID]
,[NAME]
FROM [dbo].[TABLE2]
GO
If I include a GO statement just after the first view creation, then the script runs, but the second view VIEW2 is created under the dbo schema, not under MYSCHEMA, and doesn't run as a single unit either.
If I remove the GO after the first view, then it gives an error saying
CREATE VIEW must be the first statement of a batch
for the second CREATE VIEW statement.
How do I solve this and create both views as a part of CREATE SCHEMA statement?
CREATE SCHEMA [MYSCHEMA] AUTHORIZATION [dbo]
CREATE VIEW [VIEW1] AS SELECT [ID], [NAME] FROM [dbo].[TABLE1]
CREATE VIEW [VIEW2] AS SELECT [ID], [NAME] FROM [dbo].[TABLE2]
GO
