Creating a read-only user in pgAdmin 4 is a little tricky.
Here is a guide on how I did it.
First of all a few words about the process.
The whole process is based on editing a schema (very simple and safe) for your DB, so this creates limitations for using the method for all the DBs you have unless you edit schemas for each DB (again, it is easy).
First, we have to open a main dialogue, select the target DB you need the read-only user for -> Schemas -> right mouse click on "public" schema -> Properties.
In the opened window go to "Default privileges" and click the "+" in the right corner.
In the "Grantee" column enter: "pg_read_all_data",
in "Privileges" column click on the field and you will see options. Enable only "Select".
On the rest tabs (Sequences, Functions, Types) you can do the same (Select or Usage).
Hit "Save".
In the left sidebar scroll down and find "Login/Group Roles". Click right button -> Create -> Login/Group Role.
OR if you have an existed user role you want to make read-only, click the right button on it and select "Properties".
In the opened window enter the name of the user, on the "Definition" tab enter a password, on the "Previliges" tab select "Can login" and "Inherit rights from the parent roles?"
In the "Membership" tab hit "+" in the "Member of" table and type "pg_read_all_data" into the "User/Role" column.
In the "Parameters" tab hit "+".
Select "role" in the "Name" column's dropdown,
type "pg_read_all_data" in the "Value" column.
In the "Database" column select the desired DB (where you have edited the schema in the previous steps).
Note, you can add more rows with the same settings for different databases (of course, if those DBs have edited schemas as shown above).
Click "Save".
Now you can log into your PhpPgAdmin (or psql or wherever you need) under this user and do only selects. A real read-only user role.
I hope it will help someone.
I don't have enough reputation to comment on your very helpful post, but wanted to add that the public schema by default gives full access to the PUBLIC role (implicit role that all users belong to).
So you would first need to revoke this access.
This can be done in pgAdmin in the Security tab of the schema properties dialog, or with the SQL command
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
See also:
Issue creating read-only user in PostgreSQL that results in user with greater permission with public schema
PostgreSQL - Who or what is the "PUBLIC" role?
Related
I am switching my Snowflake roles in my account console but, in my worksheet context, the role doesn't automatically reflect. Do I need to change this in both the places all the time?
Let's say you switch your role from A to B in the upper right corner and you want to execute the query with role B. In this case you also have to switch the role in the worksheet to B.
The role on your worksheet-level "overwrites" the role in your upper right corner.
You can change the role on the worksheet-level by using the GUI or executing USE ROLE xy;.
The role mentioned under your username on the top right-hand corner is for the option available to the left of the same console. This is totally independent of the role selected in each worksheet.
for example, For accountadmin role - you would able to see an additional option like Account, which will not be able with PUBLIC role. You can try to switch between the roles.
The role selected in the worksheet defines your access privileges on the database objects. The SQL statements executed are evaluated with the worksheet role.
You can user properties such as Default_role, Default_warehosue & default_namespace(db &schema). Details here
This will help to get your user context set with the defaults on every new worksheet created.
I'm a system administrator in my org
I have 3 record types in Opportunity Object.
Out of those 3, I can create record with one record type. But when creating with the other two, the below error comes up:
You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary.
One more point I want to add here. The record type of which records can be created, those records cannot be edited. Again the same error message comes
Please help in finding the root cause.
Thanks in advance
The new record types need to be made available to your profile.
Open the profile in question and scroll down to the "Record Type Settings" section.
Locate "Opportunity" in this section, and you should see the name of the record type that you can create and edit. What you need to do is add the other 2 record types to this field.
To do this, click the Edit link in that field and a new screen will appear.
Select the record types that you want to make available to the profile, then click the Save button.
I hope this helps.
I need a help. I have three tables (admin, teacher, student) and I want to log in them from one login form. And I need also distinguish them as roles that for example student can't go to some page as teacher.
I created three radio buttons for every table in login form.
Like * admin * teacher * student.
With using this:
<?= $form->field($model, 'role')->inline()->radioList(array(1 => 'admin',2 => 'teacher',3 =>'student'))->label('You are: '); ?>
How can I make to find and log in the user when the user put there username and pass word and click on one from the radio buttons who he is? I generated three models for each table with using gii. So what and where I must write to make it work? Thank you for help!
If you have table/model per each role and you want to login from the same form, then on your login form except of usual username and password fields, you'll also need a role field (some radio button where user will have to specify what role they are). Otherwise, you won't know which table to query for username/password. Of course you can query all of them step by step, but what if there are teacher or student with the same username? Username has to be something unique, if you have one login form and it is not possible to achieve in case you have 3 tables for every type of user.
Another option would be to use one User table/model for all roles by simply adding extra column role. I think there's role column inside user table out of the box if you use Yii2 Advanced Template. Probably this is where you can start from.
As for permission to access specific pages per role. What you need is ACL (Access Control filter in Yii2).
I found few existing articles on how to achieve what you need.
http://yii2-user.dmeroff.ru/docs/custom-access-control - this is
simple example
http://code.tutsplus.com/tutorials/how-to-program-with-yii2-user-access-controls--cms-23173 - this is a bit more advanced
Hope that helps.
My question again to be more specific:
How can I modify data through a view and don't have to grant SELECT-Permissions on the table?
I am designing and developing a new database at the company i am working for.
The business rules say, that users are allowed to access specific rows in tables only.
So I use views to check the permissions of the user and return only those records, the user has access to.
So far so god.
But, I have to check the permissions also on INSERT and UPDATE and DELETE with INSTEAD-of-Triggers. Because the rows a User can SELECT may not be those, he can modify.
My problem is:
When I have an view and grant SELECT, INSERT, UPDATE and DELETE Permissions, it doesn't work. When I insert into this view, SQL Server wants INSERT-Permission at the base table. That wouldn't be a problem. But when I update or delete rows through the view, SQL Server wants SELECT and UPDATE/DELETE permissions granted on the base table.
I don't want to give SELECT-rights on the table.
Thanks
Chris
I'm thinking at:
1/ Restrict VIEW rows by adding in its definition a condition like this:
WHERE UserName = SUSER_SNAME()
or
WHERE UserName = CURRENT_USER()
or
2/ Using INSTEAD OF triggers on the involved view.
P.S. Indeed, CREATE VIEW WITH EXECUTE is not allowed. Thank you for your messages.
If i assign two users to two roles,let's say CSM and sales rep. If I am the sales rep and I go to the campaigns tab and click on the Direct mail view to view records of type Direct mail,I will get a result set. Now if the CSM user tries to access the same view by clicking on the Direct mail view again he should be able to access a different set i.e different set of records of the type direct mail. How do I achieve this. This is of top priority in my task now.Thanks in advance!!
You could create two views with the same name then make them each visible to the appropriate set of users.
You need to create two Views, one that corresponds to each of the groups. For simplicity, you can name the Views the same thing so long as the Unique Name is, obviously, unique. I would recommend something like Direct_Mail_Sales and Direct_Mail_CSM for the unique names.
Set up the criteria for the views however you'd like.
When you get to the bottom of the configuration for each view, make sure to select "Visible to certain groups of users" and select the corresponding Role from the list. This will make sure that the view is only visible to the appropriate role.
Since The views have the same name, it will appear to the end user to be the same view.