I need to create a user in Oracle (19c) that can only read and write to his own schema - the user cannot see any other schemas (except the default, system schemas).
Also, other users must not be able to write (create) anything to that user's schema.
How can I achieve that?
That's the default state for a newly-created user - you'd have to grant privileges to allow the new user to see anything else, or for any other user to see the new user's objects (never mind create new ones).
So you don't need to do anything special - you just need to grant your new user the system privileges they need to connect to the database and create their own objects.
The exception is existing users with 'any' privileges, which usually only applies to DBAs. Or if grants to any other schema's objects have been made to the PUBLIC role, which is usually not done.
Read more about privileges.
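An added example (not part of the answer above) of the minimal setup it describes for Oracle 19c, followed by two checks for the exceptions it names: non-default grantees holding ANY privileges, and grants on the new schema's objects. The user name APP_OWNER, the USERS tablespace, the quota and the password are constructed placeholders.

```sql
-- Constructed placeholders: APP_OWNER, tablespace USERS, quota, password.
CREATE USER app_owner IDENTIFIED BY "Replace_This_Passw0rd"
  DEFAULT TABLESPACE users
  QUOTA 100M ON users;

-- Only what is needed to log on and create objects in its own schema.
-- No ANY privileges and no roles are granted.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE SEQUENCE, CREATE PROCEDURE
  TO app_owner;

-- Check 1: grantees (users or roles) that hold ANY system privileges and
-- can therefore read or create objects in APP_OWNER's schema.
-- Oracle-maintained accounts and roles are filtered out to keep the list short.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
WHERE  p.privilege LIKE '% ANY %'
AND    p.grantee NOT IN (SELECT username FROM dba_users
                         WHERE  oracle_maintained = 'Y')
AND    p.grantee NOT IN (SELECT role FROM dba_roles
                         WHERE  oracle_maintained = 'Y')
ORDER  BY p.grantee, p.privilege;

-- Check 2: object grants on anything APP_OWNER owns, including grants to PUBLIC.
-- A freshly created schema returns no rows.
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER'
ORDER  BY grantee, table_name, privilege;
```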
I really need some advice about adding roles at the server level and apply some permissions that will be applicable to each database on my server.
Basically I need two roles: read only and read write.
The read will have permissions to select and see any object
The write will have permissions to select/insert/delete and execute any object
I want to create a server role, then a login associated to this role (which can be an AD group) and after that for each database create a user that will inherit all permissions from the server role.
So on each database, I will have each user that belongs to the server role created, the problem is to clearly define the permissions, it is not straightforward in my opinion.
What I can see, I cannot assign read or write to a role and then use it on each db, on the contrary on the General tab of the server role I have a bunch of permissions that is not clear which one to use for this purpose.
Maybe I'm doing it wrong but I want to have something at the server level and not define the same role on each db for that purpose. I'm using SQL server 2014.
The short answer is you can't.
Generally, server-level permissions are not propagated down to individual objects within databases. The only exception is a sysadmin role, which I would strongly encourage you not to use for this purpose, as you would essentially give up the control of the entire server instance to every member of it.
As a kind of a shorthand, you can use built-in database roles to save yourself a bit of trouble. For read-only access, a membership in db_datareader role is usually enough, unless you have stored procedures that return datasets which this role is supposed to be able to execute. There is also a similar role for modification, db_datawriter, but it doesn't cover the execute permission. So you will have to create a custom role for that:
create role [DataChanger] authorization [dbo];
go
alter role [db_datareader] add member [DataChanger];
go
alter role [db_datawriter] add member [DataChanger];
go
grant execute to [DataChanger];
go
-- Now you can add your members. Here is a reader
create user [Domain\MyUser1] from login [Domain\MyUser1];
go
alter role [db_datareader] add member [Domain\MyUser1];
go
-- Writer
create user [Domain\MyUser2] from login [Domain\MyUser2];
go
alter role [DataChanger] add member [Domain\MyUser2];
go
These permissions will automatically pick up newly created objects, without you having to explicitly add new permissions after every schema modification.
You will have to do this in the context of every user database that you want to manage in this way. You can probably create a SQL Agent job which will run periodically and introduce these changes in any user databases which don't have them already (for example, if a database has been restored from earlier backup, or brought from another server, or a new one was created). Also, since you can't loop through databases in static code, you will need to wrap it into a dynamic SQL and loop through sys.databases, or maybe via an undocumented sp_MSforeachdb system stored procedure. Oh, and don't forget to remove all these go statements from dynamic code, as they are not part of SQL, and are only recognised by SSMS and sqlcmd.
P.S. All that being said, I hope you are not going to manage any production databases in this manner. I don't even know where to start on how insecure this approach is.
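An added example (not from the answer) of the loop over sys.databases that the answer describes, written as dynamic SQL without go separators and safe to re-run. The [DataChanger] role comes from the answer; the cursor, the database filter and the error handling are assumptions.

```sql
-- Applies the answer's [DataChanger] role to every online user database.
DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4            -- skip master, tempdb, model, msdb
      AND state_desc = 'ONLINE'
      AND is_read_only = 0;

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps a database name containing ] or spaces from breaking
    -- out of the identifier in the generated batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N''DataChanger'' AND type = ''R'')
BEGIN
    CREATE ROLE [DataChanger] AUTHORIZATION [dbo];
    ALTER ROLE [db_datareader] ADD MEMBER [DataChanger];
    ALTER ROLE [db_datawriter] ADD MEMBER [DataChanger];
    GRANT EXECUTE TO [DataChanger];
END;';

    BEGIN TRY
        EXEC sys.sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- One inaccessible database should not stop the remaining ones.
        PRINT N'Skipped ' + QUOTENAME(@db) + N': ' + ERROR_MESSAGE();
    END CATCH;

    FETCH NEXT FROM db_cursor INTO @db;
END;

CLOSE db_cursor;
DEALLOCATE db_cursor;
```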
Essentially -- In postgres, how to give a db user ability to create object in a schema but not able to grant permissions on that object to others users.
Sounds like a "default permission" (IE, permissions on NEW objects). The "Grant option" needs to be revoked.
Keep in mind that this only affects NEW tables/objects. You'll have to go back and manually alter the permissions on older objects manually or create a script to do it.
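-- ON TABLES and ROLE_HERE are placeholders: the command needs an object type and a grantee
ALTER DEFAULT PRIVILEGES
FOR ROLE USER_HERE
REVOKE GRANT OPTION FOR ALL ON TABLES FROM ROLE_HERE;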
The docs say
The special privileges of the object owner (i.e., the right to do DROP, GRANT, REVOKE, etc.) are always implicit in being the owner, and cannot be granted or revoked.
Since these special privileges cannot be revoked, I think the only way to prevent the object owner from granting or revoking privileges is to take ownership away (make some other user the owner) after the object is created.
But this seems a strange thing to do, and I think you'll probably get better answers by asking about the real problem rather than asking about one solution. That is, "How do I prevent an object's owner from granting privileges?" is not the real problem--it's one "solution" to an unstated problem. Think about what the real problem is.
I have created a User Role with superuser privilege. I have around 30 Databases on my server. I want to assign this role to only one DB. The current role lets the user access all the DBs as super user. How can I restrict him from accessing other DBs as super user?
This is the code that I have for assigning superuser:
CREATE ROLE fc LOGIN
SUPERUSER INHERIT NOCREATEDB NOCREATEROLE NOREPLICATION;
Can someone help me with this?
As @Craig explained, you can't (and even if you could, it would be fairly pointless).
The usual way of implementing restricted superuser permissions is to connect as an existing superuser role, and create SECURITY DEFINER functions containing a limited set of approved commands. These functions will now be executed with the privileges of the creator rather than the caller.
But you need to be very careful not to open any injection vulnerabilities, because everything within the function will be run as superuser. E.g. the caller could write a custom = operator which grants them superuser rights, and put it in their search path, so you need to be absolutely sure that you're using the = in the pg_catalog schema.
At the very least, you should:
Create all of these functions with the clause SECURITY DEFINER SET search_path TO pg_catalog, pg_temp. The pg_temp schema must always be included at the end of the list (if omitted, it will be implicitly included at the start).
Schema-qualify any other tables, functions, etc. that your function references (e.g. public.MyTable instead of just MyTable), and make sure that all of these are superuser-owned (so that callers can't put malicious code in triggers, etc.).
Never put user input in a dynamic query string (EXECUTE 'SELECT ...') without exhaustive validation.
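An added example (not the answerer's code) of a SECURITY DEFINER function that follows the three points above: pinned search_path, schema-qualified references, and allowlist validation before any dynamic SQL. The schema admin_api, the role app_admin and the approved extension list are constructed for illustration.

```sql
-- Run as a superuser. Constructed names: admin_api, app_admin.
CREATE SCHEMA IF NOT EXISTS admin_api;
REVOKE ALL ON SCHEMA admin_api FROM PUBLIC;

CREATE OR REPLACE FUNCTION admin_api.install_extension(ext_name text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
-- Pin the path so operators and functions resolve to pg_catalog;
-- pg_temp is listed last so it is never searched first.
SET search_path TO pg_catalog, pg_temp
AS $$
BEGIN
    -- Exhaustive validation: only names on a fixed list are accepted.
    IF ext_name IS NULL
       OR ext_name NOT IN ('pg_trgm', 'citext', 'hstore') THEN
        RAISE EXCEPTION 'extension % is not on the approved list', ext_name;
    END IF;

    -- %I quotes the value as an identifier, so it cannot change the shape
    -- of the statement even if the list above is edited carelessly later.
    -- The target schema is named explicitly so it does not depend on the
    -- pinned search_path.
    EXECUTE pg_catalog.format(
        'CREATE EXTENSION IF NOT EXISTS %I WITH SCHEMA public', ext_name);
END;
$$;

-- Functions are executable by PUBLIC by default; restrict to one role.
REVOKE ALL ON FUNCTION admin_api.install_extension(text) FROM PUBLIC;
GRANT USAGE ON SCHEMA admin_api TO app_admin;
GRANT EXECUTE ON FUNCTION admin_api.install_extension(text) TO app_admin;
```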
There is no facility in PostgreSQL for a database-specific superuser.
It would not make sense anyway, since generally operations that are superuser-only are things that permit relatively easy escalation to greater control over the database system.
Does newly created user:
create user John
identified by secret;
have some privileges? Or is there any oracle config for privileges of newly created user? I need information about this topic.
Nope, no privileges.
select * from dba_sys_privs where grantee='JOHN';
select * from dba_tab_privs where grantee='JOHN';
select * from dba_role_privs where grantee='JOHN';
ammoQ is technically correct.
Given the user created as above does not have CREATE SESSION privilege, it cannot actually log on yet, or do anything else.
It is possible for another user with an appropriate CREATE ANY ... privilege to create objects (such as procedures, functions, triggers) under JOHN's schema/user. If so, then JOHN would automatically have privileges to drop those objects (but without a CREATE SESSION privilege, it would be difficult for them to achieve that).
From a security point of view, Oracle does have a bunch of privileges granted to PUBLIC. Once a user is created they do have a bunch of things they can do (eg select from views such as ALL_USERS).
Here is the scenario. I have a SQL Server 2005 production database/server. It currently has developers and supporters who can connect to it. I need to create a security module that gives developers read-only access to all areas of the database. This means that a developer should be able to view all objects as well as scheduled activities/jobs only.
Is it possible to enable security in this way and if so can I be gently guided on how to achieve this. I am learning to be a DBA and creating snapshots of the databases is not an option.
Thank you all in advance.
There is permission to every object.
Create a stored procedure that grants each group the exact permission you need on the objects you need to protect.
I'm not quite sure I follow where this "security module" will be in the architecture. Anyhow, here's one possibility that secures it from the database end.
I'm going to assume you already have users created.
Create a new role (yourdb > security > roles > new database role), say "ReadOnlyDevelopers". Make the owner dbo or whatever makes sense. Do not select any schemas to be owned by the role. Populate the "Role Members" with your developers.
Next, open the properties page on your database. Go to the permissions page. Click Add... and add the new role. Under the permissions grid at the bottom, Grant SELECT to the role.
Now assuming your developers already belong to some other role, you'll need to go into the user properties and under Database Role Membership restrict them to just the new role. At this point they should be able to just read
I'm guessing that I'm missing a detail or two (the role may need to be granted a few additional rights to "see" the database, alter passwords, etc.) but I can't get to that level of detail without setting up the entire scenario. Hopefully this pushes you in the right direction.