Create db_datareader and db_datawriter schemas - sql-server

I deleted the db_datareader and db_datawriter schemas in a database. Can these be added back?
I tried to add them back but I don't understand how to set up these specific ones.

I don't know why you'd need them, but you can drop and recreate these schemas like this:
drop schema db_datareader
drop schema db_datawriter
go
create schema db_datareader authorization db_datareader
go
create schema db_datawriter authorization db_datawriter
go

Related

snowflake: unable to run the alter table because of insufficient permissions

In Snowflake, I have a table "dbtest"."schematest"."testtable" created by role Accountadmin.
Now I want to alter a column in this table using another role, roletest.
I have given all access down to table level to roletest.
-- using the accountadmin role I have granted all the access
use role accountadmin;
use warehouse testwarehouse;
-- granted database-level permission to the role
GRANT USAGE ON DATABASE DBTEST TO ROLE ROLETEST;
-- granted schema-level permission to the role
GRANT USAGE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT USAGE, CREATE FUNCTION, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW, CREATE EXTERNAL TABLE, CREATE MATERIALIZED VIEW, CREATE TEMPORARY TABLE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
-- also at table level I have granted the permissions
GRANT INSERT, DELETE, REBUILD, REFERENCES, SELECT, TRUNCATE, UPDATE ON TABLE "DBTEST"."SCHEMATEST"."testtable" TO ROLE "ROLETEST";
Now when I try
use role roletest;
use warehouse roletest_wh;
alter table "DBTEST"."SCHEMATEST"."testtable" alter column c1 drop not null;
I get the error
SQL access control error: Insufficient privileges to operate on table 'testtable'
I also tried
GRANT OWNERSHIP ON "DBTEST"."SCHEMATEST"."testtable" TO ROLE roletest;
It gives the error
SQL execution error: Dependent grant of privilege 'SELECT' on securable "DBTEST"."SCHEMATEST"."testtable" to role 'SYSADMIN' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html#examples
In a single step, revoke all privileges on the existing tables in the mydb.public schema and transfer ownership of the tables (along with a copy of their current privileges) to the analyst role:
grant ownership on all tables in schema mydb.public to role analyst copy current grants;
Grant ownership on the mydb.public.mytable table to the analyst role along with a copy of all current outbound privileges on the table:
grant ownership on table mydb.public.mytable to role analyst copy current grants;
Only the owner of an object can alter that object.
When changing ownership you need to use one of the revoke/copy grants options.

Does db_ddladmin have reader and writer permission in sql server?

DDLadmin has privileges to alter objects like schemas and permissions. But my question is: does db_ddladmin have permission to read (db_datareader) and write (db_datawriter) in the database?
Are db_datareader and db_datawriter subsets of the DDLadmin role?
For security reasons, the Microsoft SQL Server db_ddladmin role can only ALTER, CREATE and DROP. It cannot SELECT, UPDATE, INSERT, DELETE, MERGE or TRUNCATE.
Demo...
CREATE USER USR_DDL WITHOUT LOGIN;
GO
ALTER ROLE db_ddladmin ADD MEMBER USR_DDL;
GO
EXECUTE AS USER = 'USR_DDL';
SELECT *
FROM anytable;
An error will result!
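The demo above can be turned into an explicit permission check instead of waiting for an error. This is an added example, not part of the original answer; the table dbo.DdlDemo and the user USR_DDL_CHECK are hypothetical names created only for the check and dropped afterwards.

```sql
-- Added example: dbo.DdlDemo and USR_DDL_CHECK are hypothetical names.
CREATE TABLE dbo.DdlDemo (id int NOT NULL);
GO
CREATE USER USR_DDL_CHECK WITHOUT LOGIN;
ALTER ROLE db_ddladmin ADD MEMBER USR_DDL_CHECK;
GO

-- Evaluate permissions as the db_ddladmin-only user.
EXECUTE AS USER = 'USR_DDL_CHECK';

-- One row per permission: 1 = held, 0 = not held on the table.
SELECT p.permission_name,
       HAS_PERMS_BY_NAME('dbo.DdlDemo', 'OBJECT', p.permission_name) AS is_held
FROM (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'), ('ALTER'))
     AS p(permission_name);

-- Everything the impersonated user effectively holds on the same table.
SELECT DISTINCT permission_name
FROM sys.fn_my_permissions('dbo.DdlDemo', 'OBJECT')
ORDER BY permission_name;

-- Return to the original security context before cleaning up.
REVERT;
GO
DROP USER USR_DDL_CHECK;
DROP TABLE dbo.DdlDemo;
GO
```

Always pair EXECUTE AS with REVERT; otherwise the rest of the session keeps running as the impersonated user.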

How to grant all object read access to windows user group

I have almost 20+ databases; each database contains a lot of procedures, triggers, views, etc. I also have a development Windows user group, and I have to give view and execute privileges to the group members, as well as read, write, update and delete privileges on tables. How can I give them all together?
I am using SQL 2012.
At a pure guess, and assuming the AD group already has a user on the database. You'll need to replace the parts in the braces ({}).
USE {Your Database};
GO
--create an executor role
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
GO
--Add AD group to roles.
ALTER ROLE db_datareader ADD MEMBER [{Your Domain}\{The AD Group}];
ALTER ROLE db_datawriter ADD MEMBER [{Your Domain}\{The AD Group}];
ALTER ROLE db_executor ADD MEMBER [{Your Domain}\{The AD Group}];

Can i create table with grant to specific role on SQL Server

I have permission to create/drop tables but don't have permission to grant a table to any role.
So when I create a table on the server I can't select from it.
Is there any way to create a table and grant it to a specific role in one statement?
Granting permission to create tables to a specific user in a specific database requires not only CREATE TABLE permission but also ALTER permission on the schema.
GRANT ALTER ON Schema :: schema-name TO DATABASENAME
GRANT CREATE TABLE TO DATABASENAME

grant permission to all operations with database

How to grant select/update/insert/execute permission to all tables/procedures in database? Create role?
Because I want to have guests (all select permissions to some tables), users (only select, update, insert permissions to tables) and administrators (all permissions to all objects in the database).
Approach 1) Useful when there is a large number of users.
GRANT SELECT, INSERT, DELETE, UPDATE on SCHEMA::SchemaName to Principal --often DBO for Schema
For the Principal, it is FAR preferable to use a role and not a single user. Unless you just have a few users, it usually simplifies your management.
Now, if a utility schema is added, the user has no access to the data, but if a table is added to the SchemaName schema, they automatically have access.
Approach 2) Useful when there are few users.
Add the user to the db_datareader and db_datawriter roles if you need access to all tables in the database. It's short & simple.
USE [DBName]
GO
EXEC sp_addrolemember N'db_datawriter', N'UserName'
GO
EXEC sp_addrolemember N'db_datareader', N'UserName'
Reference : http://social.msdn.microsoft.com/Forums/en/transactsql/thread/1489337c-56c9-4bb8-9875-3a75be7596be
I would create roles. Or specifically one role, because there are already roles for what you describe as "guests" (i.e. the public role) and administrators (i.e. the db_owner role). But let's make it real.
create role [Users];
-- GRANT takes one securable per statement, so each table gets its own grant
grant select on tbl_1 to [public];
grant select on tbl2 to [public];
grant select on tbl3 to [public];
grant select, insert, update, delete to [Users];
exec sp_addrolemember @membername = 'yourdomain\Users', @rolename = 'Users';
exec sp_addrolemember @membername = 'yourdomain\Admins', @rolename = 'db_owner';
--no need to add people to public; everyone's a member by default
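Both the Windows-group answer and the answers above hand out access through role membership and database- or schema-wide grants, so it is worth reviewing what each database ends up with. The following queries are an added example, not code from any of the posts; they use only the standard catalog views and need to be run in each database under review.

```sql
-- Added example: review of role memberships and broad grants in the current database.

-- 1) Who is a member of which database role (fixed roles such as db_datareader,
--    db_datawriter, db_ddladmin, db_owner, and user-defined roles such as db_executor).
SELECT r.name          AS role_name,
       r.is_fixed_role AS is_fixed_role,
       m.name          AS member_name,
       m.type_desc     AS member_type      -- e.g. WINDOWS_GROUP, SQL_USER
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
ORDER BY r.name, m.name;

-- 2) Explicit database-wide (class 0) and schema-wide (class 3) data and
--    execute permissions, which apply to every current and future object in scope.
SELECT pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       pe.state_desc      AS state,         -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
       pe.permission_name AS permission_name,
       pe.class_desc      AS scope,
       CASE pe.class WHEN 3 THEN SCHEMA_NAME(pe.major_id) END AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class IN (0, 3)
  AND pe.permission_name IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE')
ORDER BY pr.name, pe.class_desc, pe.permission_name;
```

Permissions that come with a fixed role do not appear in sys.database_permissions, which is why the membership query and the grant query are both needed.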
