I have a table in an Azure SQL Database with access to the table granted through Azure AD groups.
One of the columns is a ‘category level’.
Each AD group has a category level and each group should only be able to read rows at their category level OR below.
E.g. AD group ‘group 3’ should only be able to select rows with a category level of 3, 2 or 1; AD group ‘group 6’ will select rows with category level 6, 5, 4, 3, 2 or 1.
I am wondering if there is a way to apply row level security that will allow this scenario?
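One way to build this with row-level security, as an added example that is not part of the question or any answer: a small lookup table maps each AD group to the highest category level it may see, an inline table-valued predicate uses IS_MEMBER() to find the caller's highest level, and a security policy attaches that predicate to the data table. It assumes the Azure AD groups have been created in the database as contained users (FROM EXTERNAL PROVIDER) under the same names as the AD groups, and the table and column names (dbo.Documents, CategoryLevel) are assumptions.

```sql
-- Added example (not from the question). Assumes the Azure AD groups exist in
-- the database as external-provider users named exactly like the AD groups, so
-- IS_MEMBER() can test membership. Table/column names are placeholders.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Documents (
    DocumentId    int IDENTITY PRIMARY KEY,
    Title         nvarchar(200) NOT NULL,
    CategoryLevel int NOT NULL CHECK (CategoryLevel BETWEEN 1 AND 6)
);
-- One row per AD group: the highest category level that group may read.
-- Only administrators should be able to write this table, since editing it
-- raises or lowers what a whole group can see.
CREATE TABLE dbo.GroupCategoryLevel (
    GroupName     sysname NOT NULL PRIMARY KEY,
    CategoryLevel int     NOT NULL
);
INSERT INTO dbo.GroupCategoryLevel (GroupName, CategoryLevel)
VALUES (N'group 3', 3), (N'group 6', 6);
GO
-- Predicate: a row is visible when its level is at or below the caller's
-- highest group level. A caller in none of the listed groups gets MAX() = NULL,
-- the comparison is unknown, and the function returns no row (row hidden).
CREATE FUNCTION Security.fn_CategoryLevelPredicate (@CategoryLevel int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE @CategoryLevel <= (
        SELECT MAX(g.CategoryLevel)
        FROM dbo.GroupCategoryLevel AS g
        WHERE IS_MEMBER(g.GroupName) = 1
    );
GO
-- FILTER hides rows on SELECT/UPDATE/DELETE; the BLOCK predicates stop a group
-- from inserting or moving rows into a level it is not allowed to read.
CREATE SECURITY POLICY Security.CategoryLevelPolicy
    ADD FILTER PREDICATE Security.fn_CategoryLevelPredicate(CategoryLevel) ON dbo.Documents,
    ADD BLOCK  PREDICATE Security.fn_CategoryLevelPredicate(CategoryLevel) ON dbo.Documents AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_CategoryLevelPredicate(CategoryLevel) ON dbo.Documents AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO
```

A user who is in several groups gets the highest level of any of them, which is what "at their level or below" implies. Two caveats: the filter applies to ordinary SELECTs only, so principals with db_owner or ALTER ANY SECURITY POLICY can still read everything, and a predicate that runs a subquery per row is cheap only while dbo.GroupCategoryLevel stays small.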
Our Security group is asking for us to have Snowflake audit records ingested into our on prem SIEM by the end of the quarter. I've found the information_schema.login_history records but I'm struggling to find anything else that the SIEM might want (privilege usage, etc). Any tips on relevant views or functions would be appreciated.
Some tables can be used to understand query and login attempts by Snowflake users along with various dimensions. For details take a look at:
https://docs.snowflake.net/manuals/sql-reference/functions/login_history.html
https://docs.snowflake.net/manuals/sql-reference/functions/query_history.html
Here are some of the SNOWFLAKE ACCOUNT_USAGE schema queries that may come in handy.
Access_History and Query_History will help to find out who is accessing the Snowflake DB and how; Query History will show the queries executed, role, warehouse, start time, end time, etc.
Also try logging in to Snowsight to get the full lineage of a specific role.
--TO FIND THE ACTIVE USERS IN THE ACCOUNT--
SELECT FIRST_NAME,LAST_NAME,DISPLAY_NAME from "SNOWFLAKE"."ACCOUNT_USAGE"."USERS"
WHERE DELETED_ON IS NULL GROUP BY FIRST_NAME,LAST_NAME,DISPLAY_NAME
ORDER BY FIRST_NAME DESC;
--TO FIND THE ACTIVE USERS AND ROLES IN THE ACCOUNT--
SELECT ROLE,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_USERS"
WHERE DELETED_ON IS NULL
GROUP BY ROLE,GRANTEE_NAME,GRANTED_BY
ORDER BY GRANTEE_NAME DESC;
--TO FIND THE ACTIVE GRANTS ON ROLES TO OBJECTS--
SELECT PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY FROM "SNOWFLAKE"."ACCOUNT_USAGE"."GRANTS_TO_ROLES"
WHERE DELETED_ON IS NULL
GROUP BY PRIVILEGE,TABLE_CATALOG,GRANTEE_NAME,GRANTED_BY
ORDER BY TABLE_CATALOG;
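The queries above list who exists and what they hold; what a SIEM usually wants on top of that is the event stream. As an added example, not from the answer above, here are three constructed queries over the standard SNOWFLAKE.ACCOUNT_USAGE views that cover failed logins, privilege changes and reads of a sensitive table. They assume a role with IMPORTED PRIVILEGES on the SNOWFLAKE database; the table name in the last query is a placeholder, and the list of QUERY_TYPE values is the set I expect to see, so check it against SELECT DISTINCT query_type in your own account.

```sql
-- Added example, not from the answer above. Standard ACCOUNT_USAGE views;
-- the object name in query 3 is a placeholder.

-- 1. Failed logins in the last 24 hours grouped by user and source IP:
--    the basic password-guessing / credential-stuffing signal.
SELECT user_name,
       client_ip,
       error_code,
       error_message,
       COUNT(*)             AS failures,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'NO'
  AND event_timestamp >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
GROUP BY 1, 2, 3, 4
ORDER BY failures DESC;

-- 2. Privilege and identity changes pulled from QUERY_HISTORY by query type,
--    so the SIEM can alert on GRANT/REVOKE or user/role DDL outside a change window.
SELECT start_time, user_name, role_name, query_type, execution_status, query_text
FROM snowflake.account_usage.query_history
WHERE query_type IN ('GRANT', 'REVOKE', 'CREATE_USER', 'ALTER_USER', 'DROP_USER',
                     'CREATE_ROLE', 'DROP_ROLE', 'ALTER_ACCOUNT')   -- expected values; verify
  AND start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
ORDER BY start_time;

-- 3. Who read a sensitive table and which columns, from ACCESS_HISTORY.
--    DIRECT_OBJECTS_ACCESSED is an array of objects, each with a columns array,
--    so FLATTEN once per object and once per column.
SELECT ah.query_start_time,
       ah.user_name,
       obj.value:objectName::string AS object_name,
       col.value:columnName::string AS column_name
FROM snowflake.account_usage.access_history AS ah,
     LATERAL FLATTEN(input => ah.direct_objects_accessed) AS obj,
     LATERAL FLATTEN(input => obj.value:columns)          AS col
WHERE obj.value:objectName::string = 'MYDB.PII.CUSTOMERS'   -- placeholder
  AND ah.query_start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY ah.query_start_time;
```

ACCOUNT_USAGE views are populated with a delay of up to a few hours, so a collector that polls them should overlap its time windows and deduplicate on QUERY_ID / EVENT_ID rather than assume a clean cut-off. ACCESS_HISTORY is only available on Enterprise edition and above.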
SQL Query to get total number of tables available in Snowflake account(including all DB and schemas)
You can query account_usage.tables or information_schema.tables views to find the total number of tables:
select count(*) from information_schema.tables;
https://docs.snowflake.com/en/sql-reference/info-schema/tables.html
select count(*) from snowflake.account_usage.tables;
https://docs.snowflake.com/en/sql-reference/account-usage/tables.html
There are three ways:
You can query the view INFORMATION_SCHEMA.TABLES to find all tables of your current database. So: You have to write a SELECT COUNT(*) FROM [database].INFORMATION_SCHEMA.TABLES for each of your databases, do a UNION ALL afterwards and SUM() your results per database to get the whole number of tables in all databases.
You can query the view ACCOUNT_USAGE.TABLES to find all tables and views of your account. One row represents one table. As ACCOUNT_USAGE.TABLES also contains views, you have to add a WHERE clause for the attribute TABLE_TYPE. Here you also have to keep in mind that you may have a latency of 90 minutes.
Run SHOW TABLES IN ACCOUNT; to see all tables
More info about INFORMATION_SCHEMA.TABLES: https://docs.snowflake.com/en/sql-reference/info-schema/tables.html
More info about ACCOUNT_USAGE.TABLES: https://docs.snowflake.com/en/sql-reference/account-usage/tables.html
More info about SHOW TABLES: https://docs.snowflake.com/en/sql-reference/sql/show-tables.html
Note: For all three ways you can only see objects for which your current role has access privileges.
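The two queries below are an added example, not part of the answers above. The first counts base tables per database from ACCOUNT_USAGE.TABLES and adds the filter the answer alludes to, plus one it does not mention: the view keeps rows for dropped tables with DELETED populated, so a raw COUNT(*) over-counts. The second is the per-database INFORMATION_SCHEMA route with UNION ALL and SUM; the database names mydb_a and mydb_b are placeholders.

```sql
-- Added example, not from the answers above.
-- Base tables per database, excluding views and dropped tables. Subject to the
-- ACCOUNT_USAGE latency mentioned in the answer.
SELECT table_catalog AS database_name,
       COUNT(*)      AS base_tables
FROM snowflake.account_usage.tables
WHERE table_type = 'BASE TABLE'
  AND deleted IS NULL
GROUP BY table_catalog
ORDER BY base_tables DESC;

-- Same total through INFORMATION_SCHEMA, which is per database and has no
-- latency: one SELECT per database (placeholder names), UNION ALL, then SUM.
SELECT SUM(n) AS total_base_tables
FROM (
    SELECT COUNT(*) AS n FROM mydb_a.information_schema.tables WHERE table_type = 'BASE TABLE'
    UNION ALL
    SELECT COUNT(*) AS n FROM mydb_b.information_schema.tables WHERE table_type = 'BASE TABLE'
);
```

Both results depend on the current role's privileges, as the note above says, so run them under a role that has at least USAGE on every database you want counted.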
SQL Server 2008, 2012, 2014 Column level security - is it possible to DENY SELECTs on a column, but, have it available for use in the WHERE clause on that table?
I don't want to allow a specific role to read all email addresses, in the "EmailAddress" column, but, I do want that role to check if a particular email address exists.
i.e. I don't want:
SELECT EmailAddress FROM MyTable
But, I do want:
SELECT MyTableID FROM MyTable WHERE EmailAddress = 'someone#test.com'
You cannot do that. It has to be open to selects in order for the column to be used in a where clause.
This is not exactly what you're after, but maybe it can be of use to you.
Column Level Permissions
My suggestion is to create one View. In that view only give selected columns.
Create View Vw_MyTable
As
Select MyId From MyTable
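The view handles the first half (stop the role reading the column); the second half, letting the role test a specific address without reading the column, is usually done with a procedure that shares an owner with the table. The following is an added example, not from either answer: the role name LookupRole and procedure name dbo.EmailAddressExists are assumptions, and the table and columns are those from the question.

```sql
-- Added example, not from the answers above. Role and procedure names are assumed.
-- Column-level DENY stops LookupRole from reading EmailAddress directly
-- (SELECT EmailAddress FROM dbo.MyTable fails for its members, while
--  SELECT MyTableID FROM dbo.MyTable still works).
DENY SELECT (EmailAddress) ON dbo.MyTable TO LookupRole;
GO
-- A procedure owned by dbo, the same owner as the table, performs the lookup on
-- the role's behalf. Because the ownership chain is unbroken, permissions on
-- dbo.MyTable are not re-checked inside the procedure, so the DENY does not
-- apply here. The procedure takes the address as input and returns only the
-- matching ID, never the address column itself.
CREATE PROCEDURE dbo.EmailAddressExists
    @EmailAddress nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT MyTableID
    FROM dbo.MyTable
    WHERE EmailAddress = @EmailAddress;   -- exact match only; no LIKE, no wildcards
END;
GO
GRANT EXECUTE ON dbo.EmailAddressExists TO LookupRole;
GO
-- Usage as a member of LookupRole:
EXEC dbo.EmailAddressExists @EmailAddress = N'someone@test.com';
```

Keep the comparison an exact equality: a LIKE or a pattern parameter would turn the procedure into a way of reading the column one character at a time. Even the exact-match version confirms whether an address exists, which is the behaviour the question asks for, so it is worth logging calls or limiting the role that holds EXECUTE.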
Good day. I am trying to create a view in MS SQL that retrieves user data from MS Dynamics CRM. I just need to extract the name of the employee and correlate it with the identifier of one particular group. But the problem is that I cannot find a relation with the security roles. Please give an example.
The table you are looking for is SystemUserRoles
select systemuser.firstname, systemuser.lastname, role.name, role.*
from systemuser
join SystemUserRoles on systemuser.systemuserid = systemuserroles.SystemUserId
join [role] on systemuserroles.roleid = [role].roleid
I would like to implement a database containing hierarchical ACL data.
My tables
USERS: idUser,username,...
GROUPS: idGroups,name...
GROUPSENTITIES: idGroup, idChild, childType (1 for users, 2 from groups)
ROLES : idRole,name...
ROLESENTITIES: idRole, IsDeny, idChild, childType (1 for users, 2 from groups)
Every user can belong to 0 or more groups
Every group can belong to 0 or more groups
Every user and every group can belong to 0 or more roles and roles can be allowed or denied
If an explicit deny is found, role is denied
How can I store this kind of data? Is my design correct?
Is it possible retrieve a list of users with all allowed roles?
Can you please write me a query (T-SQL based) to extract this information from the db?
thanks in advance
You can write the tables as you would expect. For instance, to get all the users in a group, when there are hierarchical groups, you would use a recursive CTE. Assume the group table is set up as:
create table groups (
groupid int,
member_userId int,
member_groupid int,
check (member_userId is NULL or member_groupid is null)
);
with usergroups as (
    -- anchor: users placed directly in a group
    select groupid, member_userid, 1 as level
    from groups
    where member_userid is not null
    union all
    -- recursive step: a user in group C is also in every group P that lists C as a member group
    select g.groupid, ug.member_userid, ug.level + 1
    from usergroups ug
    join groups g
      on g.member_groupid = ug.groupid
)
select *
from usergroups;
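The answer covers group expansion; the other two questions (storing allow/deny on roles, and listing each user's effective roles with deny winning) can be handled in the same query. The following is an added example, not from the answer, written against the table names in the question (USERS, GROUPS, GROUPSENTITIES, ROLES, ROLESENTITIES) with constructed sample data: alice is in admins, which is inside staff; bob is in contractors, also inside staff; staff is allowed read and write, contractors are explicitly denied write, and bob has a direct allow on write. The expected result is that alice gets read and write while bob gets read only, because the deny on contractors outranks his direct allow.

```sql
-- Added example, not from the answer above. Uses the question's table names with
-- constructed sample data; childType 1 = user, 2 = group.
CREATE TABLE USERS          (idUser int PRIMARY KEY, username nvarchar(50));
CREATE TABLE GROUPS         (idGroup int PRIMARY KEY, name nvarchar(50));
CREATE TABLE GROUPSENTITIES (idGroup int, idChild int, childType tinyint);
CREATE TABLE ROLES          (idRole int PRIMARY KEY, name nvarchar(50));
CREATE TABLE ROLESENTITIES  (idRole int, IsDeny bit, idChild int, childType tinyint);

INSERT INTO USERS  VALUES (1, N'alice'), (2, N'bob');
INSERT INTO GROUPS VALUES (10, N'staff'), (20, N'admins'), (30, N'contractors');
-- alice -> admins -> staff ; bob -> contractors -> staff
INSERT INTO GROUPSENTITIES VALUES (20, 1, 1), (10, 20, 2), (30, 2, 1), (10, 30, 2);
INSERT INTO ROLES  VALUES (100, N'read'), (200, N'write');
-- staff: allow read, allow write; contractors: deny write; bob directly: allow write
INSERT INTO ROLESENTITIES VALUES (100, 0, 10, 2), (200, 0, 10, 2), (200, 1, 30, 2), (200, 0, 2, 1);

WITH membership AS (
    -- depth 0: the user itself, so roles granted directly to users are included
    SELECT idUser, idUser AS idChild, CAST(1 AS tinyint) AS childType, 0 AS depth
    FROM USERS
    UNION ALL
    -- climb one level: the group that contains the current principal
    SELECT m.idUser, ge.idGroup, CAST(2 AS tinyint), m.depth + 1
    FROM membership m
    JOIN GROUPSENTITIES ge
      ON ge.idChild = m.idChild AND ge.childType = m.childType
),
effective AS (
    -- one row per (user, role); anyDeny = 1 if any principal on any path is denied
    SELECT m.idUser, re.idRole, MAX(CAST(re.IsDeny AS int)) AS anyDeny
    FROM membership m
    JOIN ROLESENTITIES re
      ON re.idChild = m.idChild AND re.childType = m.childType
    GROUP BY m.idUser, re.idRole
)
SELECT u.username, r.name AS role_name
FROM effective e
JOIN USERS u ON u.idUser = e.idUser
JOIN ROLES r ON r.idRole = e.idRole
WHERE e.anyDeny = 0          -- explicit deny anywhere in the hierarchy wins
ORDER BY u.username, r.name
OPTION (MAXRECURSION 100);
```

The design in the question works as long as GROUPSENTITIES stays acyclic; a group that is (transitively) a member of itself makes the recursive CTE run until MAXRECURSION aborts the query, so either reject such inserts with a trigger or constraint check, or add a path column to the CTE and stop when a group reappears in its own path.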