When I am creating a user in RedShift from a superuser account, the user created has full access(select, insert, update, delete, drop, references) to all DBs in the cluster and all schemas on the DBs.
When I am using REVOKE to limit access, the access for the user does not change.
How can I create a user in RedShift with limited access to databases and schemas? Commands from the documentation execute but do not change access level.
Related
I am creating a user that should only have access to the database tables metadata,via INFORMATION_SCHEMA, and not the table data. So no perms to query the tables directly. The role the user will be a member of will have USAGE privileges on INFORMATION_SCHEMA schema. I tested the user with that role and it is only able to see tables within public and no where else.
I did see in Snowflake documentation:
"The output of a view or table function depend on the privileges granted to the user’s current role. When querying an INFORMATION_SCHEMA view or table function, only objects for which the current role has been granted access privileges are returned."
So, I tried to grant to the role MONITOR and USAGE on other schemas; but, that did not work either. Only when I granted a role with read access to all the tables in the schema was it able to see and query from INFORMATION_SCHEMA.TABLES the tables in that schema. This, however, is not what I want as now that user would be able to query data from the tables. I just want to set that user to be able to query and gather the metadata of tables and not allow data access. Is there a way in Snowflake to setup and perform this type of setup?
I believe the only way to do this would be to provide access to the SNOWFLAKE.ACCOUNT_USAGE share on Snowflake, which also has TABLES and would allow this user to query the metadata of all tables and columns in that Snowflake account. There is a lot more information available in that share, but at least the user would not have access to any real data, if that is what you are after.
I need to restore the database from a different environment where different logins are used but I want to keep permission to this database for already existing login on this server.
Now, after restoring my login on the targeted server it lost mapping for this database (and owner role)
I want to restore everything inside the database and same time I don't want to map the database and add owner role to the login.
Is it even possible?
I've tried different ways of restore - deleting before restore, as well as delete but not to close existing connections. The result is the same, I need to map new restored DB again and add the owner role.
Normally database users have to be mapped to instance logins to work, but if you want to make your DB more instance independent and control your database from the inside of it then the solution for you would be a Contained Databases.
From MS BOL:
A contained database is a database that is isolated from other
databases and from the instance of SQL Server that hosts the database.
SQL Server 2017 helps user to isolate their database from the instance
in 4 ways.
Much of the metadata that describes a database is maintained in the database. (In addition to, or instead of, maintaining metadata in the
master database.)
All metadata are defined using the same collation.
User authentication can be performed by the database, reducing the databases dependency on the logins of the instance of SQL Server.
The SQL Server environment (DMV's, XEvents, etc.) reports and can act upon containment information.
I am new to SQL Server database and I am struggling to figure out the access issue for one of the user on a particular view. I don't want to expose any of my base tables.
The scenario is: I have 3 databases, DB one, two and three
Database one has 2 base tables
Database two has one view on top of those tables (tables in database one)
Database three has one view which is on top of the view of database two
Database three is our data warehouse. So, I would like to know if I give select permission on only database three's view, will that suffice?
The catch is I don't want to expose any of my base tables in database one
If I grant select permission to user1 on datawarehouse view (view in database three) and deny all the permissions to the base tables (in database 1), then is it possible?
Thanks
Ownership chaining allows access to data via the view without permissions on the underlying tables as long as all objects are owned by the same security principal. There is no need for an explicit GRANT or DENY on the indirectly used objects with an unbroken ownership chain since permissions are checked only on the directly access view. The object owner is typically inherited from the schema owner.
To allow ownership chaining to extend across multiple database:
The DB_CHAINING database option must be ON for the databases involved.
The user must be able to use the databases (have a user account in each database with CONNECT permissions), although only permissions on directly accessed objects are needed.
In the case of dbo-owned objects, the databases must be owned by the same login (AUTHORIZATION) since the dbo schema owner is the database owner. For other schemas, the schema owner must map to the same login.
DB_CHAINING should be enabled only when you fully trust highly-privileged users (those with permissions to create database objects).
I am transitioning a project from Advantage Database Server to MS SQL server. In Advantage, you can password protect an individual table, which is also encrypted. As such, you cannot open, view, update, etc. the table without the password. I place my project's registration information in this table, so I don't want any user to be able to look at its contents.
I cannot find a similar function in SQL server. Encrypting the data is insufficient. So my question is: is there a way to password protect a table in SQL Server.
In SQL server you can link various access roles to the users. These roles can be applied to tables, views, stored procedures etc. The best thing to do is to create views on the database, and let the users access specific views, rather than giving permissions on all DB objects.
Alternatively, you can deny permissions on a specific table to a user or a role.
Here are two articles on MSDN that will get you started:
GRANT Object Permissions
DENY Object Permissions
I am aware of Oracle. In oracle schema or user is more or less same. When we create a user, schema is created.
Database is something we create when we install oracle.
I am new to Teradata. Are things same in case of Teradata too?
How user, database and schema are related in Teradata?
The full Teradata system is quite similar to a database in Oracle.
A database in Teradata is the same as a schema in Oracle.
A user is almost the same as a database in Teradata ( you can create objects in both), the main difference is the ability to logon to the system.
And there's a hierarchy of users & databases in Teradata, root is user dbc. Users might own databases and databases might own users. A user has the implicit right to manage his children (i.e. GRANT & REVOKE access rights on owned databases & users).
End users are usually a leaf in the hierarchy, no children & no perm space to store tables.
For more details see: About Databases and Users in Teradata