Grant Oracle user Read Only to Specific View - database

I am trying to create a new database user account in Oracle Database 12c Standard Edition that ONLY has access to run a specific view (let's call it "MyApp.MyView").
I created a view as an administrative user under my main application's schema. I created the user (details below) but it seems to have the ability to query any table or view in the app's schema. I ONLY want them to be able to query the specific view I made. Can this be done?
Then, using SQLDeveloper, I right clicked on MyView and granted privileges to MyUser. I can query it as MyUser, but I can also query anything and I don't want that.
-- USER SQL
ALTER USER "MyUser"
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP"
ACCOUNT UNLOCK ;
-- QUOTAS
-- ROLES
ALTER USER "MyUser" DEFAULT ROLE "CONNECT";
-- SYSTEM PRIVILEGES

Below creates a user with the minimum set of privileges needed to query a view/table in another schema. If the user is able to query other tables/views, then they must have been granted elsewhere either through additional grants or roles.
create user MyUser identified by testpassword account unlock;
grant create session to MyUser;
grant read on MyApp.MyView to MyUser;

Related

Hide tables from users upon creation in snowflake

Can we hide tables from users upon creation in Snowflake?
Can we setup an access control rule using wildcards on table names? Ex: revoke access to users if table name like '%ETL_TRANSIT%'?
OR
When creating a table/view, do we have an option to choose "not visible to users"?
You will first have to be using a different role to create the tables than the role that will be viewing the tables. I would recommend reviewing the Role-based Access Controls in the documentation: Role Hierarchy and Privilege Inheritance
I'm going to use SYSADMIN as the role that creates objects, and a create a new role for viewing called VIEWER just as an example. If you have SYSADMIN access you can test this out yourself:
USE ROLE sysadmin;
CREATE OR REPLACE DATABASE demo_db; -- creating a new db just for demo purposes
CREATE OR REPLACE SCHEMA demo_schema;
USE ROLE securityadmin; -- Use the securityadmin or useradmin to create and manage roles
CREATE ROLE viewer;
GRANT ROLE viewer TO ROLE sysadmin;
-- Now go check out the Roles page in Snowsight under Admin --> Users & Roles
-- You should see viewer underneath sysadmin
USE ROLE viewer; -- You will see nothing because you don't have access to anything
USE ROLE securityadmin;
GRANT USAGE ON WAREHOUSE compute_wh TO ROLE viewer; -- viewer needs a WH to access data
GRANT USAGE ON DATABASE demo_db TO ROLE viewer;
GRANT USAGE ON SCHEMA demo_db.demo_schema TO ROLE viewer;
USE ROLE viewer; -- You will see the db and the schema now
-- Follow this for each new table you create:
USE ROLE sysadmin;
CREATE OR REPLACE TABLE demo_db.demo_schema.demo_tbl (col INT);
USE ROLE viewer; -- You will not see the new table
USE ROLE securityadmin;
GRANT SELECT ON demo_db.demo_schema.demo_tbl TO ROLE viewer;
USE ROLE viewer; -- You will now see the new table and be able to query it
Do NOT grant SELECT on FUTURE TABLES or FUTURE VIEWS in a schema though. IF you do that, the Viewer role will automatically see new tables as you create them. You will want to grant SELECT one at a time based on your requirements.
This is an answer to your second requirement. You could build out a Stored Procedure that could GRANT based on a like, but it would be a highly custom option that would need to run on a schedule or triggered manually.
Unless you have future grants in place or a role is inheriting the role used to create the table, most roles do not automatically gain access to tables created by other roles. You would need to explicitly grant them permissions on the new table (and the table's associated schema/database) in order for the table to be "visible" to the role.

How to grant extract DDL in Sybase to specific user?

I have a Sybase database and I've created a user following this video. Now I want to grant only select and get DDL permissions to the user, I've granted select permissions on all the user tables in the database to the user using grant select on tableName to user_ro query. But I'm not able to identify which permission will allow user to get DDL of all the database objects and can only read the data. What are the least privileges or roles that are needed to be granted to the user?
Queries that I ran against the database using SQL Interactive board:
//create login under master
use master
sp_addlogin user_ro, user1234
//verify user is created successfully
select name from syslogins
//add login user to mydatabase
use mydatabase
sp_adduser user_ro
//grant select on all tables one by one
grant select on tableName to user_ro
I'm quite new to Sybase, so please correct me wherever I'm wrong.
There is no specific DDL permission in ASE.
All programs that make DDL just select from system tables the definition of a certain object. So if you have access to some database and sp_help works then you can also create DDL from an object.

Which permission need to grant to access sys.dba_systems

I am working on the application which works on Oracle. For some kind of logic I need to get the list of tables from the given db user with the specified schema. In my case, I have a user which have granted access of the given schema. So when my code creates connection using the given credential and tries to fetch the tables from the following query, its return table list.
SELECT * FROM dba_objects where owner ='schema' and object_type = 'TABLE'
The above query was working with user having grant all privileges
but when I did try with limited permission, it is throwing error msg.
ORA-00942: table or view does not exist
00942. 00000 - "table or view does not exist"
For the secondary user, from which our code is creating connection has granted permissions by following query
create user johnsmith identified by Passw0rd;;
grant connect to johnsmith ;
grant select any table to johnsmith ;
grant UPDATE any table to johnsmith ;
grant DELETE any table to johnsmith ;
grant INSERT any table to johnsmith ;
Which permission should I grant to user to have access on the following system tables...?
dba_objects
user_constraints
user_cons_columns
USER_TABLES
all_tab_cols
and also allow to access dbms_metadata.get_dependent_ddl() method
With the O7_DICTIONARY_ACCESSIBILITY initialisation parameter set to false, which is the default, then:
System privileges that provide access to objects in other schemas do not give other users access to objects in the SYS schema. For example, the SELECT ANY TABLE privilege allows users to access views and tables in other schemas, but does not enable them to select dictionary objects (base tables of dynamic performance views, regular views, packages, and synonyms). You can, however, grant these users explicit object privileges to access objects in the SYS schema.
So you can either grant select privileges on the specific views you need:
grant select on sys.dba_objects to johnsmith;
and the same for other views; or if you need them to have wider access to the SYS schema objects you can give them that with a role:
grant select_catalog_role to johnsmith;
though the principle of least privilege should always apply, so this may be overkill and potentially expose things you don't want that user to be able to see.
You don't need to grant anything for the user to be able to query user_* views. If you meant the DBA equivalents of those - e.g. dba_tables - then grant them as for dba_objects above; or they woudl be included in select_catalog_role. But again, only grant what is actually needed.
Either way, for dbms_metadata you can just grant privileges on that package too (you can't grant privileges on individual procedures in a package):
grant execute on dbms_metadata to johnsmith;
or - again probably much more than actually needed, and potentially much more dangerous that the select role:
grant execute_catalog_role to johnsmith

How to give to a user access to a view but not to the table the view is using?

I've the following view defined into myCustomDatabase:
CREATE VIEW myCustomDatabase.dbo.myView AS
SELECT job_id FROM msdb.dbo.sysjobhistory
myCustomDatabase's owner is sa.
My current user (called currentUser) has only the db_reader role on the myCustomDatabase.
guest is enable on msdb database.
When I execute the view I get the following error:
The SELECT permission was denied on the object 'sysjobhistory', database 'msdb', schema 'dbo'.
I understand that my current user has no role defined on the system database.
Which role/authorization should I give to my current user to allow him to execute the view (which contains only one column of the system's one), but not give to him full access to the table.
To resume the following view should work when called with currentUser:
CREATE VIEW myCustomDatabase.dbo.myView AS
SELECT job_id FROM msdb.dbo.sysjobhistory
, but not the following query:
SELECT * FROM msdb.dbo.sysjobhistory
Edit : viewable tables in MSDB
Edit2 : My SQLServer version is 2008
You don't need to grant permissions on the tables referenced by the view as long as the ownership chain is unbroken. In the case of dbo-owned objects in different databases, this requires that:
both databases have the DB_CHAINING option turned on (on by default
in msdb)
databases have the same owner ('sa' is the default owner of msdb)
the user has a security context in the other database (guest is
enabled by default in msdb)
Consequently, the following script should do the job.
ALTER DATABASE myCustomDatabase SET DB_CHAINING ON;
ALTER AUTHORIZATION ON DATABASE::myCustomDatabase TO sa;
Note that you should enable DB_CHAINING in sa-owned databases only if you trust privileged users with permissions to create dbo-owned objects. This isn't a consideration if only sysadmin role members can create objects anyway. Also, if the old owner is not a sysadmin role member and you need that login to retain dbo permissions, add the old owner as a regular database user and add to the db_owner role.

Minimum permissions for executing ALTER USER WITH LOGIN

In SQL Server 2008, what are the permissions required to run the following command
ALTER USER [John Doe] WITH LOGIN = [John Doe]
I am trying to create an user with minimal permissions and the above command needs to be executed by the user.
Thanks
From the documentation
To change the name of a user requires the ALTER ANY USER permission.
To change the user name, target login, or SID of a user having CONTROL
permission on the database requires the CONTROL permission on the
database.
To change the default schema or language requires ALTER permission on
the user. Users can change only their own default schema or language.
From that, I get that alter permissions on the user are needed generally (which ALTER ANY USER subsumes).

Resources