How to mask specific user in SQL Server - sql-server

ALTER TABLE tblExample
ALTER COLUMN xxx ADD MASKED WITH(FUNCTION='default()')
This masks the column for every user except admin.
GRANT/DENY UNMASK TO USERONE
I want to mask for only 1 user. I don't want to mask all users -> drop masks for all users except that specific one
Is there any way to make this happen?

Security-wise this is not a good practice at all... however, if you want all current & future db users to be able to unmask and a single user not to, then you could grant unmask to public and deny it to the "pooruser" (deny supersedes grant):
grant unmask to public;
deny unmask to pooruser;
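The grant/deny pair from the answer, worked through end to end as an added example (not part of the original answer). The table dbo.MaskDemo and the user normaluser are constructed for the demonstration; pooruser is the name used above.

```sql
-- Constructed demo table with one masked column (same mask function as the question).
CREATE TABLE dbo.MaskDemo (
    id  INT IDENTITY PRIMARY KEY,
    xxx VARCHAR(50) MASKED WITH (FUNCTION = 'default()') NOT NULL
);
INSERT INTO dbo.MaskDemo (xxx) VALUES ('constructed-sample-value');

-- Two loginless users so the script runs without creating server logins.
CREATE USER normaluser WITHOUT LOGIN;   -- hypothetical "everyone else"
CREATE USER pooruser   WITHOUT LOGIN;   -- the single user who must stay masked
GRANT SELECT ON dbo.MaskDemo TO normaluser, pooruser;

-- The answer's two statements: every principal inherits UNMASK from public,
-- and the explicit DENY takes precedence for pooruser.
GRANT UNMASK TO public;
DENY  UNMASK TO pooruser;

-- Check 1: read the column as each user.
EXECUTE AS USER = 'normaluser';
SELECT USER_NAME() AS running_as, xxx FROM dbo.MaskDemo;  -- UNMASK via public
REVERT;

EXECUTE AS USER = 'pooruser';
SELECT USER_NAME() AS running_as, xxx FROM dbo.MaskDemo;  -- DENY applies, value is masked
REVERT;

-- Check 2: audit who holds or is denied UNMASK in this database.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'UNMASK';

-- Clean up the constructed objects.
REVOKE UNMASK FROM public;
DROP USER normaluser;
DROP USER pooruser;
DROP TABLE dbo.MaskDemo;
```

The audit query is the check to rerun after any permission change: it should list one GRANT row for public and one DENY row for pooruser. Dynamic data masking changes only what query results display, so it does not replace column permissions for data a user must not be able to infer.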

Related

Snowflake - User Administration - Role to allow user to Set / Update RSA Key

We have a requirement where we have users who have to be allowed to set their RSA Key, so that it will remove the unwanted burden & lead time on the ADMIN.
How do we create a Role (Access level to be provided) which can allow the user to set their own RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2?

Roles Metadata Tables in Snowflake

I need to check the roles and grants given to users, but from the metadata tables.
Basically, I need the metadata table where I can query this using multiple roles, e.g. XXX, YYY, ZZZ. I need this to get the hierarchy of the roles that might have been granted.
I can do show grants OF role XXX - This'll give me all the users/ roles to which this role is granted, but I have to do for one role at a time.
If I do
SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE='XXX'
AND DELETED_ON IS null;
It gives me only the users who have been granted this role, not the roles themselves.
If I check the GRANTS_TO_ROLES table, it gives me the actual privileges given for that role, but not the other roles to which the particular role is granted.
What you can do is use the SHOW syntax rather than select:
show roles in account;
will give you the full list of roles (still coming from metadata). Not sure what exactly you want to do with them further, but in case you actually want to process the results as a query, you can follow it with
select * from table(result_scan(last_query_id()));
and use it to join with other tables, or just copy it into some sort of temporary table and join further from there.
You mentioned the hierarchy - I suspect you want to see which roles are granted to other roles.
Try this:
show grants of role Your_Role
In the table returned you will see that some roles are assigned to other roles and to users, i.e. the granted_to column.
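A single query for several starting roles at once, as an added example that is not part of the original answers. It assumes role-to-role grants are recorded in SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES as USAGE on a ROLE object; XXX, YYY and ZZZ are the placeholder role names from the question.

```sql
WITH RECURSIVE role_edges AS (
    -- One row per "role NAME is granted to GRANTEE_NAME" (assumed encoding, see lead-in).
    SELECT name AS granted_role, granted_to, grantee_name
    FROM snowflake.account_usage.grants_to_roles
    WHERE granted_on = 'ROLE'
      AND privilege  = 'USAGE'
      AND deleted_on IS NULL
),
role_tree (start_role, granted_role, granted_to, grantee_name, depth) AS (
    -- Anchor: direct grantees of each starting role.
    SELECT granted_role, granted_role, granted_to, grantee_name, 1
    FROM role_edges
    WHERE granted_role IN ('XXX', 'YYY', 'ZZZ')
    UNION ALL
    -- Recursive step: climb to the roles that hold the previous grantee.
    SELECT t.start_role, e.granted_role, e.granted_to, e.grantee_name, t.depth + 1
    FROM role_tree AS t
    JOIN role_edges AS e
      ON e.granted_role = t.grantee_name
)
SELECT start_role, granted_role, granted_to, grantee_name, depth
FROM role_tree
UNION ALL
-- Users holding one of the starting roles directly (the question's own query).
SELECT role, role, granted_to, grantee_name, 1
FROM snowflake.account_usage.grants_to_users
WHERE role IN ('XXX', 'YYY', 'ZZZ')
  AND deleted_on IS NULL
ORDER BY start_role, depth, grantee_name;
```

ACCOUNT_USAGE views lag behind live state, so a grant made moments ago shows up in SHOW GRANTS OF ROLE before it appears here.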

Should i use schema restrictions or user restrictions?

Is it possible to grant permissions for a role to only SELECT, INSERT in a database schema, or do I have to do it for every table individually?
USE [database1]
GO
CREATE ROLE role1
GO
-- Schema-level grant: the securable is SCHEMA::name inside the current database
GRANT INSERT, SELECT ON SCHEMA::[schema1] TO role1
GO
P.S. Can I create a role without assigning anybody to that role? Because as I read in
https://msdn.microsoft.com/en-us/library/ms187940.aspx
it says that when you create a role and don't assign anybody, the user with which you created the role will be assigned to it.
The short answer is yes. Create a role with the required DML permissions to a schema, like you've scripted above. Then you will need to assign users to the new role if you want to give them this access. Like this:
ALTER ROLE [role1] ADD MEMBER [user1]
GO
I think you might be getting this confused with ownership chaining. I don't think you want to do this.

SQL Server - Are permissions on tables required?

My question again to be more specific:
How can I modify data through a view and don't have to grant SELECT-Permissions on the table?
I am designing and developing a new database at the company I am working for.
The business rules say that users are allowed to access specific rows in tables only.
So I use views to check the permissions of the user and return only those records the user has access to.
So far so good.
But I also have to check the permissions on INSERT, UPDATE and DELETE with INSTEAD OF triggers, because the rows a user can SELECT may not be those he can modify.
My problem is:
When I have a view and grant SELECT, INSERT, UPDATE and DELETE permissions, it doesn't work. When I insert into this view, SQL Server wants INSERT permission on the base table. That wouldn't be a problem. But when I update or delete rows through the view, SQL Server wants SELECT and UPDATE/DELETE permissions granted on the base table.
I don't want to give SELECT-rights on the table.
Thanks
Chris
I'm thinking of:
1/ Restricting the VIEW rows by adding a condition like this to its definition:
WHERE UserName = SUSER_SNAME()
or
WHERE UserName = CURRENT_USER
or
2/ Using INSTEAD OF triggers on the involved view.
P.S. Indeed, CREATE VIEW WITH EXECUTE is not allowed. Thank you for your messages.
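Options 1 and 2 above combined, as an added example that is not part of the original answer. It assumes the table, view and trigger share one owner (here dbo), in which case ownership chaining skips the permission check on the base table; dbo.Notes, dbo.MyNotes and the user alice are constructed names.

```sql
CREATE TABLE dbo.Notes (
    NoteId   INT IDENTITY PRIMARY KEY,
    UserName SYSNAME       NOT NULL,
    Body     NVARCHAR(200) NOT NULL
);
INSERT INTO dbo.Notes (UserName, Body)
VALUES (N'alice', N'constructed row for alice'),
       (N'bob',   N'constructed row for bob');
GO
-- Option 1: the view exposes only the caller's rows.
CREATE VIEW dbo.MyNotes AS
    SELECT NoteId, UserName, Body
    FROM dbo.Notes
    WHERE UserName = CURRENT_USER;
GO
-- Option 2: writes go through a trigger that re-checks the row owner.
CREATE TRIGGER dbo.MyNotes_Update ON dbo.MyNotes
INSTEAD OF UPDATE AS
BEGIN
    SET NOCOUNT ON;
    UPDATE n
    SET    n.Body = i.Body
    FROM   dbo.Notes AS n
    JOIN   inserted  AS i ON i.NoteId = n.NoteId
    WHERE  n.UserName = CURRENT_USER;   -- separate rule for modifiable rows
END;
GO
-- Permissions are granted on the view only; nothing is granted on dbo.Notes.
CREATE USER alice WITHOUT LOGIN;
GRANT SELECT, UPDATE ON dbo.MyNotes TO alice;
GO
EXECUTE AS USER = 'alice';
UPDATE dbo.MyNotes SET Body = N'edited through the view';
SELECT NoteId, UserName, Body FROM dbo.MyNotes;
-- Effective permissions as alice: base table versus view.
SELECT HAS_PERMS_BY_NAME('dbo.Notes',   'OBJECT', 'SELECT') AS select_on_table,
       HAS_PERMS_BY_NAME('dbo.MyNotes', 'OBJECT', 'UPDATE') AS update_on_view;
REVERT;
GO
DROP VIEW dbo.MyNotes;
DROP TABLE dbo.Notes;
DROP USER alice;
```

If the view and the table have different owners, the chain is broken and SQL Server checks the caller's permissions on the base table as well.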

How can I check users being edited role?

I have Owner, admin and user roles.
There's only one owner and that's me.
How can I deny admins from editing or deleting me?
Owner has id 1 so if I'm going to check in isAuthorized() if the admin is not the owner I do this: $user['id'] != 1.
Now how I'm going to check if the user being edited or deleted is the owner. I know how to get the user id with this: $this->request->params['pass'][0] but not the user role.
I don't think I'd have "owner" as a Role. It's much easier to allow someone to be a normal Role-type, then keep an owner_id field in the items table.
That way, you can leave Roles deal with the higher-level authorization, and in the individual items action/method, you can check for ownership (often done with a custom isOwner() function to keep your code DRY).
In your PostsController->edit($id) function as an example, you can do a find() on the Post, then compare its owner_id against $this->Auth->user('id') to make sure they can only edit if they're the owner.
If you want to retrieve Role and keep it available, you can do so in the AppController's beforeFilter with a normal find on the roles table based on the role_id field of the Auth->user.
