I tried REVOKE ALL ON DATABASE ABC FROM ROLE XYZ under ACCOUNTADMIN and got a success message.
When I switch to role XYZ I still see the ABC database but it appears empty. The database is also still in the list when running show databases under this role.
How do I make it so that this role cannot see the database at all?
By the way, this issue prevents our Mode connection to Snowflake from listing the available tables in the UI.
Create two databases : db1 and db2, for example, using the ACCOUNTADMIN role:
create database db1;
create database db2;
Then create two roles,one for database db1 and another for database db2
create role db1;
create role db2;
Now, grant usage on database db1 to role db1, similarly with role db2.
grant usage on database db1 to role db1;
grant usage on database db2 to role db2;
When you switch to role db2, you wont see db1 database and vice versa.
Also, when you run :
show databases;
say, while you set your role to db1,
you will not see database db2 in the result.
Hope this helps.
In my case, I also had usage monitoring and thus had to do revoke MONITOR USAGE on account from role XYZ. I suspect this is a very corner case not affecting many people. :(
Related
I have a custom role (readwrite) which is granted to the built-in SYSADMIN role.
I have a database CDP_MODELS which has a schema MODELS in it (the owner for which is SYSADMIN).
I have a user WCOX who is a part of the readwrite role.
I need to provide the user WCOX write access to the CDP_MODELS.MODELS DB so that the user can create new tables.
What I have tried so far -
I see that the readwrite role has usage permission on the database as well as the schema.
But when I login as the readwrite role and try to create a table on the MODELS schema in the CDP_MODELS DB, it gives the following error -
SQL access control error: Insufficient privileges to operate on schema
'MODELS'
I have also explicitly tried to run the below queries and then try creating the table, but to no luck.
grant usage on database CDP_MODELS to role READWRITE;
grant usage on schema CDP_MODELS.MODELS to role READWRITE;
grant select,insert on future tables in schema CDP_MODELS.MODELS to role READWRITE;
Is there something which I am missing?
You are missing Create Table privilege on the Schema.
grant create table on schema CDP_MODELS.MODELS to role READWRITE;
I have granted USAGE on the schemas and database.
I have granted select on all tables.
Using that role, I can read data from all tables within any schema.
I then grant the permission to create tables in all schemas within that database
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
Yet, when I issue this command (while using DEVELOPERS role), I get an error
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
What am I missing?
Works fine for me (script below). Going to go with what Lukasz commented and that your schema was created later.
use role accountadmin;
create database TEST1_CONTROL;
create schema PDS;
create role DEVELOPERS;
grant role DEVELOPERS to user <your_username>;
GRANT USAGE ON DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
use role DEVELOPERS;
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
Snowflake does offer future grants if you want a role to have access to any new schemas that would be created in the future.
First, here is an overview of how my Postgres is set up
I have 3 Databases and within each database there is a schema which shares the same name across all 3 databases.
I have written a script to create a role and give it some privileges for the schemas in each database.
This is how I grant the privileges to the role:
\c Database1
GRANT SELECT, UPDATE, INSERT ON ALL TABLES IN SCHEMA "schemaName" TO roleName;
\c Database2
GRANT SELECT, UPDATE, INSERT ON ALL TABLES IN SCHEMA "schemaName" TO roleName;
\c Database3
GRANT SELECT, UPDATE, INSERT ON ALL TABLES IN SCHEMA "schemaName" TO roleName;
Is there a way to explicitly state which database I want to affect within the GRANT statement?
No it is not possible : each database in a instance/cluster is isolated and there is no possibility to reference a database different from the current one (unless you use some extension like dblink or postgres_fdw).
I try to give a user on SQL Server 2016 Express the permission to create tables in his schema, but he can do what he wants. And I don't know why he is unable to do this.
This is the server role:
And this is the Schema role:
This is the database role:
(I only checked "CREATE TABLE")
And this is the user:
So why can the user do INSERT, DELET, UPDATE - Statments and so on? From where did he get the permission?
I hope someone can help me?
If you already have a schema, you can grant CONTROL permissions to the user:
grant control on schema :: testschema to TestUser
You can change ownership of the schema with
alter authorization on schema::testsch to TestUser
Be aware that you can't limit CREATE TABLE permissions to just a schema, so it has to be granted at the database level, but if you don't give the user permissions in the other schemas, they can't create tables in them.
This thread, particularly Rick Byham's answer, is the source of most of this.
In my case the anwser is that a owner of Schema have all permissions to this Schema so he can do INSERT, DELETE, UPDATE Statments and so on.
What is the minimal permission needed on a sql server user/login for it to be able to run entity framework code first database migrations?
I naively would have thought that a user with the roles db_datareader, db_datawriter, Grant Alter on the Schema and Grant Create Table would be permissive enough.
On-Prem: SQL server with AD/sql login
you need the following permissions on the database.
[db_datareader]
[db_datawriter]
[db_ddladmin]
For full control over database use
[db_owner]
Azure Could: Azure SQL with ADD (Edit)
Please add [dbmanager] to master and user database.
Clearly it depends on what your migrations are/(will be) doing. For my use case, I ended up creating a shema, and restricting the user that the migration uses to the permissions below.
GRANT ALTER, INSERT, SELECT, DELETE, UPDATE, REFERENCES ON SCHEMA::schema_name TO migration_user
GRANT CREATE TABLE TO migration_user