I have permission to create/drop table but don't have permission to grant table to any role.
So when I create table on server I can't select from it.
Is there anyway to create table and specific grant to any role in one statement?
Grant permission to create tables to a specific user in a specific database not only requires CREATE TABLE permissions but also requires ALTER permissions to the schema.
GRANT ALTER ON Schema :: schema-name TO DATABASENAME
GRANT CREATE TABLE TO DATABASENAME
Related
In snowflake, I have a table "dbtest"."schematest"."testtable" created by role Accountadmin.
Now i want to alter a column in this table using another role roletest;
I have given all access till table leve to roletest
# using accountadmin roles i have granted all the access
use role accountadmin
use warehouse testwarehouse
# granted database level permission to the role
GRANT USAGE ON DATABASE DBTEST TO ROLE ROLETEST;
# granted schema level permission to the rol
GRANT USAGE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT USAGE, CREATE FUNCTION, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW, CREATE EXTERNAL TABLE, CREATE MATERIALIZED VIEW, CREATE TEMPORARY TABLE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
# also at table leve i have granted the permissions
GRANT INSERT, DELETE, REBUILD, REFERENCES, SELECT, TRUNCATE, UPDATE ON TABLE "DBTEST"."SCHEMATEST"."testtable" TO ROLE "ROLETEST";
Now when i try
use role roletest;
use warehouse roletest_wh;
alter table "DBTEST"."SCHEMATEST"."testtable" alter column c1 drop not null;
i get the error
SQL access control error: Insufficient privileges to operate on table 'testtable'
I also tried
GRANT OWNERSHIP ON "DBTEST"."SCHEMATEST"."testtable" TO ROLE roletest;
it gives error
SQL execution error: Dependent grant of privilege 'SELECT' on securable "DBTEST"."SCHEMATEST"."testtable" to role 'SYSADMIN' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html#examples
In a single step, revoke all privileges on the existing tables in the mydb.public schema and transfer ownership of the tables (along with a copy of their current privileges) to the analyst role:
grant ownership on all tables in schema mydb.public to role analyst copy current grants;
Grant ownership on the mydb.public.mytable table to the analyst role along with a copy of all current outbound privileges on the table:
grant ownership on table mydb.public.mytable to role analyst copy current grants;
Only the owner of an object can alter that object.
When changing ownership you need to use one of the revoke/copy grants options
I need to create a user login
who has read access to tables/views
who has create/alter view access
who does not have create/alter table access
Probably the easiest way to do this is to make them a member of the [db_datareader] role, so the can SELECT any data from tables/views.
Then, you will need to create them a new schema to create their views in. Unfortunately, CREATE VIEW and ALTER VIEW also require ALTER SCHEMA permission, which is rather high privilege, and can allow the user to alter tables or even drop them.
So, rather than grant them ALTER SCHEMA on the [dbo] schema (where I assume your tables are), create them their own schema and let them go nuts in there. Also, DENY them alter permission on the [dbo] schema so they cannot inadvertently do bad things...
The code (SQL 2012) is:
-- add Login_Name to the [db_datareader] role
ALTER ROLE [db_datareader] ADD MEMBER [Login_Name];
go
-- Now create them a Schema
create schema [UserViews];
-- Now, grant the user alter table, alter view, create table, create view and alter schema on the schema
GRANT ALTER on SCHEMA::[UserViews] to [Login_Name]
go
-- Deny alter on the dbo schema
DENY ALTER on SCHEMA::[dbo] to [Login_Name]
go
-- Now let them create tables (but only in the UserViews schema)
GRANT CREATE TABLE to [Login_Name]
go
I'd like to set up a security situation where my database user ("ApplicationUser") has permission to create, alter and drop views within a schema.
If I execute the statement
GRANT ALTER ON SCHEMA :: MySchema TO ApplicationUser;
And then connect to the database and execute the statement:
CREATE VIEW [MySchema].[MyView] AS SELECT * FROM SomeTable
I get the error message
CREATE VIEW permission denied in database 'MyDatabase'.
Is it possible to configure security the way I want, or must I grant "ALTER" on the whole database? Or something else?
Thanks for your help!
create schema myschema authorization ApplicationUser
GO
grant create view to ApplicationUser
GO
To do this you need to either change the authorization of the schema, which may have other consequences, or use something like a database DDL trigger.
For an existing schema do:
alter authorization on schema::myschema to ApplicationUser
Like I say, this way should be done with caution. For the other way http://msdn.microsoft.com/en-us/library/ms186406(v=sql.105).aspx
I was able to do this by...
Granting a create view/select permission on the database to a role
Grant alter permissions to that role for the schemas I want to have views
Deny alter permission to that role for the schemas I didn't want to have views
Here was my syntax...
USE [database];
CREATE ROLE [role];
GRANT SELECT TO [role];
GRANT CREATE VIEW TO [role];
GRANT ALTER ON SCHEMA::[schema 1] TO [role];
DENY ALTER ON SCHEMA::[schema 2] TO [role];
--TEST
/*
EXECUTE AS USER = '[user w/role]';
CREATE VIEW [schema 1].test AS (select 'test' as 'test');
DROP VIEW [schema 1].test
CREATE VIEW [schema 2].test AS (SELECT 'test' AS 'test');
DROP VIEW [schema 2].test
REVERT
*/
I'd like to allow some users to create tables in a particular schema, but not be able to create tables in other schemas. How can I achieve this?
I see the CREATE TABLE help says
Requires CREATE TABLE permission in the database and ALTER permission on the schema in which the table is being created.
Does that mean I can give ALTER permission to the schema and restrict ALTER permissions on all other schemas?
In a nutshell, yes.
GRANT CREATE TABLE TO SomeUser
GRANT ALTER ON SCHEMA::AllowedSchema TO SomeUser
DENY ALTER ON SCHEMA::RestrictedSchema TO SomeUser
You can set user to schema owner
I Just need to create table from a user to any user under the same DB.
letz consider 3 Schemas.
Schema_1,Schema_2 and Schema_3.
schema 1 had DBA Privilege.
Is it possible to table in SChema_2 or Schema_3 from Schema_1????
or we need to give this role "CREATE ANY TABLE" also ??
The DBA role should have this privilege in a typical installation - you can see other roles/users who have this by:
select grantee from dba_sys_privs where privilege = 'CREATE ANY TABLE'
As #dpbradly states, Oracle "out of the box" privileges for the DBA role include the 'CREATE ANY TABLE' privilege. You can check this out with the following query (and see all the system privileges granted to this role as well):
SELECT * FROM role_sys_privs WHERE role = 'DBA' ORDER BY PRIVILEGE;
The Oracle data dictionary is your friend.
Ok lets make some things clear
CREATE ANY TABLEis system privilege not role
you can grant any user DBA privileges by simply writing GRANT DBA TO <USER_NAME> WITH ADMIN OPTION;
That being said, schema_1 will be able to create table on any user as he have CREATE ANY TABLE privilege
create table hr.dbaMade_tab
(id number,
name varchar2(20)
);
If you schema_1 grants CREATE ANY TABLE then schema_2 and schema_3 will be able to create table to any table.
Do not grant DBA role to anyone. Make new role and give it necessary privileges and grant that role to other users. In your case schema_2 and schema_3. Hope that helps.