Query Postgresql admin privileges - database

For example I give CREATE priviliges on Postgresql database to Public
postgres=# GRANT CREATE
postgres-# ON DATABASE postgres
postgres-# TO public ;
GRANT
Or I can give such admin privileges at Postgresql database to any roles or any users
My questions is ; How can I query which users or roles have any admin priviliges
for Postgresql database security control
Thanks in advance
Anil Akduygu

The problem is that admin access is a pretty vague term. Admin access for what?
pg_database.datacl stores the permissions for a database
pg_class.relacl stores the permissions for a relation
Similar fields exist in many other system atalogs
On top of this you want to look at ownership and user implications so pg_roles is important.

Related

What are the minimal role attributes required for odoo day-to-day use?

Most tutorials to setup odoo ERP create a superuser role for the web app user, which is odoo everywhere too, except in the documentation where it is said:
For the database management screen to be completely non-functional, the PostgreSQL
user needs to be created with no-createdb and the database must be owned by a
different PostgreSQL user.
Warning: the PostgreSQL user must not be a superuser
But I don't manage to find what are the minimal roles required in order to fulfil the minimum rights principle for day-to-day role, so excluding administration (updating, adding modules).
Any tutorial that recommends using a superuser is untrustworthy.
To create a role odoo that can create anything it wants in database mydb, you could connect to mydb and run:
/*
* It would be better to create the role without password
* and set it in a more secure fashion later.
*/
CREATE ROLE odoo LOGIN PASSWORD 'whatever';
GRANT CREATE ON DATABASE mydb TO odoo;
CREATE SCHEMA myapp AUTHORIZATION odoo;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER DATABASE mydb SET search_path = myapp, public;
The creation of a separate schema for your application objects is not absolutely necessary, but a good idea in my opinion.

How to create snowflake security admin role and at same time restrict the permission only on one database

Environment: snowflake database.
i am trying to find a way to create a role which have security admin permission but should limit the permission only to specific database. is this doable or not? if so, anyone can help me on this? thanks so much.
Thanks, Alex
SECURITYADMIN is a role created by default in Snowflake and a lot of his permissions are not database-related (for example role and user management). Indeed most of the database-related grants belongs to SYSADMIN role.
So if you want to create a custom role having limited permissions on a specific database. You should list the permission which are database related and grant this permissions to the custom role.
For example if you want to give all privileges to a role on a specific database you can use :
GRANT ALL PRIVILEGES ON DATABASE my_db TO ROLE my_custom_role;
Roles are account-level, not db-level objects. So I am guessing you are trying actually to do the same role mgmt that SECURITYADMIN does, but at db-level. In that case:
use role SECURITYADMIN;
create role SECURITYADMIN_DB1;
grant create user, create role to SECURITYADMIN_DB1;
After that create Access Roles for your db:
https://docs.snowflake.com/en/user-guide/security-access-control-considerations.html#aligning-object-access-with-business-functions
Then assign all access roles to the custom SECURITYADMIN_DB1 role, so your role will manage that particular db only.

Azure SQL database - application user setup

I am using Azure SQL database with sharding (single tenant approach). So, when the application connects to DB it goes into Shard and creates a proper connection to the tenant's DB (tenant is identified by login name).
However, we've been using a server admin credentials for that on a development stage.
Now, I'd like to create a separate application user with much more limited permissions compared to server admin.
In a very general case, what I want is to have a user that can connect to the Shard Map and figure out a connection string to any of the Shards, but have different permissions for each of the shards. For example, some application user may need to be able to connect to DB_1 with full read-write permissions, to DB_2 with read-only permissions and no permissions to connect to DB_3.
In a simpler case I just need a user that doesn't have any update permissions to ShardMap and other internal databases, but has a normal read/write/execute access to all tenant databases(shards).
I was googling around and din't find any good recipe how to do that, what are the best practices, etc.
I'd appreciate if someone could answer me or point to a docs.
Thank yuo!
In each database create a role for the Application Users, and grant the minimal permissions needed for the application to run. Granting permissions on the Schema level is a good choice here, as you don't have to manage object-level permissions.
create role ApplicationUsers;
grant select, insert, update, delete, execute on schema::dbo to ApplicationUsers;
Then if you want a single identity to access all the databases, create a login with a password. Then in each Tenant database create a user mapped to that login.
--create a server-level Login
create login AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
--add a user mapped to that login in each database
create user AppUser for login AppUser;
alter role ApplicationUsres add member AppUser;
Or create a user in each database with a different password or a database user mapped to an Azure Active Directory identity.
create user AppUser with Password ='asdfAds01980(*)(*)(#&$)##';
alter role ApplicationUsers add member AppUser;
or
create user [tenant123user#mydomain.onmicrosoft.com] from external provider;
alter role ApplicationUsers add member [tenant123user#mydomain.onmicrosoft.com];

Grant privileges to specific database for the user

I am learning oracle and PL/SQL. I have created a database called "PRACTICE" and created a user called "MITHRA" by connecting as a SYS.
My question is i want to grant privileges to the user "MITHRA" for the specific database "PRACTICE". The user "MITHRA" can able to do all activities like create, drop, alter etc.. only in "PRACTICE" database.
Please suggest me how to do this.
Oracle can only host one database so what you are asking for will essentially grant root privileges to this user, including drop database. This should be avoided on production from obvious reasons.
So in order to grant full access to user mithra:
Connect as sys and run the following command -
Grant dba to mithra;
That should give the user mithra all possible privileges for that database.
You can also use the grant command the grant any distinct privileges.
Just to be sure that we speak in the same terms.
Is the "PRACTICE" database or schema? If it is DATABASE then you should grant DBA, if it is schema then Oracle does not have statements to grant rights to schemas (only system and object priveleges). Reading your question makes me think that you come from MSSQL where you can grant to a specific user gratns to specific database, in Oracle it is a little bit different - to make an analogy - you do not have databases but schemas.

Pervasive SQL GRANT syntax

I've been Googling for half an hour now, and can't seem to find the right place...
How do I add a user and grant that user access to all tables in the database? Found some GRANT snippets, but there is no mentioning of a password, so I assume that can be done on existing users only... But what about adding that user, and password identification?
PS: Not sure if it belongs more here, or on serverfault (neither has this answer already)... So feel free to move it, if it should be on serverfault instead.
It is two command in Pervasive SQL as well.
CREATE USER jsmith WITH PASSWORD password
GRANT SELECT ON * TO jsmith
Full documentation on both are in the SQL Syntax Reference guide on Pervasive's site.
One thing to note, most PSQL databases do not have security enabled by default and do not require a user to login. The CREATE USER and GRANT statements will return an error if you try to run them on a database that does not have security enabled.
It's 2 commands: CREATE USER and GRANT after.
From MySQL 5.0 Reference Manual
Normally, a database administrator
first uses CREATE USER to create an
account, then GRANT to define its
privileges and characteristics. For
example:
CREATE USER 'jeffrey'#'localhost' IDENTIFIED BY 'mypass';
GRANT ALL ON db1.* TO 'jeffrey'#'localhost';
Reference

Resources