The entity "EmailPreferencesAutoBcc" is accessible via Tableau connection to SFDC and the entity is a standard entity for User object.
When accessed via SOQL on the SOAP interface, the following error is thrown:
No such column 'EmailPreferencesAutoBcc' on entity 'User'.
This is the corresponding SOQL I'm using:
select EmailPreferencesAutoBcc from User limit 10
You should check that the user you use for the SOAP call has permission to read this field.
Check Set Field Permissions in Permission Sets and Profiles to find out where to check permissions.
Pipe execution works fine from the user role using snowsql and the GUI, confirming there are no permission issues on the pipe from the given role.
But when calling via the Snowpipe REST API, the error below is encountered while using the same role.
snowflake.ingest.error.IngestResponseError: Http Error: 403, Vender Code: 390403,
Message: Not authorized to manage the specified object. Pipe access permission denied
Any clue on this would be much appreciated.
The user that is used by Snowpipe REST API needs to have the role with specific permissions for the pipe assigned as default_role.
This is how the default role is assigned:
ALTER USER <user> SET DEFAULT_ROLE=<role>;
where <role> is the role used for Snowpipe operations.
This is basically related to how RBAC works:
Every active user session has a “current role,” also referred to as a primary role. When a session is initiated (e.g. a user connects via JDBC/ODBC or logs in to the Snowflake web interface), the current role is determined based on the following criteria:
- If a role was specified as part of the connection and that role is a role that has already been granted to the connecting user, the specified role becomes the current role.
- If no role was specified and a default role has been set for the connecting user, that role becomes the current role.
- If no role was specified and a default role has not been set for the connecting user, the system role PUBLIC is used.
See here for more details
Specifically for Snowpipe REST API usage the following permissions are required to be granted to the role:
See more details here
I am tasked with creating a generic LDAP interface that will query groups and users. We are doing our initial testing against Active Directory, but the thought occurred to me that LDAP is just a way to query a directory database. The actual fields returned by any directory service (AD, Novell, etc) might be different.
For example, if I query a group or user through LDAP, one of the fields I get back is objectGUID, and if I use that value in subsequent requests for an individual object, that field is used to uniquely identify the LDAP record. Other fields returned by AD are cn, distinguishedName, etc.
Would any directory service that provides an LDAP interface use all the same fields? Or are the fields for each dependent upon the service being queried through LDAP?
It entirely depends on the schema that is defined in the LDAP server.
The attributes of certain objectClass could also be different from server to server.
For example: in Novell, the 'groupOfUniqueNames' objectClass has a 'member' attribute to store its children, whereas the same 'groupOfUniqueNames' objectClass has a 'uniqueMember' attribute to store its children in the OpenDJ server.
Moreover, some LDAP servers could use the 'groupOfNames' objectClass instead of 'groupOfUniqueNames' for groups. So it entirely depends on the schema defined for that LDAP server.
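A generic interface therefore has to map each server's schema onto one common shape. The following is an added example, not code from the original thread: it normalizes group entries whose members sit in 'member' or 'uniqueMember', and goes beyond the answer by also normalizing the unique identifier (AD's binary objectGUID versus the textual entryUUID of RFC 4530 servers). The entry layout (attribute name mapped to a list of values), the function names and the sample entries are assumptions.

```python
import uuid

# Member attribute(s) to try per group objectClass. groupOfUniqueNames lists two
# because, as noted above, servers disagree on which attribute holds its members.
MEMBER_ATTRS = {
    "group": ["member"],  # Active Directory's group class (assumption, not from the page)
    "groupofnames": ["member"],
    "groupofuniquenames": ["uniqueMember", "member"],
}

def values(entry, name):
    """Attribute names are case-insensitive in LDAP; always return a list."""
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]

def stable_id(entry):
    """Server-specific unique id as a canonical UUID string, or None."""
    guid = values(entry, "objectGUID")       # AD: 16 raw bytes, mixed-endian
    if guid:
        return str(uuid.UUID(bytes_le=guid[0]))
    entry_uuid = values(entry, "entryUUID")  # RFC 4530 servers: text UUID
    return str(uuid.UUID(entry_uuid[0])) if entry_uuid else None

def normalize_group(entry):
    """Map a group entry from any of the schemas above to one common shape."""
    classes = {c.lower() for c in values(entry, "objectClass")}
    attrs = [a for cls, names in MEMBER_ATTRS.items() if cls in classes for a in names]
    if not attrs:
        raise ValueError("no known group objectClass in %s" % sorted(classes))
    members = []
    for attr in dict.fromkeys(attrs):        # de-duplicate attribute names, keep order
        members += [dn for dn in values(entry, attr) if dn not in members]
    name = (values(entry, "cn") or [None])[0]
    return {"id": stable_id(entry), "name": name, "members": members}

# Constructed sample entries (attribute -> list of values), not real directory data.
AD_GROUP = {"objectClass": ["top", "group"], "cn": ["ops"],
            "objectGUID": [bytes(range(16))],
            "member": ["CN=Ann,OU=Staff,DC=example,DC=com"]}
NOVELL_GROUP = {"objectClass": ["top", "groupOfUniqueNames"], "cn": ["ops"],
                "member": ["cn=ann,o=example"]}
OPENDJ_GROUP = {"objectclass": ["top", "groupOfUniqueNames"], "cn": ["ops"],
                "entryUUID": ["7d1f3a52-0c0e-4a3b-9d5e-2f6b8c1a4e90"],
                "uniqueMember": ["uid=ann,ou=people,dc=example,dc=com"]}

if __name__ == "__main__":
    for g in (AD_GROUP, NOVELL_GROUP, OPENDJ_GROUP):
        print(normalize_group(g))
```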
I googled it and found nothing. Short story: I created a user and granted it access to a table in my Sybase database, but when I try
select * from table1
it didn't work. The error shows: Permission denied: you don't have permission to select from "table1". I tried adding dbname before the table name like this, and it works:
select * from dbname.table1
I suspect that the user's default database is something else, so I want to set dbname as his default database. Does anyone know how to do this?
This has nothing to do with database names (or login policies). Given your comment that "dbname" is actually the user who owns the table, here's what's happening.
When you specify a table name without an owner, the server has to figure out which table you mean. It first looks for a table that you own with that name. If it doesn't find one, it looks for tables owned by any groups that you are a member of. I suspect that one of these groups has a table named "table1" that you do not have permission to select from.
When you specify a table name with an owner, the server knows exactly which table to use. Since you do have permission to select from that table, you get the results you want.
IQ doesn't have default databases/schemas. Instead it uses login policies. Each database has a login policy assigned to it, which can be altered. You can also create custom login policies.
When you create a user account without specifying a login policy, it automatically gets the root login policy.
For more information, check the following SAP Sybase IQ docs:
Intro to IQ: Managing Users and Groups
System Admin Guide V1: Managing User IDs and Permissions
Using a view or procedure is a useful method. That said, to establish a "default" schema in (IQ 15.x) one would use groups. Essentially, one grants group to the schema owner and makes the individual login accounts (or other groups) members of that group. Note that this only gives the user access to the schema--that is, it eliminates the need to preface the object with the schema/owner name (unless there are object name conflicts only resolvable with explicit schema.object naming). This does not include a grant of permissions. None of the implicit table-owner related privileges will inherit. However, as the schema/owner is now also a group, permissions could be granted at that level.
See: http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc00170.1540/doc/html/san1288042708174.html (Managing User ID's and permissions). Be warned: this material generally requires some close reading and experimentation before it becomes useful.
As I understand it, this method is complementary to (functionally replaced by) the new role-based model in IQ 16. However, as I am still feeling my way through IQ 16, there is probably a great deal more to be said, and I am not ready to comment just yet.
My team has a service deployed internally, and part of this service is a list of client accounts stored in a SQL table. SSRS is hosted on another server and we have integration jobs which [will eventually] pull these client accounts (along with additional info) from our 3 production environments to this SSRS database.
Also on this SSRS database, I’m creating a new table that will be a mapping of domain accounts and client accounts. I need this table so I can filter my report based on which client accounts the logged on user is allowed to see.
Pretty simple so far.
The next requirement of this is that I need to restrict access to the report itself. I understand I could normally use a security group to do this, but that would result in two separate locations to manage permissions for one resource and this is what I want to avoid.
The solution I’m looking into is to create a security extension to validate the logged in user against the database, allowing them access to the folder/report if they exist in the table. Once in, I can then use that same table again to filter their results.
What I’m not sure of is 1) if this is the best solution and 2) can I use a security extension for just MY portion of the site. There are many other users and reports on this site that I don’t deal with and don’t want to conflict with those.
Could you fill the DB table automatically from AD? Then you can use the standard windows security, but still only do the administration in Active Directory.
You could set up an internal report parameter, called something like UserID, and set its default value to be the non-queried expression =User!UserID . (This user ID can be selected from the list of globals in the Edit Expression dialog.)
You could then add a cartesian/cross join to your users table in your query, with a selection condition based on your internal report parameter - eg. ...and UserTable.ID = #UserID . This would ensure that no records were returned if an unauthorised user was running the report.
Note that the User!UserID field will only return the user for interactively-run reports - in scheduled reports, this will be the account for the scheduling service.
Can't you restrict access to the report by using a security group (either in its own folder or with report-level permissions)? Use Windows authentication in your datasource connection and filter your report, retrieving your username using the SQL function ORIGINAL_LOGIN.
Using Shiro we have a great security framework embedded in our enterprise application running on GF. You define users, roles, permissions and we can control at any fine-grain level if a user can access the application, a certain page or even click a specific button.
Is there a recipe or pattern, that allows on top of that, to restrict a user from seeing certain data ?
Sample: You have a customer table for 3 factories (part of one company). An admin user can see all customer records, but the user at the local factory must not see any customer data of other factories (for whatever reason).
The security feature should be part of the role definition.
Thanks for any input and ideas
Add one or more security tables to your application that contain UserID and a foreign key to the Primary Key of the table containing the resource to be securitized.
Create records in the new table for each User/Resource combination that you want to grant access.
Then, when the resource is requested from the database, just join the security table to the resource table using the Resource keys, and filter on the UserID of the security table for the user that is currently logged in. This will trim the output, removing any records for which the user does not have access.
It is relatively straightforward to create forms that allow you to set up the new records in the security table granting users access to resources.
NOTE: In the specific case that you mentioned, you just need a field in the User database that holds the value of the Primary Key in the customer database for which the user has access.
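The security-table join described in this answer, which is the same mapping-table filter suggested in the SSRS thread above, shown as an added example that is not part of the original posts. It uses SQLite in memory so it runs anywhere; the table names, column names, user IDs and rows are constructed, and grants are recorded per factory to match the question's sample.

```python
import sqlite3

def build_db():
    """In-memory schema: customers per factory plus the security table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, factory_id INTEGER, name TEXT);
        CREATE TABLE factory_access (            -- the "security table"
            user_id    TEXT    NOT NULL,
            factory_id INTEGER NOT NULL,
            PRIMARY KEY (user_id, factory_id)    -- one grant per pair, so the join
        );                                       -- can never duplicate customer rows
        INSERT INTO customer VALUES (1, 1, 'Acme'), (2, 2, 'Borealis'), (3, 3, 'Cobalt');
        INSERT INTO factory_access VALUES
            ('admin', 1), ('admin', 2), ('admin', 3),
            ('factory2_clerk', 2);
    """)
    return db

def customers_for(db, user_id):
    """Return only the customer rows the user holds a grant for.

    user_id must come from the authenticated session (for example the Shiro
    subject's principal), never from a request parameter. It is bound as a
    query parameter, and a user with no grants gets an empty result.
    """
    rows = db.execute(
        """SELECT c.id, c.name
             FROM customer AS c
             JOIN factory_access AS a ON a.factory_id = c.factory_id
            WHERE a.user_id = ?
            ORDER BY c.id""",
        (user_id,),
    )
    return rows.fetchall()

if __name__ == "__main__":
    db = build_db()
    for user in ("admin", "factory2_clerk", "unknown_user"):
        print(user, customers_for(db, user))
```

Because the filter is an inner join, a missing grant removes the row rather than exposing it, so the query fails closed when the security table is incomplete.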