ORA-01031: insufficient privileges on insert - c

There is a change in the data type of one column, from NUMBER(4) to VARCHAR2(4).
The DBA did the conversion of the existing values.
Now, when we try to insert a record into the table using Pro*C code, it gives the error "ORA-01031: insufficient privileges".
From SQL*Plus we are able to insert the records. After some time the problem disappears. Once the DBA rebuilt the table, the problem disappeared.
This problem occurs every time we refresh the testing environment with new changes.

Run this line:
grant insert on [table] to [user]
Change [table] to your table name and change [user] to your user.

There are some possibilities.
Double check your table privileges by running the following SQL command:
SELECT *
FROM dba_tab_privs tp
WHERE tp.owner = '<YOUR_OWNER>'
AND tp.table_name = '<YOUR_TABLE_NAME>';
In case your privilege is granted through a role, make sure the role is enabled by checking that the GRANTEE above is shown, in the query below, with the attribute "DEFAULT_ROLE" = YES.
SELECT * FROM dba_role_privs rp WHERE rp.grantee = '<USER_RUNNING_THE_INSERT>';
If it's not, and assuming there are no security issues with your DBA and application design, you can enable it by running this:
alter user <YOUR_USER_RUNNING_THE_INSERT> default role all;
Then again, make sure if you're recreating the table, that every time you drop it and create again, you run your grants accordingly.

Related

Snowflake grants to role keeps resetting everyday

I have created a new user 'u' using my 'security_admin' role, and assigned role 'r' (which already has some select/usage permission on a few tables) to the user. Now I want to add more permissions to the role. I have run the statement below:
grant select on all tables in schema db_name.schema_name to role r;
The above statement gives the necessary permission to the user 'u'; I have checked with the show grants to role r statement. However, the granted permission is valid only for one day; the next day the user does not have the permission that was granted using the above statement. It keeps happening for some time. I do not know what the problem is. I do not have any automated SQL script to recreate users & grants daily.
If you could share the actual error message you get, that would be helpful for us to understand where the problem lies. But I suspect that it's just a case of not having access on FUTURE TABLES (tables that have been created after the grants were applied).
These commands should cover you:
use role securityadmin;
grant usage on database db_name to role r;
grant usage on schema db_name.schema_name to role r;
grant select on all tables in schema db_name.schema_name to role r;
grant select on future tables in schema db_name.schema_name to role r;
One plausible scenario is that tables are recreated with CREATE OR REPLACE TABLE command. It could be checked using query history view.
SELECT *
FROM snowflake.account_usage.query_history
WHERE DATABASE_NAME = 'DATABASE_NAME_HERE'
AND QUERY_TEXT ILIKE '%CREATE%OR%REPLACE%TABLE%'
ORDER BY START_TIME DESC;
In such a case the permissions may not be preserved, unless specifying the COPY GRANTS option.
Optional parameters:
COPY GRANTS
Specifies to retain the access privileges from the original table when a new table is created using any of the following CREATE TABLE variants:
CREATE OR REPLACE TABLE
CREATE TABLE … LIKE
CREATE TABLE … CLONE
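The COPY GRANTS behaviour described in the answer above, as an added example that is not part of the original thread. db_name, schema_name and role r come from the question; the table orders, its columns and the orders_staging source are constructed for illustration.

```sql
-- Added example (Snowflake SQL). "orders" and "orders_staging" are constructed names.
-- Run the CREATE statements as the role that owns the table.

-- Before: the replacement is a new object, so privileges granted directly on
-- the old table (including those from GRANT ... ON ALL TABLES) are not retained.
CREATE OR REPLACE TABLE db_name.schema_name.orders (
    id     NUMBER,
    amount NUMBER(10,2)
);

-- After: COPY GRANTS retains the access privileges of the table being replaced.
CREATE OR REPLACE TABLE db_name.schema_name.orders (
    id     NUMBER,
    amount NUMBER(10,2)
) COPY GRANTS;

-- CTAS variant, common in daily reload jobs: COPY GRANTS goes before AS.
CREATE OR REPLACE TABLE db_name.schema_name.orders
    COPY GRANTS
AS
SELECT id, amount
FROM db_name.schema_name.orders_staging;

-- Verify after the next reload instead of waiting for the user to report it.
SHOW GRANTS ON TABLE db_name.schema_name.orders;    -- privileges on this table
SHOW FUTURE GRANTS IN SCHEMA db_name.schema_name;   -- future grants defined on the schema
SHOW GRANTS TO ROLE r;                               -- everything role r currently holds
```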

SQLServer, temporarily disabling row level security

I have implemented row level security in SQLServer in Person table (to meet GDPR requirements) so that a basic user can see only a subset of personal records. The Person table has some data (RFID tag) that must be unique in the system. So my app checks that there is no duplicate RFIDtag.
How to do this check when RLS is on, because the query only sees a subset of rows, but the RFID must be globally unique? What could be the best way to run this query with temporarily disabling RLS?
My first idea is to use a stored function to perform the check. The function, executed as the 'sa' user, could see all rows. Any other (simpler) ideas?
The UNIQUE index is the safest approach, as said in @Jeroen's comment.
Disabling row level security can be needed in other contexts, though. When needed, my suggestion is:
Create an 'admin' user just for this (CREATE USER admin WITHOUT LOGIN;)
Include logic in your validation function to account for this user:
CREATE FUNCTION Security.fn_securitypredicate(@param as VARCHAR(100))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS Result
WHERE
/* Your logic here */
OR
USER_NAME() = 'admin' ;
This way, when you are impersonating the 'admin' user, all records are accessible. For any other user, your row level security logic still applies.
To impersonate the user when running a query:
EXECUTE AS USER = 'admin';
SELECT * FROM MyTable;
REVERT; -- Returns to the original user context
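The UNIQUE index approach that the answer above calls the safest, as an added example that is not part of the original thread. The uniqueness check is enforced by the engine on all rows, whatever the RLS filter predicate hides from the caller. The schema dbo, the PersonId column, the column type and the procedure name are assumptions.

```sql
-- Added example (T-SQL). dbo.Person(PersonId, RFIDtag) is an assumed layout.

-- Filtered so that any number of persons may have no tag at all.
CREATE UNIQUE NONCLUSTERED INDEX UX_Person_RFIDtag
    ON dbo.Person (RFIDtag)
    WHERE RFIDtag IS NOT NULL;
GO

-- Hypothetical procedure: assign a tag and report a duplicate as a return
-- code instead of querying rows the caller is not allowed to see.
CREATE PROCEDURE dbo.usp_AssignRfidTag
    @PersonId INT,
    @RFIDtag  VARCHAR(32)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        UPDATE dbo.Person
        SET RFIDtag = @RFIDtag
        WHERE PersonId = @PersonId;   -- still subject to the caller's RLS predicate
        RETURN 0;                     -- no uniqueness violation
    END TRY
    BEGIN CATCH
        -- 2601: duplicate key row in a unique index
        -- 2627: violation of a UNIQUE or PRIMARY KEY constraint
        IF ERROR_NUMBER() IN (2601, 2627)
            RETURN 1;                 -- tag is already in use somewhere in the table
        THROW;                        -- anything else is a real error
    END CATCH
END;
GO
```

The return code 1 tells the caller that the tag exists on some row, possibly one hidden from them, which is the same fact the application's duplicate check was meant to establish.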

Azure DB - How to give 1 user read-only permission for 1 table

I've been reading many answers but I am too weak at TSQL to filter out what I need.
I created a contained user for 1 DB...
CREATE USER appuser WITH PASSWORD = 'strongpwd';
So I need to allow a user in to read only the contents of 1 table - tableA (there are others in the DB) and do absolutely nothing else in the DB.
I do not want to affect any other users. I just want the user to be able to access the DB via say SSMS, see only tableA (well this is not that important), read it.
There are two ways: one is to directly grant explicit SELECT only on Table 1, and the second is to create a role, grant SELECT to the role and add the user to the role. Typically the second way is the preferred way and can be done as below:
CREATE ROLE [role_name]
GRANT SELECT ON [Table] to [role_name]
EXEC sp_addrolemember '[role_name]', 'appuser'
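The role-based grant from the answer above followed by a check of what appuser can actually do, as an added example that is not part of the original thread. It uses ALTER ROLE ... ADD MEMBER, which Microsoft documents as the replacement for sp_addrolemember; the role name tableA_reader and the dbo schema are assumptions.

```sql
-- Added example (T-SQL, Azure SQL Database). tableA_reader and dbo are assumed names.
CREATE ROLE tableA_reader;
GRANT SELECT ON OBJECT::dbo.tableA TO tableA_reader;
ALTER ROLE tableA_reader ADD MEMBER appuser;

-- Verify from the user's own security context.
EXECUTE AS USER = 'appuser';

-- Object-level permissions on tableA: SELECT is expected, and nothing else
-- unless the public role or another membership grants more.
SELECT permission_name
FROM fn_my_permissions('dbo.tableA', 'OBJECT')
WHERE subentity_name = '';

-- Metadata visibility: only tables the user holds a permission on are listed.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name
FROM sys.tables;

-- Each of these should return 0 for a read-only user.
SELECT HAS_PERMS_BY_NAME('dbo.tableA', 'OBJECT', 'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME('dbo.tableA', 'OBJECT', 'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME('dbo.tableA', 'OBJECT', 'DELETE') AS can_delete;

REVERT;  -- back to the administrator's context

-- Role memberships of appuser: any row other than tableA_reader widens access.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = 'appuser';
```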

Grant Privileges in Oracle 10g

I am new to databases. Here I have logged in the user account:System
I then create a new user raj using the following command
create user raj identified by raj
Then I connected to the user raj using following command
grant connect to raj
Here I am granting privileges on the table client_master to raj
grant all on client_master to raj
Now I want to select the contents of table client_master
select * from raj.client_master
but it is giving an error that such table does not exist.
A quick search on Google and you would find out that the select right is as simple as select.
grant select on client_master to raj;
However, it is not the real problem as when executing this command grant all on client_master to raj the select privilege is already included.
So here are the possibilities why you get this error :
The table does not exist (you need to create it).
It is in another schema, and you did not specify it.
You made a typo when writing client_master.
My guess is that you created the table in sys schema (which is really a bad idea btw) so the problem is the option 2 in the one I listed.
Try
select * from sys.client_master;
Note that if you don't want to always specify the prefix, you can create a synonym.
create synonym raj.client_master for sys.client_master;
Then
select * from client_master;
Would work.
Try running below command -
GRANT EXECUTE ON Find_Value TO smith;
This may help you to resolve your issue.

Triggers in sql server 2008 management studio

I am trying to set up the trigger in a way that when the administrator (not users) makes any changes to the database, all the changed data with the administrator name and time gets saved in the audit table (already created) that has all the possible fields.
I have created triggers on each table for any sort of updates in those tables. The trigger saves the information in audittable. However, I want to restrict this action to administrators only. Like I only want to keep the record of changes made by administrators with their name, time and changes made by them (I have a separate table for administrator names, username, pw and all that).
Can someone please help me with that.
Thanks
To get the user you may use:
server level (login)
select system_user , suser_sname() , suser_sid()
db level (db user)
select session_user , current_user , user , user_name() , user_id()
Then check whether this user is an admin or not in that additional table.
You can try one of these two functions, depending on what you define as "administrator".
SELECT IS_MEMBER('dbo'), IS_SRVROLEMEMBER('sysadmin')
The IS_MEMBER function evaluates the database role and the IS_SRVROLEMEMBER evaluates the server role. So, if you want to know if the user is a database admin, you would use IS_MEMBER. These will work for user-defined roles as well as built-in roles.
UPDATE:
Here's an example of the trigger that would add data to the audit table when a server administrator inserts data to the table.
CREATE TRIGGER trg_InfoUpdates ON tblCustomerInfo
FOR INSERT AS
IF IS_SRVROLEMEMBER('sysadmin') = 1
BEGIN
INSERT INTO tblAuditLog (CustomerID)
SELECT CustomerID
FROM inserted
END
;
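A fuller version of the trigger idea in the answer above, as an added example that is not part of the original thread: it covers INSERT, UPDATE and DELETE and records who made the change and when. The audit columns Action, ChangedBy and ChangedAt are assumptions about tblAuditLog, and CustomerID is assumed to be a key that is never updated.

```sql
-- Added example (T-SQL). Assumed audit layout:
--   tblAuditLog(CustomerID, Action, ChangedBy, ChangedAt)
CREATE TRIGGER trg_CustomerInfo_AdminAudit ON tblCustomerInfo
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- IS_SRVROLEMEMBER returns NULL for an invalid role name; treat that as
    -- "not an administrator" so the trigger exits without logging.
    IF ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0) <> 1
        RETURN;

    INSERT INTO tblAuditLog (CustomerID, Action, ChangedBy, ChangedAt)
    SELECT COALESCE(i.CustomerID, d.CustomerID),
           CASE
               WHEN i.CustomerID IS NOT NULL AND d.CustomerID IS NOT NULL THEN 'UPDATE'
               WHEN i.CustomerID IS NOT NULL THEN 'INSERT'
               ELSE 'DELETE'
           END,
           ORIGINAL_LOGIN(),     -- login that opened the session, even under EXECUTE AS
           SYSUTCDATETIME()      -- time of the change, in UTC
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d
        ON d.CustomerID = i.CustomerID;   -- pairs old and new row images for updates
END;
```

The role check evaluates the current execution context while ORIGINAL_LOGIN() records the session's original login, so an impersonated session is logged under the login that actually connected.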
