What could be [ OBJECT :: ][ schema_name ]. object_name in the
GRANT <permission> [ ,...n ] ON
[ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
TO <database_principal> [ ,...n ]
[ WITH GRANT OPTION ]
[ AS <database_principal> ]
Could it be a table or view?
OBJECT here refers to any of the things that exist in sys.objects. From the documentation for sys.objects, that could be any of
AGGREGATE_FUNCTION
CHECK_CONSTRAINT
CLR_SCALAR_FUNCTION
CLR_STORED_PROCEDURE
CLR_TABLE_VALUED_FUNCTION
CLR_TRIGGER
DEFAULT_CONSTRAINT
EXTENDED_STORED_PROCEDURE
FOREIGN_KEY_CONSTRAINT
INTERNAL_TABLE
PLAN_GUIDE
PRIMARY_KEY_CONSTRAINT
REPLICATION_FILTER_PROCEDURE
RULE
SEQUENCE_OBJECT
SERVICE_QUEUE
SQL_INLINE_TABLE_VALUED_FUNCTION
SQL_SCALAR_FUNCTION
SQL_STORED_PROCEDURE
SQL_TABLE_VALUED_FUNCTION
SQL_TRIGGER
SYNONYM
SYSTEM_TABLE
TABLE_TYPE
UNIQUE_CONSTRAINT
USER_TABLE
VIEW
Mind you, not every permission makes sense for every type of object. For instance, you can't grant execute permission to a table. Indeed, not every object type can be the target of a grant (primary keys, for instance). The documentation for grant has a nice list near the bottom of each type of securable and link to a documentation page for what permissions can be granted to it.
I'm not entirely sure if this is what you're asking, but the OBJECT :: keyword here isn't meant to be replaced by some sort of identifier such as TABLE ::, it's meant to be specified literally as OBJECT ::. It's used to indicate that you want to grant permissions to an object as opposed to, say, a schema. According to this page, an object is any schema-level securable, such as a table, view, stored procedure, sequence, etc.
Also according to that page, the OBJECT :: keyword is optional if schema_name is specified. That leads me to believe that the need for specifying OBJECT :: is simply to make sure the database it's what type of entity the permissions are being granted to, since permissions can be granted to objects, schemas, server principles, and more.
Related
Was wanting to add full access for a developer to a database.
I wanted them to be able to have full control over it...including deleting it if they wanted.
Somehow I stumbled upon two ways. Are these the right ways??
What's the difference of between access/permissions between the both commands?
What is the correct command to accomplish what I want?
Thanks.
Command 1
USE [testdb1]
GO
ALTER USER [john] WITH DEFAULT_SCHEMA=[dbo]
GO
Command 2
USE [testdb1]
GO
EXEC sp_addrolemember N'db_owner', N'john'
GO
According to the latest sp_addrolemember documentation, sp_addrolemember should be avoided and ALTER ROLE should be used instead.
This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use ALTER ROLE instead.
There is no difference between the two as of SQL Server 2012.
alter role [RoleName] add member [MemberName];
is equivalent to
exec sp_addrolemember N'RoleName', N'MemberName';
References:
https://msdn.microsoft.com/en-us/library/ms189775.aspx
https://msdn.microsoft.com/en-us/library/ms187750.aspx
MSDN is a great source for answering that:
sp_addrolemember
Adds a database user, database role, Windows login, or Windows group
to a database role in the current database.
ALTER USER
Renames a database user or changes its default schema.
Note also the syntax:
sp_addrolemember [ #rolename = ] 'role',
[ #membername = ] 'security_account'
-- SQL Server Syntax
ALTER USER userName
WITH <set_item> [ ,...n ]
[;]
<set_item> ::=
NAME = newUserName
| DEFAULT_SCHEMA = { schemaName | NULL }
| LOGIN = loginName
| PASSWORD = 'password' [ OLD_PASSWORD = 'oldpassword' ]
| DEFAULT_LANGUAGE = { NONE | <lcid> | <language name> | <language alias> }
| ALLOW_ENCRYPTED_VALUE_MODIFICATIONS = [ ON | OFF ]
In other words, using sp_addrolemember, you could only add database user, database role, Windows login, or Windows group in the current database.
But using ALTER USER, you could alter its name, its default schema, its login name, its password, etc... which certain is unable to be done by using sp_addrolemember.
Check the two MSDN links. They are great source for info using SQL Server
As for your case, you probably want to use sp_addrolemember, provided that you already have a role which could give the user the access that they need (most probably db_owner).
USE [testdb1]
GO
EXEC sp_addrolemember N'db_owner', N'john'
GO
When you alter default schema of a user, it does not mean that they get new role - but they get new default schema, and the accessibility will depend on the security rules in the new schema for the existing user role. It could give you what you want, depends on the security rules for the user in the default schema it has.
I've come across this mystery in some SQL Server code I've inherited:
GRANT INSERT TO SomeUserRole
I would expect there to have to be a table or view to be specified. Running this works fine but doesn't appear to do anything. The role doesn't have rights to insert into any tables. Any ideas? I'd like to get rid of this if possible but if it is somehow giving the role some access, I'll have to keep it.
Thanks
Joe
The grammar at MSDN shows that the only required clauses are GRANT TO when used at the database level. There is no syntax at that level that restricts it to a specific table.
GRANT <permission> [ ,...n ]
TO <database_principal> [ ,...n ] [ WITH GRANT OPTION ]
[ AS <database_principal> ]
<permission>::=
permission | ALL [ PRIVILEGES ]
<database_principal> ::=
Database_user
| Database_role
| Application_role
| Database_user_mapped_to_Windows_User
| Database_user_mapped_to_Windows_Group
| Database_user_mapped_to_certificate
| Database_user_mapped_to_asymmetric_key
| Database_user_with_no_login
I want to change name of the system table in my database is it possible? Probably I shouldn't change it but I'm curious.
When I execute sp_rename I get the following error:
Msg 15001, Level 16, State 1, Procedure sp_rename, Line 404
Object 'cdc.[dbo_CdcTest_CT]' does not exist or is not a valid object for this operation.
Edit:
I want to change name of tables created by Change Data Capture because I want to disable CDC mechanism for table and still have data - I know that I can create additional table and move there data from CDC table but it's easier to change name of the CDC and then disable cdc for specified table.
No you cannot change the name of the system tables. However you can refer it with a different name.
You can use synonyms for that:
CREATE SYNONYM [ schema_name_1. ] synonym_name FOR <object>
<object> :: =
{
[ server_name.[ database_name ] . [ schema_name_2 ].| database_name . [ schema_name_2 ].| schema_name_2. ] object_name
}
Also to mention that sp_rename
Changes the name of a user-created object in the current database.
This object can be a table, index, column, alias data type, or
Microsoft .NET Framework common language runtime
I'm trying to delete just one data from my DB, but, when I write the command I keep getting that there's some syntax error, could you tell me where is the error?
This are the commands I've tried:
DELETE FROM database_userprofile WHERE user.username = 'some';
ERROR: syntax error at or near "."
LINE 1: DELETE FROM database_userprofile WHERE user.username = 'some'...
DELETE FROM database_userprofile USING database_user WHERE user.username="some";
ERROR: syntax error at or near "."
LINE 1: ... database_userprofile USING database_user WHERE user.username=...
Hope you can help me
Your query doesn't make any sense.
DELETE FROM database_userprofile WHERE user.username = 'some';
^^^^
Where'd user come from? It isn't referenced in the query. Is it a column of database_userprofile? If so, you can't write user.username (unless it's a composite type, in which case you would have to write (user).username to tell the parser that; but I doubt it's a composite type).
The immediate cause is that user is a reserved word. You can't use that name without quoting it:
DELETE FROM database_userprofile WHERE "user".username = 'some';
... however, this query still makes no sense, it'll just give a different error:
regress=> DELETE FROM database_userprofile WHERE "user".username = 'some';
ERROR: missing FROM-clause entry for table "user"
LINE 1: DELETE FROM database_userprofile WHERE "user".username = 'so...
My wild guess is that you're trying to do a delete over a join. I'm assuming that you have tables like:
CREATE TABLE "user" (
id serial primary key,
username text not null,
-- blah blah
);
CREATE TABLE database_userprofile (
user_id integer references "user"(id),
-- blah blah
);
and you're trying to do delete with a condition across the other table.
If so, you can't just write user.username. You must use:
DELETE FROM database_userprofile
USING "user"
WHERE database_userprofile.user_id = "user".id
AND "user".username = 'fred';
You'll notice that I've double-quoted "user". That's because it's a keyword and shouldn't really be used for table names or other user defined identifiers. Double-quoting it forces it to be intepreted as an identifier not a keyword.
Due to documentation, the syntax for delete in PostgreSQL 9.1 is:
[ WITH [ RECURSIVE ] with_query [, ...] ]
DELETE FROM [ ONLY ] table [ * ] [ [ AS ] alias ]
[ USING using_list ]
[ WHERE condition | WHERE CURRENT OF cursor_name ]
[ RETURNING * | output_expression [ [ AS ] output_name ] [, ...] ]
So you need to specify the "table_name" after DELETE command, not the "database_name".
You can delete data only if you are logged into the database.
You got
ERROR: syntax error at or near "."
because in the WHERE section you can specify the target table or the tables in the usinglist.
You may also get this error when copy-pasting a query from Eclipse to pgadmin. Somehow, a strange symbol may be inserted. To avoid this error, paste it in a simple text editor first (like notepad), then cut it from there and paste it in pgadmin.
I need to make some permission changes on a MS SQL server (2005) database. Some tables read only for all but dbo, some tables read-write for all etc. In the past I used the management program that came on the SQL server disk. That is not an option for me right now. I cannot find a place in visual studio to alter table permissions. Does visual studio have that feature?
Can you download SQL Server Management Studio Express?
GRANT for tables:
GRANT <permission> [ ,...n ] ON
[ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ]
TO <database_principal> [ ,...n ]
[ WITH GRANT OPTION ]
[ AS <database_principal> ]
<permission> ::=
ALL [ PRIVILEGES ] | permission [ ( column [ ,...n ] ) ]
<database_principal> ::=
Database_user
| Database_role
| Application_role
| Database_user_mapped_to_Windows_User
| Database_user_mapped_to_Windows_Group
| Database_user_mapped_to_certificate
| Database_user_mapped_to_asymmetric_key
| Database_user_with_no_login
example:
GRANT SELECT ON dbo.YourTable TO YourUser
GRANT INSERT ON dbo.YourTable TO YourUser
GRANT DELETE ON dbo.YourTable TO YourUser
Visual Studio 2008 does not have this ability and I don't see it included in the future editions either.
you could always use the command line to alter the permissions.