Grant select permission on all database to a user-defined server role - sql-server

Can I grant SELECT permission on all databases to a user-defined role?
I created a user-defined server role and added logins as members of it.
I want these logins to be able to view all databases and have SELECT permission on all databases.
How should I do this?

exec sp_addrolemember db_datareader, <User-Defined Role>;
This is equivalent to granting SELECT on all tables in the DB.
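As an added example (not from the answer above), here is a server-scoped way to give every member of a user-defined server role read access to all user databases, using the server-level permissions available in SQL Server 2014 and later; the role name ReadAllDatabases and the login name are placeholders.

```sql
-- Added example (not the answer's code): server-scoped read access for a
-- user-defined server role. Assumes SQL Server 2014 or later.
USE master;
GO
CREATE SERVER ROLE ReadAllDatabases;
GO
-- Members may connect to every database, existing and future ...
GRANT CONNECT ANY DATABASE TO ReadAllDatabases;
-- ... and read every user securable in the databases they can connect to.
GRANT SELECT ALL USER SECURABLES TO ReadAllDatabases;
-- VIEW ANY DATABASE is granted to public by default; grant it explicitly
-- only if that default has been revoked on your instance.
GRANT VIEW ANY DATABASE TO ReadAllDatabases;
GO
-- Placeholder login; members inherit the role's server-level permissions.
ALTER SERVER ROLE ReadAllDatabases ADD MEMBER [SomeLogin];
GO
-- Audit: list what the role holds at server scope, so the grant can be
-- reviewed against least privilege later.
SELECT pr.name AS principal_name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'ReadAllDatabases';
GO
```

These are read-everything permissions; the audit query at the end is the check to run before and after handing the role out.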

Related

Insufficient privileges to operate on schema 'PUBLIC'

I created a user ANALYST_USER and granted it a role ANALYST.
When I tried to create a table in TEST_DB, I got the following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST;
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
-- User --
GRANT ROLE ANALYST TO USER ANALYST_USER;
Does anyone know how to solve this issue?
The following statements solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only the "create table" permission, then we need to use the following statements instead:
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT CREATE TABLE ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
It is because the role was missing CREATE TABLE rights on the PUBLIC schema. You only have USAGE and MONITOR privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.

Is it possible to grant SELECT on all future tables on any schema in a database?

I'm trying to set up a Snowflake role that has access to all current and future tables in a given database:
create role if not exists MYROLE;
grant usage on database MYDB to role MYROLE;
grant usage on all schemas in database MYDB to role MYROLE;
grant usage on future schemas in database MYDB to role MYROLE;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
SHOW FUTURE GRANTS IN DATABASE MYDB; confirms that the grants are there:
created_on  privilege  grant_on  name           grant_to  grantee_name  grant_option
...         USAGE      SCHEMA    MYDB.<SCHEMA>  ROLE      MYROLE        false
...         SELECT     TABLE     MYDB.<TABLE>   ROLE      MYROLE        false
But they don't seem to have any effect.
I have a test schema MYDB.TEST, and when I create tables with another role, OTHERROLE, MYROLE can't "see" them.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
grant select on future tables in database MYDB to role MYROLE;
use role otherrole;
CREATE OR REPLACE TABLE mydb.test.ruben_test AS (
SELECT * FROM (values (1,2),(3,4),(5,6)) x(id,value)
);
select * from mydb.test.ruben_test; -- OTHERROLE can see table
use role myrole;
select * from mydb.test.ruben_test; -- SQL compilation error: Object 'MYDB.TEST.RUBEN_TEST' does not exist or not authorized.
use role accountadmin;
grant select on all tables in database MYDB to role MYROLE;
use role myrole;
select * from mydb.test.ruben_test; -- now it can see it
The statement grant select on future tables in database MYDB to role MYROLE; seems to be ignored.
If I use grant select on future tables in schema MYDB.TEST to role MYROLE; then it works, but I really don't want to have to write a grant for each schema in the database.
I'm opening a support case with Snowflake, but in the meantime, is it possible to have a grant on all future tables in a database or not?
Yes, it's possible. Most likely you have future grants at the schema level, and that prevents the future grants at the database level from running, as stated in the precedence rule for future grants:
As future grants can be defined at both the database and schema level, the schema-level grants always take precedence over the database-level grants, and Snowflake will ignore the future grants applied at the database level. Even if the user tries to change the future grants at the database level and one of the child schemas had a different future grant defined explicitly, then this change will not be reflected at the schema level; it will simply be ignored without showing any error.
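As an added example (not part of the answer above), the following script applies that precedence rule to the situation in the question: it looks for schema-level future grants that shadow the database-level one, removes them, and verifies the result. It assumes the names from the question (MYDB, MYDB.TEST, MYROLE, OTHERROLE) and a role with the MANAGE GRANTS privilege, such as ACCOUNTADMIN.

```sql
-- Added example (not the answer's code). Assumes MYDB, MYDB.TEST, MYROLE
-- and OTHERROLE from the question, and a role that can manage grants.
USE ROLE ACCOUNTADMIN;

-- 1. Database-level rule: expect SELECT on FUTURE TABLES for MYROLE.
SHOW FUTURE GRANTS IN DATABASE MYDB;

-- 2. Schema-level rules for the schema that misbehaves. Any future grant on
--    TABLE here takes precedence, so the database-level rule is ignored.
SHOW FUTURE GRANTS IN SCHEMA MYDB.TEST;
SELECT "privilege", "grant_on", "name", "grantee_name"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "grant_on" = 'TABLE';

-- 3. Drop the shadowing schema-level future grant so the database-level
--    one applies again. Privileges on tables that already exist are kept.
REVOKE SELECT ON FUTURE TABLES IN SCHEMA MYDB.TEST FROM ROLE MYROLE;

-- 4. Verify with a fresh table created by another role: MYROLE should read
--    it without any further grant. Table name is a constructed placeholder.
USE ROLE OTHERROLE;
CREATE OR REPLACE TABLE MYDB.TEST.FUTURE_GRANT_CHECK AS
  SELECT * FROM (VALUES (1, 'a'), (2, 'b')) AS v(id, val);

USE ROLE MYROLE;
SELECT COUNT(*) FROM MYDB.TEST.FUTURE_GRANT_CHECK;
-- If this still fails, repeat step 2 for the other schemas in MYDB.
```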

How can I grant permissions to a user defined server role?

I'm given the problem:
Write a script that creates a user-defined role named VendorMaintenance in the AP database. Give update permissions to that role on the Vendors table and Select permission on the Invoice and InvoiceLineItems table. Assign the VendorMaintenance role to dbMaster.
I've looked through my textbook and came up with this incorrect solution.
USE AP
GO
CREATE SERVER ROLE VendorMaintenance
GO
GRANT UPDATE
ON Vendors
TO VendorMaintenance
GO
GRANT SELECT
ON Invoices
TO VendorMaintenance
GO
GRANT SELECT
ON InvoiceLineItems
TO VendorMaintenance
GO
ALTER SERVER ROLE VendorMaintenance ADD MEMBER dbMaster
GO
It says that VendorMaintenance isn't a user, and it's not, but I need to grant these permissions to the role and then assign users to that role. Also, is there a better way to write this?
For a user-defined database role, the syntax is as below. The role will be created in the current database context.
USE AP;
GO
CREATE ROLE VendorMaintenance;
GO
CREATE SERVER ROLE creates a user-defined server role, which is used to grant server-scoped permissions rather than permissions on database-scoped objects.
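As an added example (not the answer's own code), here is the assignment's script rewritten with a database role, followed by a query that checks what the role actually received. It assumes the AP database, the dbo schema, the table names used in the question's script, and a database user dbMaster.

```sql
-- Added example (not the answer's code): database role instead of server
-- role. Assumes database AP, schema dbo and a database user dbMaster.
USE AP;
GO
CREATE ROLE VendorMaintenance;
GO
-- Object-level grants, schema-qualified so they do not depend on the
-- caller's default schema.
GRANT UPDATE ON OBJECT::dbo.Vendors TO VendorMaintenance;
GRANT SELECT ON OBJECT::dbo.Invoices TO VendorMaintenance;
GRANT SELECT ON OBJECT::dbo.InvoiceLineItems TO VendorMaintenance;
GO
-- Database roles take database users as members: ALTER ROLE, not
-- ALTER SERVER ROLE (SQL Server 2012 and later).
ALTER ROLE VendorMaintenance ADD MEMBER dbMaster;
GO
-- Check: every permission the role holds on objects in this database.
SELECT pr.name AS role_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
         AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'VendorMaintenance'
  AND pe.class_desc = N'OBJECT_OR_COLUMN';
GO
```

The final query should list exactly three rows (UPDATE on dbo.Vendors, SELECT on dbo.Invoices and dbo.InvoiceLineItems); anything more means the role got wider rights than the assignment asked for.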

Can I create a table with a grant to a specific role on SQL Server

I have permission to create/drop tables but don't have permission to grant a table to any role.
So when I create a table on the server I can't select from it.
Is there any way to create a table and grant it to a specific role in one statement?
Granting permission to create tables to a specific user in a specific database requires not only the CREATE TABLE permission but also ALTER permission on the schema.
-- UserName is the user or role that should be able to create tables
GRANT ALTER ON SCHEMA::SchemaName TO UserName;
GRANT CREATE TABLE TO UserName;

grant permission to all operations with database

How do I grant SELECT/UPDATE/INSERT/EXECUTE permission on all tables/procedures in a database? Create a role?
Because I want to have guests (SELECT permission on some tables), users (only SELECT, UPDATE, INSERT permissions on tables) and administrators (all permissions on all objects in the database).
Approach 1) Useful when there is a large number of users.
GRANT SELECT, INSERT, DELETE, UPDATE ON SCHEMA::SchemaName TO Principal --often DBO for Schema
For the Principal, it is FAR preferable to use a role and not a single user. Unless you just have a few users, it usually simplifies your management.
Now, if a utility schema is added, the user has no access to the data, but if a table is added to the SchemaName schema, they automatically have access.
Approach 2) Useful in case of few users.
Add the user to the db_datareader and db_datawriter roles if you need access to all tables in the database. It's short and simple.
USE [DBName]
GO
EXEC sp_addrolemember N'db_datawriter', N'UserName'
GO
EXEC sp_addrolemember N'db_datareader', N'UserName'
Reference : http://social.msdn.microsoft.com/Forums/en/transactsql/thread/1489337c-56c9-4bb8-9875-3a75be7596be
I would create roles. Or specifically one role, because there are already roles for what you describe as "guests" (i.e. the public role) and administrators (i.e. the db_owner role). But let's make it real.
create role [Users];
-- GRANT takes one securable per statement, so one grant per table:
grant select on tbl_1 to [public];
grant select on tbl2 to [public];
grant select on tbl3 to [public];
-- database-scoped grant: applies to every table in the database
grant select, insert, update, delete to [Users];
exec sp_addrolemember @rolename = 'Users', @membername = 'yourdomain\Users';
exec sp_addrolemember @rolename = 'db_owner', @membername = 'yourdomain\Admins';
--no need to add people to public; everyone's a member by default