I Just need to create table from a user to any user under the same DB.
letz consider 3 Schemas.
Schema_1,Schema_2 and Schema_3.
schema 1 had DBA Privilege.
Is it possible to table in SChema_2 or Schema_3 from Schema_1????
or we need to give this role "CREATE ANY TABLE" also ??
The DBA role should have this privilege in a typical installation - you can see other roles/users who have this by:
select grantee from dba_sys_privs where privilege = 'CREATE ANY TABLE'
As #dpbradly states, Oracle "out of the box" privileges for the DBA role include the 'CREATE ANY TABLE' privilege. You can check this out with the following query (and see all the system privileges granted to this role as well):
SELECT * FROM role_sys_privs WHERE role = 'DBA' ORDER BY PRIVILEGE;
The Oracle data dictionary is your friend.
Ok lets make some things clear
CREATE ANY TABLEis system privilege not role
you can grant any user DBA privileges by simply writing GRANT DBA TO <USER_NAME> WITH ADMIN OPTION;
That being said, schema_1 will be able to create table on any user as he have CREATE ANY TABLE privilege
create table hr.dbaMade_tab
(id number,
name varchar2(20)
);
If you schema_1 grants CREATE ANY TABLE then schema_2 and schema_3 will be able to create table to any table.
Do not grant DBA role to anyone. Make new role and give it necessary privileges and grant that role to other users. In your case schema_2 and schema_3. Hope that helps.
Related
In snowflake, I have a table "dbtest"."schematest"."testtable" created by role Accountadmin.
Now i want to alter a column in this table using another role roletest;
I have given all access till table leve to roletest
# using accountadmin roles i have granted all the access
use role accountadmin
use warehouse testwarehouse
# granted database level permission to the role
GRANT USAGE ON DATABASE DBTEST TO ROLE ROLETEST;
# granted schema level permission to the rol
GRANT USAGE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON ALL TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT SELECT ON FUTURE TABLES IN SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
GRANT USAGE, CREATE FUNCTION, CREATE PROCEDURE, CREATE TABLE, CREATE VIEW, CREATE EXTERNAL TABLE, CREATE MATERIALIZED VIEW, CREATE TEMPORARY TABLE ON SCHEMA DBTEST.SCHEMATEST TO ROLE ROLETEST;
# also at table leve i have granted the permissions
GRANT INSERT, DELETE, REBUILD, REFERENCES, SELECT, TRUNCATE, UPDATE ON TABLE "DBTEST"."SCHEMATEST"."testtable" TO ROLE "ROLETEST";
Now when i try
use role roletest;
use warehouse roletest_wh;
alter table "DBTEST"."SCHEMATEST"."testtable" alter column c1 drop not null;
i get the error
SQL access control error: Insufficient privileges to operate on table 'testtable'
I also tried
GRANT OWNERSHIP ON "DBTEST"."SCHEMATEST"."testtable" TO ROLE roletest;
it gives error
SQL execution error: Dependent grant of privilege 'SELECT' on securable "DBTEST"."SCHEMATEST"."testtable" to role 'SYSADMIN' exists. It must be revoked first. More than one dependent grant may exist: use 'SHOW GRANTS' command to view them. To revoke all dependent grants while transferring object ownership, use convenience command 'GRANT OWNERSHIP ON <target_objects> TO <target_role> REVOKE CURRENT GRANTS'.
https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html#examples
In a single step, revoke all privileges on the existing tables in the mydb.public schema and transfer ownership of the tables (along with a copy of their current privileges) to the analyst role:
grant ownership on all tables in schema mydb.public to role analyst copy current grants;
Grant ownership on the mydb.public.mytable table to the analyst role along with a copy of all current outbound privileges on the table:
grant ownership on table mydb.public.mytable to role analyst copy current grants;
Only the owner of an object can alter that object.
When changing ownership you need to use one of the revoke/copy grants options
I created a user ANALYST_USER and granted a role ANALYST.
When I tried to create a table in the TEST_DB, I got a following error message:
Unable to create table TEST.
SQL access control error: Insufficient privileges to operate on schema 'PUBLIC'
Here are the statements I wrote before trying to create a table using the ANALYST_USER account.
USE ROLE SECURITYADMIN;
-- Create Role--
CREATE ROLE ANALYST
-- Database--
GRANT USAGE ON DATABASE TEST_DB TO ROLE ANALYST;
-- Schema--
GRANT USAGE, MONITOR ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT USAGE, MONITOR ON FUTURE SCHEMAS IN DATABASE
TEST_DB TO ROLE ANALYST;
-- Warehouse--
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
GRANT USAGE ON WAREHOUSE TEST_WH TO ROLE ANALYST;
-- Tables/Views--
GRANT SELECT ON ALL TABLES IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT SELECT ON FUTURE TABLES IN DATABASE TEST_DB TO ROLE
ANALYST;
-- User -- GRANT ROLE ANALYST to USER ANALYST_USER;
Does anyone know how to solve this issue?
Following statement solved the issue.
GRANT ALL ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
GRANT ALL ON FUTURE SCHEMAS IN DATABASE TEST_DB TO ROLE ANALYST;
I understand this gives "ALL" permissions, so if we want to give only "create table" permission, then we need to use following statement instead:
Grant create table on schema IN DATABASE TEST_DB to role ANALYST;
It is because the role was missing create table rights on the public schema. You just have usage and monitor privileges in your schema grant. So, GRANT CREATE TABLE ON SCHEMA TEST_DB.PUBLIC TO ROLE ANALYST; would have solved your issue.
I have granted USAGE on the schemas and database.
I have granted select on all tables.
Using that role, I can read data from all tables within any schema.
I then grant the permission to create tables in all schemas within that database
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
Yet, when I issue this command (while using DEVELOPERS role), I get an error
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
What am I missing?
Works fine for me (script below). Going to go with what Lukasz commented and that your schema was created later.
use role accountadmin;
create database TEST1_CONTROL;
create schema PDS;
create role DEVELOPERS;
grant role DEVELOPERS to user <your_username>;
GRANT USAGE ON DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT USAGE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
GRANT CREATE TABLE ON ALL SCHEMAS IN DATABASE TEST1_CONTROL TO DEVELOPERS;
use role DEVELOPERS;
CREATE TABLE PDS.ERIC_TEST_TABLE(COUCOU STRING NULL);
Snowflake does offer future grants if you want a role to have access to any new schemas that would be created in the future.
I'm gIven the problem:
Write a script that creates a user-defined role named VendorMaintenance in the AP database. Give update permissions to that role on the Vendors table and Select permission on the Invoice and InvoiceLineItems table. Assign the VendorMaintenance role to dbMaster.
I've looked through my textbook and came up with this incorrect solution.
USE AP
GO
CREATE SERVER ROLE VendorMaintenance
GO
GRANT UPDATE
ON Vendors
TO VendorMaintenance
GO
GRANT SELECT
ON Invoices
TO VendorMaintenance
GO
GRANT SELECT
ON InvoiceLineItems
TO VendorMaintenance
GO
ALTER SERVER ROLE VendorMaintenance ADD MEMBER dbMaster
GO
It says that VendorMaintenance isn't a user, and its not. but I need to grant these permissions to the role and then assign users to that role. Also is there a better way to write this?
For a user-defined database role, the syntax is as below. The role will be created in the current database context.
USE AP;
GO
CREATE ROLE VendorMaintenance;
GO
CREATE SERVER ROLE creates a user-defined server role, which is used to grant server-scoped permissions rather than permissions on database-scoped objects.
I have permission to create/drop table but don't have permission to grant table to any role.
So when I create table on server I can't select from it.
Is there anyway to create table and specific grant to any role in one statement?
Grant permission to create tables to a specific user in a specific database not only requires CREATE TABLE permissions but also requires ALTER permissions to the schema.
GRANT ALTER ON Schema :: schema-name TO DATABASENAME
GRANT CREATE TABLE TO DATABASENAME