Grant Access on View
Hi,
I would like to know the appropriate and easy way of granting access (SELECT,INSERT,UPDATE..Etc) on newly created object (VIEWS/SYNONYMS) to all users at one go.
I have created a public synonym so that I can grant the access on synonym.
Appreciate any suggestions.
Thanks
You will need a script or package to do this.
e.g something like :-
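-- suppress headings and row counts so the spooled file holds only GRANT statements
set heading off
set feedback off
set pagesize 0
spool grant_select_to_all.sql
select 'grant select on '||object_name||' to select_role;'
from user_objects where object_type in('VIEW','TABLE');
spool off
@grant_select_to_all.sql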
Similar Messages
-
How to grant access to view linked in another DB
Hello,
I have two DBs. "DatabaseA" and "DatabaseB". I have table "tableA" in databaseA and I have created view in "ViewB" which contains simple SQL query "select * from DatabaseA.dbo.tableA".
Right now I want to get user access to view "viewB" without possibility to see original databaseA tableA
If you really have to stick to views, one option is to enable
database-ownership-chains between those 2 databases.
Be careful to only enable those 2 databases via
ALTER DATABASE [DB1]
SET DB_CHAINING ON
ALTER DATABASE [DB2]
SET DB_CHAINING ON
Then they have to be owned by the same Server Principal/Login (preferably
not a sysadmin, but that's yet another discussion)
You can read more about such ownership-chains here:
http://technet.microsoft.com/en-us/library/ms188676%28v=sql.105%29.aspx
You then have to be very careful with ALL Objects in Database 1 and 2 - because the chain will work for all of them - as long as they share a common owner. You would have to make sure that only that table (schema) is owned by the same owner.
And if DDL-permissions come into play, this becomes almost impossible to secure..
So If you do not fully understand the risks involved by this, I would advise against such a setup and refer to other options.
One better option even with Views:
Even with views you can select from a function. And functions can be signed with a certificate.
So a much more secure option is to go for Certificate Mapped Logins, working for only specific objects that you sign.
http://msdn.microsoft.com/en-us/library/ms173463.aspx
I can't find a complete article on that this moment, but I'm sure you can find it.
Andreas Wolter
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master SQL Data Platform, SQL Server 2012
Blog: www.insidesql.org/blogs/andreaswolter
Web: www.andreas-wolter.com |
www.SarpedonQualityLab.com -
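A sketch of the certificate-signing option described in the answer above, as an added example that is not code from the thread. The columns id and name, the certificate, function and user names, the file path and the password are placeholders; a multi-statement function is used because inline table-valued functions cannot be signed.

```sql
-- Added example (T-SQL). All names below except DatabaseA, DatabaseB, tableA
-- and ViewB are hypothetical; DB_CHAINING stays OFF on both databases.
USE DatabaseB;
GO
CREATE CERTIFICATE ReadTableA_Cert
    ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Signs dbo.fn_ReadTableA';
GO
-- Multi-statement TVF: the only cross-database read path we intend to allow.
CREATE FUNCTION dbo.fn_ReadTableA()
RETURNS @r TABLE (id int, name nvarchar(100))   -- assumed columns of tableA
AS
BEGIN
    INSERT @r (id, name)
    SELECT id, name FROM DatabaseA.dbo.tableA;
    RETURN;
END;
GO
-- Sign the function. Any later ALTER FUNCTION drops the signature,
-- so it has to be re-applied after every change to the module.
ADD SIGNATURE TO dbo.fn_ReadTableA
    BY CERTIFICATE ReadTableA_Cert
    WITH PASSWORD = '<placeholder-strong-password>';
GO
-- Export the public part only, then discard the private key so nobody
-- can sign further modules with this certificate.
BACKUP CERTIFICATE ReadTableA_Cert TO FILE = 'C:\placeholder\ReadTableA_Cert.cer';
ALTER CERTIFICATE ReadTableA_Cert REMOVE PRIVATE KEY;
GO
USE DatabaseA;
GO
-- Same certificate (public key) in the source database, mapped to a user
-- that holds exactly one permission.
CREATE CERTIFICATE ReadTableA_Cert FROM FILE = 'C:\placeholder\ReadTableA_Cert.cer';
CREATE USER ReadTableA_CertUser FROM CERTIFICATE ReadTableA_Cert;
GRANT SELECT ON dbo.tableA TO ReadTableA_CertUser;
GO
USE DatabaseB;
GO
-- The view now reads through the signed function instead of the table.
ALTER VIEW dbo.ViewB AS
    SELECT id, name FROM dbo.fn_ReadTableA();
GO
GRANT SELECT ON dbo.ViewB TO ReportReader;   -- hypothetical end user
GO
-- Check: list signed modules and the certificate that signed them.
SELECT OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint;
```

Unlike DB_CHAINING, the extra permission exists only while the signed function runs, so other objects that happen to share an owner across the two databases gain nothing.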
Grant access to all the views created in user schema to another schema
How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
Oracle Grant Privileges
===============
Object privileges assign the right to perform a particular operation on a specific object
I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
Is this right
Oracle System Privileges
===============
System privileges should be used in only cases where security isn't important, because a single grant statement could remove all security from the table
Role based security
============
Role security allows you to gather related grants into a collection, since the role is a predefined collection of privileges that are grouped together. Privileges are easier to assign to users.
[http://www.dba-oracle.com/art_builder_grant_sec.htm]
can we grant select update to all the views at a time to the other schema.
Are there any other ways to secure the data other than creating users and assigning roles.
Thank you
Edited by: Trooper on Dec 23, 2008 9:24 AM
I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role"
If you want users to connect to Oracle you have to create usernames for them, though if the users only connect via an application the application might run just as one user and access to the application is controlled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
To connect to Oracle you can use OS authentication (not recommended), usernames with passwords, or the Advanced Security Option, which supports single sign-on products like Kerberos or Oracle Internet Directory etc.
Example using SQL to generate SQL
How do I find out which users have the rights, or privileges, to access a given object ?
http://www.jlcomp.demon.co.uk/faq/privileges.html
HTH -- Mark D Powell -- -
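The "SQL to generate SQL" idea from this thread and from the first answer on the page, written as one PL/SQL block that runs the grants directly. This is an added example, not code from either thread; APP_READ_ROLE is a hypothetical role that a DBA has already created, and the block is run as the schema owner.

```sql
-- Added example (Oracle SQL*Plus / PL/SQL).
-- Grants SELECT on every view in the current schema to one role, skips views
-- that already carry the grant, and reports failures instead of stopping.
SET SERVEROUTPUT ON
DECLARE
  c_role CONSTANT VARCHAR2(30) := 'APP_READ_ROLE';   -- hypothetical role name
  l_stmt VARCHAR2(400);
BEGIN
  FOR v IN (SELECT uv.view_name
              FROM user_views uv
             WHERE NOT EXISTS (SELECT 1
                                 FROM user_tab_privs_made p
                                WHERE p.table_name = uv.view_name
                                  AND p.grantee    = c_role
                                  AND p.privilege  = 'SELECT')
             ORDER BY uv.view_name)
  LOOP
    -- ENQUOTE_NAME keeps mixed-case or odd view names from breaking (or
    -- altering) the generated statement; SIMPLE_SQL_NAME validates the role.
    l_stmt := 'GRANT SELECT ON '
           || DBMS_ASSERT.ENQUOTE_NAME(v.view_name, FALSE)
           || ' TO ' || DBMS_ASSERT.SIMPLE_SQL_NAME(c_role);
    BEGIN
      EXECUTE IMMEDIATE l_stmt;
      DBMS_OUTPUT.PUT_LINE('OK   ' || l_stmt);
    EXCEPTION
      WHEN OTHERS THEN
        -- Typical cause: ORA-01720, the view owner lacks the grant option
        -- on a base table owned by another schema.
        DBMS_OUTPUT.PUT_LINE('FAIL ' || l_stmt || ' : ' || SQLERRM);
    END;
  END LOOP;
END;
/
-- Review what the role can now read in this schema.
SELECT table_name, privilege, grantable
  FROM user_tab_privs_made
 WHERE grantee = 'APP_READ_ROLE'
 ORDER BY table_name;
```

Granting to a role rather than to PUBLIC or to each user keeps the access revocable in one statement and visible in one query.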
With out loosing view grant access, i can modify the existing vi
I am using oracle 11g.
I would like to add few more where condition in my oracle view, which has grant permission by different user.
Is there any way, without losing view grant access, I can modify the existing view?
Existing view
create view abc
as
select * from tab1
where rownum =1 .
Grant select on abc to read_ro;
Modifying view
Is there any way, without losing view grant access, I can modify the existing view?
add few more where condition in my oracle view, which has grant permission by different user
please advise.
create or replace view...
SQL> create or replace view y as select object_name from user_objects;
View created.
SQL> grant select on y to ads;
Grant succeeded.
SQL> select * from user_tab_privs where table_name='Y';
GRANTEE OWNER
TABLE_NAME GRANTOR
PRIVILEGE GRA HIE
ADS BONTRAB1
Y BONTRAB1
SELECT NO NO
SQL> create or replace view y as select object_name,created from user_objects;
View created.
SQL> select * from user_tab_privs where table_name='Y';
GRANTEE OWNER
TABLE_NAME GRANTOR
PRIVILEGE GRA HIE
ADS BONTRAB1
Y BONTRAB1
SELECT NO NO
SQL> desc y
Name Null? Type
OBJECT_NAME VARCHAR2(128)
CREATED DATE -
Access to view blocking sessions in sql server 2008
Hi,
One of my clients wrote a stored procedure. We scheduled this SP in a job. While the job is running, it is blocking other sessions. It is happening frequently. So, the client is asking me to grant permission to view blocking sessions (wants to execute sp_who2). Could you please advise me which permission I need to give. I don't like to give access other than sp_who2. Please advise.
Thanks.
Raja.
Thanks, Raja
You need VIEW SERVER STATE permissions for sp_who or sp_who2 to work. You can also use sys.dm_exec_requests which will also give blocking information and requires the same permissions.
Else you can take a look at the other alternative which is sp_whoisactive - check this link -
http://sqlblog.com/blogs/adam_machanic/archive/2012/03/22/released-who-is-active-v11-11.aspx
Regards, Ashwin Menon My Blog - http:\\sqllearnings.com -
How to grant access to sharepoint for the user from different Domain
Hi All
I need to grant access to user from different domain.
Where I can able to view the users in people picker (different domain).
Thanks in Advance.
Raj
Hi Trevor Seward,
Sorry to disturb you again.
I am trying to restrict users from search from other domain, say we have domain A and Domain B, where I am trying to restrict all the users from domain B (Search users) for a site collection. I have found a couple of stsadm commands to do so, but none of them works. Below are the commands I have tried
STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(canonicalName=<Name>.domain*)" -url "Site URL"
we have two way trust.
Can you suggest any solution.
Thanks
Raj -
Grant access to users from different Domains
Hi,
Recently my company was merged with another. All users from my company are set up in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint) in our AD to add groups from the other company's domain: DomainB, totally different Forest. There is a two way trust set up between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
Problem came when we applied Audience targeting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
Please suggest how we can resolve audience targeting issue?
Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***
My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Should we use triggers to deny alter access to views?
hello all - the requirement is let a group access all the views in the schema but not be able to alter, delete views or stored procedures or functions. what is the best way to do this? thanks in advance...
It is a three-step process
--Step 1 Create database role
CREATE ROLE [view_access]
GO
--Step 2 Write a stored procedure to grant all the views to that role; in this example I gave for Stored Procedure
--You can change appropriately
USE [master]
GO
CREATE PROCEDURE [dbo].[sp_GrantAllviews]
    @user sysname,
    @DB varchar(30)
AS
SET NOCOUNT ON
-- 1 - Variable declarations
DECLARE @CMD1 varchar(8000)
DECLARE @MAXOID int
DECLARE @OwnerName varchar(128)
DECLARE @ObjectName varchar(128)
-- 2 - Create temporary table
CREATE TABLE #StoredProcedures
    (OID int IDENTITY (1,1),
     StoredProcOwner varchar(128) NOT NULL,
     StoredProcName varchar(128) NOT NULL)
-- 3 - Populate the temporary table
-- (sp_/xp_ names are excluded here so the loop never reuses stale variable values;
--  QUOTENAME keeps @DB from breaking out of the dynamic SQL)
SET @CMD1 = 'SELECT ROUTINE_SCHEMA, ROUTINE_NAME FROM ' + QUOTENAME(@DB) +
    '.INFORMATION_SCHEMA.ROUTINES WHERE NOT(ISNULL(ROUTINE_TYPE,'''') = ''FUNCTION'' AND ISNULL(DATA_TYPE,'''') = ''TABLE'') AND ROUTINE_NAME NOT LIKE ''dt_%'' AND ROUTINE_NAME NOT LIKE ''sp_%'' AND ROUTINE_NAME NOT LIKE ''xp_%'''
INSERT INTO #StoredProcedures (StoredProcOwner, StoredProcName)
EXEC(@CMD1)
-- 4 - Capture the @MAXOID value
SELECT @MAXOID = MAX(OID) FROM #StoredProcedures
-- 5 - WHILE loop
WHILE @MAXOID > 0
BEGIN
    -- 6 - Initialize the variables
    SELECT @OwnerName = StoredProcOwner, @ObjectName = StoredProcName
    FROM #StoredProcedures
    WHERE OID = @MAXOID
    -- 7 - Build the string (every identifier goes through QUOTENAME)
    SELECT @CMD1 = 'USE ' + QUOTENAME(@DB) + ';GRANT EXEC ON ' +
        QUOTENAME(@OwnerName) + '.' + QUOTENAME(@ObjectName) +
        ' TO ' + QUOTENAME(@user)
    -- 8 - Show, then execute the string
    SELECT @CMD1
    EXEC(@CMD1)
    -- 9 - Decrement @MAXOID
    SET @MAXOID = @MAXOID - 1
END
-- 10 - Drop the temporary table
DROP TABLE #StoredProcedures
SET NOCOUNT OFF
GO
--Step 3 Assign the user to this role. -
Grant access to terminated employee's mailbox
How can I easily grant access to a terminated employee's mailbox including deleted items? If I have the terminated employee's mailbox on litigation hold the deleted items are in the recovery folder, but can the recovery folder only be viewed through
e-discovery process?
Thanks!
Hi Viper,
Thank you for your question.
We could run the following command to grant full access permission on terminated user:
Add-MailboxPermission -Identity <terminated user> -User <your name> -AccessRights FullAccess -InheritanceType All
If I have the terminated employee's mailbox on litigation hold the deleted items are in the recovery folder, but can the recovery folder only be viewed through e-discovery process?
A: Yes, we could be granted only viewer to the specific user, we could refer to the following link:
https://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx
Authorized users can perform an In-Place eDiscovery search by selecting the mailboxes, and then specifying search criteria such as keywords, start and end dates, sender and recipient addresses, and message types. After the search is complete, authorized users can then select one of the following actions:
Estimate search results: This option returns an estimate of the total size and number of items that will be returned by the search based on the criteria you specified.
Preview search results: This option provides a preview of the results. Messages returned from each mailbox searched are displayed.
Copy search results: This option lets you copy messages to a discovery mailbox.
Export search results: After search results are copied to a discovery mailbox, you can export them to a PST file.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Jim Xu
TechNet Community Support -
Grant access based on application type?
Hi,
Is there a way to grant access to just some of the application types attached to a DIR? I would like to limit the users to open the CAD files but they should be able to open the PDF files attached. The idea is to create the PDF file automatically out of the CAD file so I can't put them in different DIRs because that would involve manual work.
Kind regards,
Kristoffer Pehrson
Hi Kristoffer,
from my point of view maybe the authorization trace could help to find a suitable authorization object for creating your checks. More information on this authorization trace could be found under http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationTraceintransactionST01
Useful information on each DMS authorization object can be found under http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationObjectsin+DMS.
If no standard authorization object could be useful maybe you can use a BADI like DOCUMENT_AUTH01 or DOCUMENT_MAIN01 to implement an individual check for the application type and so restrict some users to view special applications.
Best regards,
Christoph -
hi
i have a user with objects, tables, views and procedures but it doesn't have dba privileges... how can i grant access to all the users to these objects? (with the sys or system user).
thanks for your help.
alex
Hello,
Every user in database has its objects and DBA privileges are not for everyone.
"how can i grant access to all the user to these objects? (with the sys or system user)" <<< Can you explain these lines? What's your requirement? Please state clearly...
As far as I got your problem, you require that all other users of the database should be able to access the objects of user (let's say A) which you specified in first line.
For this purpose create public synonyms for all objects of user A and grant. So, everyone can use the objects of "A's" schema.
Please update..... if you got the point or not... -
My java application is deployed on neo.ondemand.com and uses the hana database on cloud also, we use eclipselink
the jpa persistence configuration:
<property name="eclipselink.target-database" value="com.sap.persistence.platform.database.HDBPlatform"/>
here i do not specify any user or password to access the database, i think hana JDBC somehow hide the user information when java application and hana database both are on the cloud.
for the tables created by JPA itself, access is fine.
now i have created a view via Hana studio, through database tunnel using account dXXXXXXsapdev
i have an JPA entity, and i am trying to access the view from java application, it reports error:
Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.2.v20111125-r10461): org.eclipse.persistence.exceptions.DatabaseException Internal Exception: com.sap.db.jdbc.exceptions.JDBCDriverException: SAP DBTech JDBC: [258]: insufficient privilege:
I do not know which database user is used by JPA to access the view, how can i grant the database rights on the view so that "native java application on cloud" can access the database schema (or view created through database tunnel)
any comment is welcomed.
Hi,
Please post this issue under SAP HANA Cloud Platform space. The platform experts should be able to help with that.
Regards,
Ifat. -
Wwsbr_api.add_folder and grant access/
I created a folder with the API
wwsbr_api.add_folder, which worked fine.
Now i want to grant VIEW access to a specific user for that folder, using an API. I used:
wwsec_api.set_user_acl
(p_person_id=>v_personid
,p_object_type_name=>'FOLDER'
,p_name => 'STOREMANAGER2'
,p_privilege=>'VIEW'
);
But it didn't help. The user can still not see this folder? Any suggestions?
Thanks,
Anja
Jerry,
sorry for replying so late, but i can read my email only at the hotel in the evening.
Thanks for the script, but it didn't help.
Here is more information:
Running
Declare
c Varchar2(100);
Begin
c := wwsec_api.get_granted_user_privilege(
p_user_id =>10,
p_object_type_name=>'FOLDER',
p_name=>'2227');
dbms_output.put_line(c);
End;
for my specific user, it returns VIEW:
SQL> @getgranteduserpriv.sql
VIEW
PL/SQL procedure successfully completed.
However, if i navigate through the UI with
another user that has admin privileges:
- i click Edit Folder
- Administration
- Folder (Edit Content Area)
- Access tab
Here i don't see my user "10" in the ACCESS list.
I do see another user "7" which has VIEW privileges. That's what the UI shows.
However, if i run wwsec_api.get_granted_user_privilege for user "7" i don't get anything back.
Am i using the right API?
Is wwsec_api.set_user_acl
matching the UI's GRANT ACCESS/CHANGE ACCESS interface?
Thanks for you help,
Anja
-
Timecard Approval + Grant Access
Hello all,
We have an OTL implementation with supervisor approval setup. We have an issue with the following scenario:
1. Employee (A) submits time card
2. Supervisor (B) is unavailable to act on it (sick, unplanned absence etc.)
3. Supervisor has given access to his/her supervisor (C) (worklist)
4. C is unavailable too, again, unplanned
5. C has setup worklist access to his/her supervisor (D)
Our need is to allow D to act on A's time card without every supervisor providing a grant access to everyone above them in the chain of command. Is there any solution/workaround in OTL/Workflow to provide access in a hierarchical manner in such scenarios?
Thanks in advance,
Vijay -
Sql server grants access to specific login to database.
I have created a website for intranet and hosted it on server. For that I needed to create login "IIS APPPOOL\hi" in SQL Server 2008 for my application to access my "reportdb" database. "IIS APPPOOL\hi" has sysadmin and public server roles in SQL Server 2008. And I have default login "sa" same as "IIS APPPOOL\hi". These are working correctly. Now I want these two logins to access "reportdb" for all operations in database and remaining all logins should be denied to access "reportdb". My SQL Server 2008 is having mixed mode (Windows authentication and SQL authentication). Please help me
I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities to perform the tasks needed.
The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any question on this topic I will be glad to assist.
I hope this information helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights.
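The least-privilege setup recommended in the answer above, shown as the current weak configuration beside a corrected one. This is an added example, not code from the thread; the choice of db_datareader, db_datawriter and EXECUTE on the dbo schema is an assumption about what the web application needs, and the procedures used are the ones available on SQL Server 2008.

```sql
-- Added example (T-SQL, SQL Server 2008 syntax).
-- 1. Audit: list every member of sysadmin before changing anything.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO
-- 2. Weak setting described in the question (shown for contrast, not run):
--    EXEC sp_addsrvrolemember N'IIS APPPOOL\hi', N'sysadmin';
--    Any SQL injection flaw in the site then runs with full control of the instance.

-- 3. Corrected: the application pool login is an ordinary login ...
EXEC sp_dropsrvrolemember @loginame = N'IIS APPPOOL\hi', @rolename = N'sysadmin';
GO
USE reportdb;
GO
-- ... mapped to a database user with only the rights the application uses.
-- (Skip CREATE USER if a user for this login already exists in reportdb.)
CREATE USER [IIS APPPOOL\hi] FOR LOGIN [IIS APPPOOL\hi];
EXEC sp_addrolemember N'db_datareader', N'IIS APPPOOL\hi';
EXEC sp_addrolemember N'db_datawriter', N'IIS APPPOOL\hi';
GRANT EXECUTE ON SCHEMA::dbo TO [IIS APPPOOL\hi];
GO
-- 4. Other logins get no access unless a user is created for them; make sure
--    the guest user does not provide a back door into the database.
REVOKE CONNECT FROM guest;
GO
-- 5. Verify: which principals can connect to reportdb at all.
SELECT dp.name AS principal_name, dp.type_desc, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 0 AND p.permission_name = N'CONNECT'
ORDER BY dp.name;
```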