Grant Access on View

Hi,
I would like to know the appropriate and easy way of granting access (SELECT, INSERT, UPDATE, etc.) on newly created objects (VIEWS/SYNONYMS) to all users in one go.
I have created a public synonym so that I can grant the access on synonym.
Appreciate any suggestions.
Thanks

You will need a script or package to do this.
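e.g. something like:
-- suppress headings and row counts so the spooled file holds only GRANT statements
set heading off feedback off pagesize 0
spool grant_select_to_all.sql
select 'grant select on '||object_name||' to select_role;'
from user_objects where object_type in ('VIEW','TABLE');
spool off
@grant_select_to_all.sql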

Similar Messages

  • How to grant access to view linked in another DB

    Hello,
    I have two DBs. "DatabaseA" and "DatabaseB". I have table "tableA" in databaseA and I have created view in "ViewB" which contains simple SQL query "select * from DatabaseA.dbo.tableA".
    Right now I want to get user access to view "viewB" without possibility to see original databaseA tableA

    If you really have to stick to views, one option is to enable
    database-ownership-chains between those 2 databases.
    Be careful to only enable those 2 databases via
    ALTER DATABASE [DB1]
    SET DB_CHAINING ON
    ALTER DATABASE [DB2]
    SET DB_CHAINING ON
    Then they have to be owned by the same Server Principal/Login (preferably
    not a sysadmin, but that's yet another discussion)
    You can read more about such ownership-chains here:
    http://technet.microsoft.com/en-us/library/ms188676%28v=sql.105%29.aspx
    You then have to be very careful with ALL Objects in Database 1 and 2 - because the chain will work for all of them - as long as they share a common owner. You would have to make sure that only that table (schema) is owned by the same owner.
    And if DDL-permissions come into play, this becomes almost impossible to secure..
    So if you do not fully understand the risks involved in this, I would advise against such a setup and refer to other options.
    One better option even with Views:
    Even with views you can select from a function. And functions can be signed with a certificate.
    So a much more secure option is to go for Certificate Mapped Logins, working for only specific objects that you sign.
    http://msdn.microsoft.com/en-us/library/ms173463.aspx
    I can't find a complete article on that at this moment, but I'm sure you can find it.
    Andreas Wolter
    Microsoft Certified Master SQL Server 2008
    Microsoft Certified Solutions Master SQL Data Platform, SQL Server 2012
    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com |
    www.SarpedonQualityLab.com
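
An added audit query (not part of the original posts) for the risk described in the answer above: it shows where cross-database ownership chaining is enabled and lists every object in DatabaseA that shares an owner with a view, procedure or function in DatabaseB. DatabaseA and DatabaseB are the names from the question; everything else uses standard catalog views.

```sql
-- 1. Which databases have chaining enabled, and which login owns them?
SELECT name,
       is_db_chaining_on,
       SUSER_SNAME(owner_sid) AS database_owner
FROM   sys.databases
WHERE  is_db_chaining_on = 1
   OR  name IN (N'DatabaseA', N'DatabaseB');

-- Instance-wide switch: when this is on, chaining applies to every database.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = N'cross db ownership chaining';

-- 2. Objects in DatabaseA whose owner SID also owns a module or view in DatabaseB.
--    An object's owner is its own principal_id, or the schema owner when that is NULL.
--    Each row is something the chain can reach from DatabaseB; per the answer,
--    only the intended table should appear here.
WITH b_owners AS (
    SELECT DISTINCT dp.sid
    FROM   DatabaseB.sys.objects AS o
    JOIN   DatabaseB.sys.schemas AS s
           ON s.schema_id = o.schema_id
    JOIN   DatabaseB.sys.database_principals AS dp
           ON dp.principal_id = ISNULL(o.principal_id, s.principal_id)
    WHERE  o.type IN ('V', 'P', 'FN', 'IF', 'TF')
      AND  o.is_ms_shipped = 0
)
SELECT s.name  AS schema_name,
       o.name  AS object_name,
       o.type_desc,
       dp.name AS owner_name
FROM   DatabaseA.sys.objects AS o
JOIN   DatabaseA.sys.schemas AS s
       ON s.schema_id = o.schema_id
JOIN   DatabaseA.sys.database_principals AS dp
       ON dp.principal_id = ISNULL(o.principal_id, s.principal_id)
JOIN   b_owners AS b
       ON b.sid = dp.sid
WHERE  o.type IN ('U', 'V')
  AND  o.is_ms_shipped = 0
ORDER BY s.name, o.name;
```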

  • Grant access to all the views created in user schema to another schema

    How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
    Oracle Grant Privileges
    ===============
    Object privileges assign the right to perform a particular operation on a specific object
    I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
    Is this right
    Oracle System Privileges
    ===============
    System privileges should be used only in cases where security isn't important, because a single grant statement could remove all security from the table
    Role based security
    ============
    Role security allows you to gather related grants into a collection. Since the role is a predefined collection of privileges that are grouped together, privileges are easier to assign to users.
    [http://www.dba-oracle.com/art_builder_grant_sec.htm]
    can we grant select update to all the views at a time to the other schema.
    Are there any other ways to secure the data other than creating users and assigning roles.
    Thank you
    Edited by: Trooper on Dec 23, 2008 9:24 AM

    I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role"
    If you want users to connect to Oracle you have to create usernames for them, though if the users only connect via an application the application might run just as one user and access to the application is controlled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
    To connect to Oracle you can use OS authentication (not recommended), usernames with passwords, or the Advanced Security Option, which supports single sign-on products like Kerberos or Oracle Internet Directory etc.
    Example using SQL to generate SQL
    How do I find out which users have the rights, or privileges, to access a given object ?
    http://www.jlcomp.demon.co.uk/faq/privileges.html
    HTH -- Mark D Powell --
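
The "SQL that generates SQL" approach from the replies above, as an added example (not code from the original posts): a PL/SQL block that runs the grants directly instead of spooling a script, quotes each view name, and reports any grant that fails. It assumes it is run in SQL*Plus as the view owner (HAGGIS in the question), that the owner is allowed to create roles, and it uses a hypothetical role name VIEW_READER.

```sql
-- Run as the owner of the views. VIEW_READER is a hypothetical role name;
-- COMQDHB is the grantee schema from the question.
CREATE ROLE view_reader;

SET SERVEROUTPUT ON

DECLARE
  c_role   CONSTANT VARCHAR2(128) := 'VIEW_READER';
  l_stmt   VARCHAR2(400);
  l_failed PLS_INTEGER := 0;
BEGIN
  FOR v IN (SELECT view_name FROM user_views ORDER BY view_name) LOOP
    -- ENQUOTE_NAME double-quotes the name (FALSE = keep its case), so
    -- mixed-case or oddly named views cannot break out of the statement.
    l_stmt := 'GRANT SELECT ON '
              || DBMS_ASSERT.ENQUOTE_NAME(v.view_name, FALSE)
              || ' TO '
              || DBMS_ASSERT.SIMPLE_SQL_NAME(c_role);
    BEGIN
      EXECUTE IMMEDIATE l_stmt;
      DBMS_OUTPUT.PUT_LINE('ok:     ' || l_stmt);
    EXCEPTION
      WHEN OTHERS THEN
        -- Typical cause: the view reads another schema's table and the owner
        -- holds that privilege without WITH GRANT OPTION (ORA-01720).
        l_failed := l_failed + 1;
        DBMS_OUTPUT.PUT_LINE('FAILED: ' || l_stmt || ' -> ' || SQLERRM);
    END;
  END LOOP;

  IF l_failed > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, l_failed || ' grant(s) failed');
  END IF;
END;
/

-- One grant per user from here on; new views only need a grant to the role.
GRANT view_reader TO comqdhb;

-- Review what the role can now read.
SELECT grantee, table_name, privilege
FROM   user_tab_privs_made
WHERE  grantee = 'VIEW_READER'
ORDER  BY table_name;
```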

  • With out loosing view grant access, i can modify the existing vi

    I am using oracle 11g.
    I would like to add few more where condition in my oracle view, which has grant permission by different user.
    Is there any way, without losing view grant access, that I can modify the existing view?
    Existing view
    create view abc
    as
    select * from tab1
    where rownum =1 .
    Grant select on abc to read_ro;
    Modifying view
    Is there any way, without losing view grant access, that I can modify the existing view?
    add few more where condition in my oracle view, which has grant permission by different user
    please advise.

    create or replace view...
    SQL>  create or replace view y as select object_name from user_objects;
    View created.
    SQL> grant select on y to ads;
    Grant succeeded.
    SQL> select * from user_tab_privs where table_name='Y';
    GRANTEE                        OWNER
    TABLE_NAME                     GRANTOR
    PRIVILEGE                                GRA HIE
    ADS                            BONTRAB1
    Y                              BONTRAB1
    SELECT                                   NO  NO
    SQL> create or replace view y as select object_name,created from user_objects;
    View created.
    SQL>  select * from user_tab_privs where table_name='Y';
    GRANTEE                        OWNER
    TABLE_NAME                     GRANTOR
    PRIVILEGE                                GRA HIE
    ADS                            BONTRAB1
    Y                              BONTRAB1
    SELECT                                   NO  NO
    SQL> desc y
    Name                                      Null?    Type
    OBJECT_NAME                                        VARCHAR2(128)
    CREATED                                            DATE

  • Access to view blocking sessions in sql server 2008

    Hi,
    One of my clients wrote a stored procedure. We scheduled this SP in a job. While the job is running, it is blocking other sessions. It is happening frequently. So, the client is asking me to grant permission to view blocking sessions (wants to execute sp_who2). Could you please advise me which permission I need to give. I don't like to give access other than sp_who2. Please advise.
    Thanks.
    Raja.
    Thanks, Raja

    You need VIEW SERVER STATE permissions for sp_who or sp_who2 to work. You can also use sys.dm_exec_requests which will also give blocking information and requires the same permissions.
    Else you can take a look at the other alternative which is sp_whoisactive - check this link -
    http://sqlblog.com/blogs/adam_machanic/archive/2012/03/22/released-who-is-active-v11-11.aspx
    Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

  • How to grant access to sharepoint for the user from different Domain

    Hi All
        I need to grant access to user from different domain. 
        Where I can able to view the users in people picker (different domain).
    Thanks in Advance.
    Raj

    Hi Trevor Seward,
    Sorry to disturb you again.
    I am trying to restrict user from search from other domain, say we have domain A and Domain B, where I am trying to restrict all the user from domain B (Search users) for a site collection. I have found couple of stsadmin command to do so, but none of them works. Below are the commands I have tried
    STSADM.exe -o setproperty -pn peoplepicker-searchadforests -pv "domain:<Name>.domain" -url "http://Site URL"
    stsadm -o setproperty -pn peoplepicker-searchadcustomquery -pv "(canonicalName=<Name>.domain*)" -url "Site URL"
    we have two way trust.
    Can you suggest any solution.
    Thanks 
    Raj

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are setup in our Domain (DomainA). Sharepoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint) in our AD to add groups from the other company's domain: DomainB, totally different Forest. There is a two way trust setup between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from other domain: DomainB.
    The other users are now able to access our sharepoint environment once access is granted to DomainA\Test-Sharepoint.
    Problem came when we applied Audience targeting around few web parts. The users from DomainB who are added as object in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within it.
    Please suggest how we can resolve audience targeting issue?
    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Should we use triggers to deny alter access to views?

    hello all - the requirement is let a group access all the views in the schema but not be able to alter, delete views or stored procedures or functions. what is the best way to do this? thanks in advance...

    It is a three-step process.
    --Step 1 Create database role
    CREATE ROLE [view_access]
    GO
    --Step 2 Write a stored procedure to grant all the views to that role; in this example I gave it for stored procedures.
    --You can change appropriately
    USE [master]
    GO
    CREATE PROCEDURE [dbo].[sp_GrantAllviews]
        @user sysname,
        @DB varchar(30)
    AS
    SET NOCOUNT ON
    -- 1 - Variable declarations
    DECLARE @CMD1 varchar(8000)
    DECLARE @MAXOID int
    DECLARE @OwnerName varchar(128)
    DECLARE @ObjectName varchar(128)
    -- 2 - Create temporary table
    CREATE TABLE #StoredProcedures
        (OID int IDENTITY (1,1),
         StoredProcOwner varchar(128) NOT NULL,
         StoredProcName varchar(128) NOT NULL)
    -- 3 - Populate the temporary table (QUOTENAME escapes the database name)
    SET @CMD1 = 'SELECT ROUTINE_SCHEMA, ROUTINE_NAME FROM ' + QUOTENAME(@DB) +
        '.INFORMATION_SCHEMA.ROUTINES WHERE NOT(ISNULL(ROUTINE_TYPE,'''') = ''FUNCTION'' AND ISNULL(DATA_TYPE,'''') = ''TABLE'') AND ROUTINE_NAME NOT LIKE ''dt_%'''
    INSERT INTO #StoredProcedures (StoredProcOwner, StoredProcName)
    EXEC(@CMD1)
    -- 4 - Capture the @MAXOID value
    SELECT @MAXOID = MAX(OID) FROM #StoredProcedures
    -- 5 - WHILE loop
    WHILE @MAXOID > 0
    BEGIN
        -- 6 - Initialize the variables (reset first so a skipped sp_/xp_ row does not reuse the previous name)
        SELECT @OwnerName = NULL, @ObjectName = NULL
        SELECT @OwnerName = StoredProcOwner, @ObjectName = StoredProcName
        FROM #StoredProcedures
        WHERE OID = @MAXOID
          AND StoredProcName NOT LIKE 'sp_%'
          AND StoredProcName NOT LIKE 'xp_%'
        IF @ObjectName IS NOT NULL
        BEGIN
            -- 7 - Build the string (QUOTENAME escapes each identifier)
            SELECT @CMD1 = 'USE ' + QUOTENAME(@DB) + ';GRANT EXEC ON ' +
                QUOTENAME(@OwnerName) + '.' + QUOTENAME(@ObjectName) +
                ' TO ' + QUOTENAME(@user)
            -- 8 - Show and execute the string
            SELECT @CMD1
            EXEC(@CMD1)
        END
        -- 9 - Decrement @MAXOID
        SET @MAXOID = @MAXOID - 1
    END
    -- 10 - Drop the temporary table
    DROP TABLE #StoredProcedures
    SET NOCOUNT OFF
    GO
    --Step 3 Assign the user to this role.

  • Grant access to terminated employee's mailbox

    How can I easily grant access to a terminated employee's mailbox including deleted items? If I have the terminated employee's mailbox on litigation hold the deleted items are in the recovery folder, but can the recovery folder only be viewed through e-discovery process?
    Thanks!

    Hi Viper,
    Thank you for your question.
    We could run the following command to grant full access permission on terminated user:
    Add-MailboxPermission -Identity <terminated user> -User <your name> -AccessRights FullAccess -InheritanceType all
    If I have the terminated employee's mailbox on litigation hold the deleted items are in the recovery folder, but can the recovery folder only be viewed through e-discovery process?
    A: Yes, we could be granted only viewer to the specific user, we could refer to the following link:
    https://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx
    Authorized users can perform an In-Place eDiscovery search by selecting the mailboxes, and then specifying search criteria such as keywords, start and end dates, sender and recipient addresses, and message types. After the search is complete, authorized users can then select one of the following actions:
    Estimate search results: This option returns an estimate of the total size and number of items that will be returned by the search based on the criteria you specified.
    Preview search results: This option provides a preview of the results. Messages returned from each mailbox searched are displayed.
    Copy search results: This option lets you copy messages to a discovery mailbox.
    Export search results: After search results are copied to a discovery mailbox, you can export them to a PST file.
    If there are any questions regarding this issue, please be free to let me know. 
    Best Regard,
    Jim
    Jim Xu
    TechNet Community Support

  • Grant access based on application type?

    Hi,
    Is there a way to grant access to just some of the application types attached to a DIR? I would like to limit the users to open the CAD files but they should be able to open the PDF files attached. The idea is to create the PDF file automatically out of the CAD file so I can't put them in different DIRs because that would involve manual work.
    Kind regards,
    Kristoffer Pehrson

    Hi Kristoffer,
    from my point of view maybe the authorization trace could help to find a suitable authorization object for creating your checks. More information on this authorization trace could be found under http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationTraceintransactionST01
    Useful information on each DMS authorization object can be found under http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationObjectsin+DMS.
    If no standard authorization object could be useful maybe you can use a BADI like DOCUMENT_AUTH01 or DOCUMENT_MAIN01 to implement an individual check for the application type and so restrict some users to view special applications.
    Best regards,
    Christoph

  • GRANT ACCESS with sys user

    hi
    i have a user with objects, tables, views and procedures but it doesn't have dba privileges... how can i grant access to all the users to these objects? (with the sys or system user).
    thanks for your help.
    alex

    Hello,
    Every user in database has its objects and DBA privileges are not for everyone.
    how can i grant access to all the user to these objects? (with the sys or system user)<<<<<<Can you explain these lines? What's your requirement? Please state clearly...
    As far as I got your problem, you require that all other users of the database should be able to access the objects of the user (let's say A) which you specified in the first line.
    For this purpose create public synonyms for all objects of user A and grant. So, everyone can use the objects of "A's" schema.
    Please update... if you got the point or not...

  • Access database view from JPA to HANA database, JDBC: [258]: insufficient privilege:

    My java application is deployed on neo.ondemand.com and uses the hana database on cloud also, we use eclipselink
    the jpa persistence configuration:
    <property name="eclipselink.target-database" value="com.sap.persistence.platform.database.HDBPlatform"/>
    here i do not specify any user or password to access the database, i think hana JDBC somehow hides the user information when java application and hana database both are on the cloud.
    for the tables created by JPA itself, access is fine.
    now i have created a view via Hana studio, through database tunnel using account  dXXXXXXsapdev
    i have a JPA entity, and i am trying to access the view from java application, it reports error:
    Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.3.2.v20111125-r10461): org.eclipse.persistence.exceptions.DatabaseException Internal Exception: com.sap.db.jdbc.exceptions.JDBCDriverException: SAP DBTech JDBC: [258]: insufficient privilege:
    I do not know which database user is used by JPA to access the view, how can i grant the database rights on the view so that "native java application on cloud" can access the database schema (or view created through database tunnel)
    any comment is welcomed.

    Hi,
    Please post this issue under SAP HANA Cloud Platform space. The platform experts should be able to help with that.
    Regards,
    Ifat.

  • Wwsbr_api.add_folder and grant access/

    I created a folder with the API
    wwsbr_api.add_folder, which worked fine.
    Now i want to grant VIEW access to a specific user for that folder, using an API. I used:
    wwsec_api.set_user_acl
    (p_person_id=>v_personid
    ,p_object_type_name=>'FOLDER'
    ,p_name => 'STOREMANAGER2'
    ,p_privilege=>'VIEW'
    );
    But it didn't help. The user can still not see this folder? Any suggestions?
    Thanks,
    Anja

    Jerry,
    sorry for replying so late, but i can read my email only at the hotel in the evening.
    Thanks for the script, but it didn't help.
    Here is more information:
    Running
    Declare
    c Varchar2(100);
    Begin
    c := wwsec_api.get_granted_user_privilege(
    p_user_id =>10,
    p_object_type_name=>'FOLDER',
    p_name=>'2227'
    );
    dbms_output.put_line(c);
    End;
    /
    for my specific user, it returns VIEW:
    SQL> @getgranteduserpriv.sql
    VIEW
    PL/SQL procedure successfully completed.
    However, if i navigate through the UI with
    another user that has admin privileges:
    - i click Edit Folder
    - Administration
    - Folder (Edit Content Area)
    - Access tab
    Here i don't see my user "10" in the ACCESS list.
    I do see another user "7" which has VIEW privileges. That's what the UI shows.
    However, if i run wwsec_api.get_granted_user_privilege for user "7" i don't get anything back.
    Am i using the right API?
    Is wwsec_api.set_user_acl
    matching the UI's GRANT ACCESS/CHANGE ACCESS interface?
    Thanks for you help,
    Anja

  • Timecard Approval + Grant Access

    Hello all,
    We have an OTL implementation with supervisor approval setup. We have an issue with the following scenario:
    1. Employee (A) submits time card
    2. Supervisor (B) is unavailable to act on it (sick, unplanned absense etc..)
    3. Supervisor has given access to his/her supervisor (C) (worklist)
    4. C is unavailable too, again, unplanned
    5. C has setup worklist access to his/her supervisor (D)
    Our need is to allow D to act on A's time card without every supervisor providing a grant access to every one above then in the chain of command. Is there any solution/workaround in OTL/Workflow to provide access in a hierarchical manner in such scenarios?
    Thanks in advance,
    Vijay


  • Sql server grants access to specific login to database.

    I have created a website for intranet and hosted it on server. For that I needed to create login "IIS APPPOOL\hi" in sql server 2008 for my application to access my "reportdb" database. "IIS APPPOOL\hi" has sysadmin and public server roles in sql server 2008. And I have default login "sa" same as "IIS APPPOOL\hi". These are working correctly. Now I want these two logins to access "reportdb" for all operations in database and remaining all logins should be denied to access "reportdb". My Sql Server 2008 is having mixed mode (windows authentication and Sql authentication). Please help me

    I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
    As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
    If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
    Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities to perform the tasks needed.
    The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
    If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any question on this topic I will be glad to assist.
    I hope this information helps,
    -Raul Garcia
     SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.
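
The least-privilege setup recommended in the answer above, as an added T-SQL example (not from the original posts) using SQL Server 2008 syntax. The login and database names come from the question; the role app_rw, the table dbo.ReportStaging and the procedure dbo.usp_PurgeReportStaging are hypothetical, and the login is assumed not to own reportdb.

```sql
-- Before: the application pool identity is sysadmin, so one SQL injection
-- bug in the site gives control of the whole instance.
USE [master];
EXEC sp_dropsrvrolemember @loginame = N'IIS APPPOOL\hi', @rolename = N'sysadmin';
GO

-- After: a database user that can only read and write application data.
USE [reportdb];
GO
CREATE USER [IIS APPPOOL\hi] FOR LOGIN [IIS APPPOOL\hi];
CREATE ROLE app_rw;                                   -- hypothetical role name
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO app_rw;
EXEC sp_addrolemember @rolename = N'app_rw', @membername = N'IIS APPPOOL\hi';
GO

-- Controlled elevation through impersonation: TRUNCATE needs ALTER on the
-- table, which app_rw does not have. The procedure runs as its owner, so the
-- application gets this one operation and nothing else.
CREATE PROCEDURE dbo.usp_PurgeReportStaging           -- hypothetical procedure
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    TRUNCATE TABLE dbo.ReportStaging;                 -- hypothetical table
END;
GO
GRANT EXECUTE ON OBJECT::dbo.usp_PurgeReportStaging TO app_rw;
GO

-- Review the result: server role membership of the login, then every
-- permission the role holds in this database.
SELECT IS_SRVROLEMEMBER('sysadmin', 'IIS APPPOOL\hi') AS is_sysadmin;

SELECT pe.class_desc, pe.major_id, pe.permission_name, pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name = N'app_rw';
```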
