Grant table permissions

Similar Messages

• Per-service SID's are not being granted correct permissions

  Hi,
  I had posted this here :
  https://connect.microsoft.com/SQLServer/feedback/details/770984/per-service-sid-s-are-not-being-granted-correct-permissions, but no response as yet.
  When installing SQL 2012 (on a VMWare VM), based on the following article :
  http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110), I have noticed that the SQL per service SIDs are not being granted the correct permissions. From the initial install, the following is what was observed (the red x's being permissions that
  should have been granted but were not).
  When re-installing and changing from specifying a domain account, to the default values, during set-up, the 4 service SIDs that were not added to 'Log on as a Service' initially were then correctly granted permission, but the other 4 in 'Bypass traverse
  checking', 'Adjust Memory Quotas for a process' and 'Impersonate a Client after authentication' were still not added.
  When running a repair on this install, 'NT Service\MSSQLFDLauncher' was then granted the correct permissions, but 'NT SERVICE\MsDtsServer110' was still missing 'Bypass traverse checking' and 'Impersonate a Client after authentication'.
  This also resulted in the installation of Reporting Services - Native failing in the original installation with 'Attempted to perform an unauthorized operation'.
  If anyone has recently installed SQL 2012, can you check (via gpedit.msc) that the correct 'User Right Assignment' was granted to the per Service SIDs as per
  http://msdn.microsoft.com/en-us/library/ms143504(v=sql.110) ?

  Have you resolved this yet?  Group policy for the OU with my desktop removes all SQL per-service rights.  If group policy is your issue, I'd be interested in how some are retained.  
  Randy in Marin

• Fastest way to grant cube permissions per AMO (250 roles, 30 cubes)?

  Hi there,
  can anybody tell me the fastest way to grant cube permissions in a scenario, where for example 250 roles have to be granted for 30 cubes?
  Now, I do it with AMO, iterating throgh the roles, setting cube permissions.
  My method for granting access looks like this:
  public void GrantCubePermission(Role pRole, Database pDatabase, string pCubeName, ReadAccess pReadAccess, WriteAccess pWriteAccess, ReadSourceDataAccess pReadSourceDataAccess, bool pProcess, ReadDefinitionAccess pReadDefinitionAccess)
  try
  if (pRole == null) return;
  Cube cube = pDatabase.Cubes.FindByName(pCubeName);
  if (cube == null) return;
  CubePermission cubePermission = cube.CubePermissions.FindByRole(pRole.ID);
  if (cubePermission == null)
  cubePermission = cube.CubePermissions.Add(pRole.ID);
  cubePermission.Read = pReadAccess;
  cubePermission.Write = pWriteAccess;
  cubePermission.ReadSourceData = pReadSourceDataAccess;
  cubePermission.Process = pProcess;
  cubePermission.ReadDefinition = pReadDefinitionAccess;
  cubePermission.Update(UpdateOptions.AlterDependents, UpdateMode.UpdateOrCreate);
  catch (Exception ex)
  Msg(ex.ToString(), "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
  Doing it this way, the operation tooks about 4 seconds per role (the given method is executed 30 times per role, the number of the cubes to be granted for).
  Finally, for 250 roles, the operation tooks about 16 minutes.
  Is there a way to do it faster?

  Did you consider XMLA ?
  <
  Createxmlns="http://schemas.microsoft.com/analysisservices/2003/engine">
      <
  ParentObject>
          <
  DatabaseID>DAtabasename</DatabaseID>
      </
  ParentObject>
      <
  ObjectDefinition>
          <
  Rolexmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xmlns:ddl2="http://schemas.microsoft.com/analysisservices/2003/engine/2"xmlns:ddl2_2="http://schemas.microsoft.com/analysisservices/2003/engine/2/2"xmlns:ddl100_100="http://schemas.microsoft.com/analysisservices/2008/engine/100/100"xmlns:ddl200="http://schemas.microsoft.com/analysisservices/2010/engine/200"xmlns:ddl200_200="http://schemas.microsoft.com/analysisservices/2010/engine/200/200"xmlns:ddl300="http://schemas.microsoft.com/analysisservices/2011/engine/300"xmlns:ddl300_300="http://schemas.microsoft.com/analysisservices/2011/engine/300/300"xmlns:ddl400="http://schemas.microsoft.com/analysisservices/2012/engine/400"xmlns:ddl400_400="http://schemas.microsoft.com/analysisservices/2012/engine/400/400">
              <
  ID>Role</ID>
              <
  Name>ReadRole</Name>
              <
  Members>
                  <
  Member>
                      <
  Name>domain\user</Name>
                  </
  Member>
                  <
  Member>
              </
  Members>
          </
  Role>
      </
  ObjectDefinition>
  </
  Create>

• Granting different permissions to different codebases : policy file problem

  Hi all. I'm having a bit of a problem with policy files and granting different persmissions to different codebases. What I have at the moment is a server app that copies a class file from the client to a specified directory on the server, and then dynamically loads and runs that class. This all works fine, but obviously as user submitted code is going to be run on the server I want to restrict what they are allowed to do. My app is going to be bundled up in a single jar file, and the directory that the client code is being copied to a subdirectory of the app installtion (not that this should make much difference). What i want to do is grant all permissions to my code in the jar file and resrict the permssions granted to code in the strategies directory. I assumed i would just be able to do this using my own policy file, but at the moment i'm not having much luck.
  Directory structure:
  c:/project/code/
  |
  |-labyrinth.jar
  |-strategies/
  Contents of labyrinth.policy:
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Command line arguments:
  java -Djava.security.manager -Djava.security.policy==./labyrinth.policy -classpath .;./labyrinth.jar;./strategies/;%CLASSPATH%; labyrinth.LabyrinthServer
  I've tried specifiying the absolute path to the jar file in the policy file as well as the relative path, i've tried including -Xbootclasspath/a and appending the jar file. All I seem to be able to manage though is either granting all permissions system wide, including the strategies dir, or none and getting security exceptions within my code. Anyone tried doing anything similair or got any idea where I might be going wrong? Any help would be appreciated as its really starting to doing my head in.
  TIA. Matt.

  Did you try putting a slash at the beginning of your "file" specification? e.g., instead of saying
  grant codeBase "file:../code/labyrinth.jar" {
  permission java.security.AllPermission;
  say
  grant codeBase "file:/../code/labyrinth.jar" {
  permission java.security.AllPermission;
  Hope this helps.

• Public grants and permissions

  Hi,
  could any one please answer to these queries.
  1.)what is the difference between normal grants and permissions & public grants and permissions?
  2.)what is the sql to find out public permissions/grants in database

  Hi,
  could any one please answer to these queries.
  1.)what is the difference between normal grants and
  permissions & public grants and permissions?
  You may be granted Permissions to write or read from certain folder or to access or execute certain objects.
  A privilege granted to normal user (private) is only to that specified user. A grant to Public means every user in the database has access to it (for security, this is not recommended unless you know what you are doing)
  2.)what is the sql to find out public
  permissions/grants in databaseQuery the DBA_xxx_PRIVS views
  DBA_AQ_AGENT_PRIVS
  DBA_COL_PRIVS
  DBA_ROLE_PRIVS
  DBA_SYS_PRIVS
  DBA_TAB_PRIVS
  E.g
  SQL> select * from dba_tab_privs where grantee ='PUBLIC';

• Grants and Permissions

  Need to find out how to implement grants and permissions for a Page. Which module/responsibility/navigation path we have to select to set this

  Hi,
  could any one please answer to these queries.
  1.)what is the difference between normal grants and
  permissions & public grants and permissions?
  You may be granted Permissions to write or read from certain folder or to access or execute certain objects.
  A privilege granted to normal user (private) is only to that specified user. A grant to Public means every user in the database has access to it (for security, this is not recommended unless you know what you are doing)
  2.)what is the sql to find out public
  permissions/grants in databaseQuery the DBA_xxx_PRIVS views
  DBA_AQ_AGENT_PRIVS
  DBA_COL_PRIVS
  DBA_ROLE_PRIVS
  DBA_SYS_PRIVS
  DBA_TAB_PRIVS
  E.g
  SQL> select * from dba_tab_privs where grantee ='PUBLIC';

• Granting of permissions

  Okay, here is what I am trying to achieve (from my last thread):
  I work at a K-12 school. I have a superintendent that wants to have a folder that only himself and the administrator can have access to. This part seems to be easy. Just do some arranging of folders that are used by other lower-level admins and grant them permissions on the folder that would contain said folders.
  The second part is trickier. I want the admin secretary, bookkeeper, and assistant admin to have the power to add and delete names into the NDS. The only way they can currently enter names is if they have admin powers. I want to remove those powers but still allow them to have the ability to add/remove names from NDS.
  My question is this. Is there a step-by-step ( or can one be provided in this thread) of how to create the permissions necessary for Console One 1.3.6.h or even iManager 2.7x and where to apply said permissions that allows me to grant the power to add/delete an user from NDS.
  Thanks,
  Kevin

  Originally Posted by dgersic
  On Thu, 09 Jun 2011 18:36:02 +0000, wheatonr3 wrote:
  > Okay, that made sense. Now, my next question has to do with those
  > trustee rights after I created the Organizational Container. There are
  > a lot of things on the trustee list when you click on the "Add Property"
  > button. Which properties/rights do I need to assign an user to add and
  > delete users, change accounts from locked to active (and vice-versa),
  > and change passwords when needed.
  Creating objects requires Create rights at the container.
  Deleting objects requires Delete rights.
  By "locked" I'm assuming you mean "disabled". They'll need rights to the
  Login Disabled attribute.
  For password changes, they'll need rights to the "Password Management"
  attribute.
  David Gersic dgersic_@_niu.edu
  Novell Knowledge Partner http://forums.novell.com
  Please post questions in the newsgroups. No support provided via email.
  Okay. This then has no bearings on permissions into folders and whatnot so if I assign some folders with administrator permissions only, then those I assign the permissions you stated cannot get into that folder unless they themselves are administrators.

• Security Role Won't Grant Table Access

  When I log into the my production server there only two tables (dbperties & Trans) showing under tables when the  Dbase is selected.  I checked the server roles and I only have “Public” access. I can see the views that have been
  created. I have been added to the Group membership and added to one of our vendor groups but  I still can't see the additional tables. 
  However, when I log into the Development site it’s showing all the iMIS tables and I have both “Public” & “SysAdmin” roles.
  Should I be added to the
  “SysAdmin” role as well?
  Thanks in advance.
  DJ

  Hi,
  According to your description, as Erland’s post, if you are a member of Active Directory groups with administrative privileges , it means that you have full permissions on the Windows-level objects, such as the rights to read/write folders, but it does not
  mean that your account is administrator in SQL Server except for creating a login name with this account and granting to sysadmin role.
  Usually, the members of sysadmin role have administrative privileges on all server databases and resources, and can perform any activity in SQL Server. Generally, DBA is granted the sysadmin permission. If you need to perform any activity in SQL Server,
  your account should be added to the sysadmin role. You can right-click sysadmin in Object Explorer/Security/Server Roles in SQL Server Management Studio (SSMS) ,then add your account. Please note that only a sysadmin member has  rights to grant users
  different permissions in SQL Server.
  Public role is a special database role that exists in every user database, and by default, every database user is automatically assigned to this built-in role. If you just need to access and modify all the objects of a database , it’s not necessary to being
  a sysadmin member in SQL Server , you can add your account to the db_owner database role.
  For more information, please review the following this article: Server and Database Roles in SQL Server.
  Thanks
  Lydia Zhang

• Granting item permissions to specific group or users via workflow- sharepoint online

  I want to create a Document Set and upon doing that i want to grants users/ groups item level permissions to the document set.
  Can this be done via workflow?
  What are my options?

  If workflow starts on document set, you will change permission on the document set: if the files inherit permission from document set, all children files will have the same document set permission.
  the document set is nothing more than a souped-up folder
  Regards,
  Bubu
  http://zsvipullo.blogspot.it
  Please mark my answer if it helped you, I would greatly appreciate it.

• Granting table privileges on another users tables

  Can anyone tell me what privilege needs to be granted to a user to be able to grant insert/update/select/delete/execute on another users tables/packages?
  I had thought that 'grant any privilege' was the one to have... and - the user I am trying to use to grant the privileges on the other users schema has this however - I'm still getting : ORA-01031: insufficient privileges when trying to run the grants.
  Any ideas what I'm doing wrong here?

  Ok... well...
  The 'with grant' option doesn't appear to be the issue.
  The user attempting to perform the grants:
  i.e. GRANT SELECT ON user_2.table_1 TO view_role
  has the 'grant any object privilege' and - that seems to be enough. When I run the statement above as a simply as typed - it works fine.
  However - what I'm actually doing is concatenating that together in a string and running (from a package created by/as user_1) and doing an execute immediate...
  i.e.
  l_sql := 'GRANT ' || l_rec.privilege || ' ON ' || l_rec.owner || '.' || l_rec.table_name || ' TO ' || p_role;
  EXECUTE IMMEDIATE l_sql;
  And - it's this that's giving me the insufficient privileges...
  I do not have invokers rights set on the package - so that shouldn't be an issue. And - I can't find any documented restriction on doing this (and - in fact - it works fine if I create the package as user_2 and run it as user_2 - the owner of the objects).
  I'm at a loss.

• Grant tables/views to other user

  i have 3 user (a,b,c)
  i want to grant select previlege of all the tables/views of user a,b to c
  please help me out which one is the shortest method to doing this

  sukhijank wrote:
  grant select any table to a,b,c;
  select 'grant select on '|| OWNER || '.' ||view_name || ' to ' || '<USERNAME>;' from dba_views;
  This is considered lazy and bad practice. A better practice would be to create a role, make individual grants on the tables and views owned by a and b to the role and then grant the role to c.
  This is assuming c will be just querying the objects and not referencing the objects in its own objects (ie views packages etc). If this is the case then direct grants from a and b to c are needed. Once again, you should only grant the minimum necessary and resist the temptation to do a quick fix and grant system privs to ordinary users.
  Andre

• Grant table create for only temporary tables

  I looking for a way to allow user to create only temporary tables. The user does not need to create or drop any public tables.

  Hi,
  >>This is really a bad suggestion. The user1 can now only select his own tables, no insert or update. It can not be allowed in the "real world".
  The OP said "I looking for a way to allow user to create only temporary tables"
  I think that you didn't understand what I showed ...
  SYSTEM@test> create user user1 identified by user1 default tablespace USERS quota 0 on USERS;
  User created.
  SYSTEM@test> create user user2 identified by user2 default tablespace USERS quota unlimited on USERS;
  User created.
  SYSTEM@test> grant create session,create table, create synonym to user1,user2;
  Grant succeeded.
  SYSTEM@test> connect user2/user2@teste
  Connected.
  USER2@test> create table x (id number);
  Table created.
  USER2@test> insert into x values (1);
  1 row created.
  USER2@test> grant select,delete,insert,update on x to user1;
  Grant succeeded.
  USER2@test> connect user1/user1@teste
  Connected.
  USER1@test> create synonym x for user2.x;
  Synonym created.
  USER1@test> insert into x values (2);
  1 row created.
  USER1@test> select * from x;
          ID
           1
           2
  USER1@test> create table y (id number);
  create table y (id number)
  ERROR at line 1:
  ORA-01536: space quota exceeded for tablespace 'USERS'
  USER1@teste> create table user2.y (id number);
  create table user2.y (id number)
  ERROR at line 1:
  ORA-01031: insufficient privileges
  USER1@test> drop table user2.x;
  drop table user2.x
  ERROR at line 1:
  ORA-01031: insufficient privileges
  USER1@test> create global temporary table y (id number) on commit preserve rows;
  Table created.
  USER1@test> insert into y values (1);
  1 row created.
  USER1@test> select * from y;
          ID
           1
  USER1@test>Cheers

• Grant read permissions for one new user in db2

  Hello,
  we wish to have one new user in database which only can read in all tables. For the moment i´ve no idea to create this. The command "grant select ...." is not possible for a single user and all tables.
  Regards
  Olaf

  we can   grant select permission for all table through below steps
  1. Run this command on command promt
  db2  "  select ' grant select on table ' ,  tabname, ' to user  username ' from syscat.tables" > filename
  2. Run the above file
  db2 " db2  -vtf filename"
  Thanks & Regards
  BALAJI
  tcs

• Grant Table

  Can I grant to a user selected fields/columns of a table, rather than a complete table. I would like to apply this feature to select,insert,update
  Thanks

  To do exactly what you want you should create a VIEW, and grant privileges on that view to the user.
  Look at
  http://download-west.oracle.com/docs/cd/B13789_01/server.101/b10759/statements_9013.htm#sthref6511
  There you can see :
  column
  Specify the table or view column on which privileges are to be granted. You can specify columns only when granting the INSERT, REFERENCES, or UPDATE privilege. If you do not list columns, then the grantee has the specified privilege on all columns in the table or view.

• User granted wrong permissions

  Problem: User has ability to access share points she does not have rights to, permission wise. This is a bad thing.
  User is a member of Workgroup, and no other groups.
  Financial share point settings:
  Human Resources share point settings:
  What the user sees:
  How do I make this stop?
  Things I've tried - re-applying permissions, rebooting, deleting account, re-adding.
  site note/partial solution - that account was a network account. Re-creating the account as a local user gave the correct permissions.
  Why?

  If this was the case, why wouldn't other users in the same workgroup be able to see the shares?
  This problem is limited to one person out of 15.