Grant access to save queries in Kibana - elasticsearch

I want to grant users a permission to save their own queries.
Granted "All" to Discover and Dashboard.
For now users see "save query" as "read-only". I've tried turning on/off "Advanced Settings", "Saved Objects Management" - nothing works. Is there a way to turn this feature on easily without installing OSQuery? (installed on another cluster, setting it to "All" did a thing)
For now Management in user settings looks like this. Should I change to "All" some of those?
Using ElasticSearch 7.13.1

In order to allow users to save their own queries in Elasticsearch, you will need to grant them the "save" and "save_object" cluster privileges. You can do this by navigating to the "Cluster Privileges" section in the Elasticsearch Management interface, and editing the relevant user or role to include those privileges.
You may need to set the "All" permissions in the Discover and Dashboard, and also check if the user has the save and save_object index privilege on the index they are trying to save queries on.
Additionally, you should check if the user has the manage_saved_objects role. If the user does not have this role, you can assign it to them in the "Roles" section of the Elasticsearch Management interface.
Also, you can check the index-level permissions in index management, if the user has the necessary permissions to create, update and delete saved objects in the index.

Related

If I give a user table privileges do i need to give them a database role as well

I have a database and want to give out roles and privileges.
My aim is to allow multiple users - all have the same privileges - to be able to create, edit and view the tables (That's it).
I understand there are user table privileges that allow a user to Create, alter, drop and delete items in tables. But I also understand that there is a resource user pre-defined role that allows a user to do the same thing.
Would I offer both of the roles? The table-level privileges and predefined roles? What would happen if I do offer both? Can I?
That is more a database administration question, as you have users that develop their own tables. And the heart of your question, "one size fits all prepacked" role RESOURCE or better a bespoke solution for your set of users is really one of administrative style, taste, and your special case.
Personally, I don't like the role RESOURCE as it lacks the privilege CREATE VIEW.
Please note that the privilege CREATE TABLE (granted directly or via a role) allows the user to create tables in his/her own schema. To create tables in other schemas (or "all the tables on the database"), you need the privilege CREATE ANY TABLE. See documentation for details.

Giving a user READ-ONLY permission on a workspace in APEX

I have a workspace created in APEX, and it has a user associated with it (say, USER). I also have an ADMIN user. I want the USER to be able to just select the data from the schema tables and not update/delete tables or create a package etc. How can I achieve this?
I logged in as ADMIN and was tweaking some settings of the workspace. I saw an option called SQL Workshop. Enabling or disabling it doesn't serve my purpose. I want the user to be able to write queries (only select) but he must not be able to update the data or create packages or stuff like that.
There isn't a way to accomplish this within the same workspace. Anyone who can develop or administer a workspace can parse SQL as any database user (schema) mapped to that workspace. You could achieve this using another workspace and normal database object privileges.
Create a second workspace, which USER can login to.
Selectively grant object privileges from objects owned by the database user of the first workspace to the database user of the second workspace. E.g.,
GRANT READ ON dbuser1.table TO dbuser2;

what is the difference between creating a profile and a policy to restrict a user in Oracle?

Taking a course on Oracle database security, I have learned profiles are being created to restrict access of some users to some resources. On the other hand, we have functions and policies, which can restrict users too, but I am not clear on the difference between these two. Why do we use profiles while we can create policies for users?
A Profile restricts how much system resource a user is allowed: how many concurrent sessions they can have, how much CPU they can use, etc. We can also use Profiles for password management: how many failed logins they're allowed, how long a password lasts, etc.
So a Profile defines the broad bounds of system usage. It governs hardware and database access.
By "policy" I assume you mean Fine-Grained Access Control. These policies set limits to what a user can see of an individual table: what rows they can see and what columns. So we could use an FGAC policy to allow a manager to see all the details for their direct reports but only certain information for all other employees.
So a Policy applies further restrictions to a table which a user already has access to. Which highlights the missing P from your question.
A Privilege grants a user permission to do a specific thing. By default a user cannot do anything in a database. They can't even connect to it without the CREATE SESSION privilege. There are two levels of Privilege. A System Privilege allows a user to do general activities like create a table, execute any procedure, query the data dictionary, etc. A Table Privilege allows a user to do something with a specific object owned by a different user, such as select from my.employee_table, execute her.string_function, etc.
So you can see how Privileges and FGAC Policies interact. I might grant you select and update on my.employee_table but enforce a policy that only allows you to update records for department 40.
To summarise. There are four levels of user restrictions.
In descending order of breadth:
Profile
System Privilege
Table (i.e. Object) Privilege
FGAC Policy
Note: 12c introduced something called an Audit Policy. Clearly that is relevant to the general topic of Oracle database security but I don't think it's pertinent here.
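
The four levels from the answer above, applied to one account, as an added Oracle SQL example (not part of the original answer). The names app_user, app_profile, dept40_only and the column department_id, as well as the limit values, are assumptions; my.employee_table and department 40 come from the answer.

```sql
-- Added example. app_user, app_profile, dept40_only, department_id and the
-- numeric limits are assumed for illustration.

-- 1. Profile: how much of the system the account may use, plus password rules.
--    Resource limits such as SESSIONS_PER_USER are enforced only when the
--    RESOURCE_LIMIT initialization parameter is TRUE; password limits always are.
CREATE PROFILE app_profile LIMIT
  SESSIONS_PER_USER     2
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90;

ALTER USER app_user PROFILE app_profile;

-- 2. System privilege: without this the account cannot even connect.
GRANT CREATE SESSION TO app_user;

-- 3. Object privilege: access to one specific table owned by another user.
GRANT SELECT, UPDATE ON my.employee_table TO app_user;

-- 4. FGAC policy: narrows what the object privilege above can touch.
--    The function returns a predicate that Oracle appends to the statement.
CREATE OR REPLACE FUNCTION my.dept40_only (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The table owner is left unrestricted (NULL predicate = no filter).
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'MY' THEN
    RETURN NULL;
  END IF;
  RETURN 'department_id = 40';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'MY',
    object_name     => 'EMPLOYEE_TABLE',
    policy_name     => 'DEPT40_UPDATE',
    function_schema => 'MY',
    policy_function => 'DEPT40_ONLY',
    statement_types => 'UPDATE',   -- SELECT is left unfiltered
    update_check    => TRUE);      -- also check the row after the update
END;
/
```

Because the policy is registered for UPDATE only, app_user can still read every row; with update_check set, an update that would move a row out of department 40 is rejected as well.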

Restrict User Access Rights In ClickHouse

I have created multiple Databases in Clickhouse and a new User, and now can I restrict that newly created user to be able to access a particular database.
In users.xml in 'user' (near profile, quota...) you could specify optional section
<allow_databases>
    <database>default</database>
    <database>test</database>
</allow_databases>
If there is no 'allow_databases' section - it means that access to all databases is allowed.
Access to database 'system' is always allowed (because system database is used to process queries).
User could list all databases and tables (using SHOW queries or system tables), even if there is no access.
Database access limits are completely unrelated to 'readonly' settings. There is no possibility to provide full access to one database and readonly access to another.

Create a role without granting it

I would like to create a role connected as SYSTEM. But because I have a lot of schemas with a lot of roles and all of them will be created this way, I don't want the created roles to be granted to SYSTEM (otherwise it eventually will exceed the 148-roles limit).
=> Is that possible to disable the automatic grant on the creator?
NB: for now I work on Oracle 9i but it will soon be upgraded to 11g
There are 2 parts to my answer:
Roles in Oracle are a bit like keys on your keyring: just because they're on the keyring doesn't mean you're using them all the time. Oracle has the concept of default roles: these roles are activated automatically when the session is created. The other roles can be enabled later if the user so desires.
The 148 role limit applies to active roles, see for example this documentation link for oracle 10g: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6012.htm#sthref7227
To disable roles from being default, use ALTER USER ... DEFAULT ROLE ..., see http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4003.htm#sthref5717
Don't create any objects, even roles, when connected as SYSTEM. Instead you should be using an ordinary user to create a role and adding objects to it that are appropriate for that user's schema's objects. You will need to grant the CREATE ROLE system privilege to those users that need to own objects and have roles for them, but that's all part of the Oracle security model.
The maximum number of user-defined roles that can be enabled for a single user at one time is 148.
You can pretty much create as many roles as you like - just don't enable them all at once.
When you create a role (other than a user role), it is granted to you implicitly and added as a default role. You receive an error at login if you have more than MAX_ENABLED_ROLES. You can avoid this error by altering the user's default roles to be less than MAX_ENABLED_ROLES. Thus, you should change the DEFAULT ROLE settings of SYS and SYSTEM before creating user roles.
http://docs.oracle.com/cd/B10500_01/server.920/a96521/privs.htm#15539
e.g.
ALTER USER SYSTEM DEFAULT ROLE DBA
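
The distinction both answers draw between roles that are granted and roles that are enabled can be checked from the data dictionary. The following is an added example, not part of the original answers; app_read_role is an assumed role name.

```sql
-- Added example. app_read_role is an assumed name.

-- Roles SYSTEM currently holds, and which of them are enabled at login.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SYSTEM'
ORDER  BY granted_role;

-- Pin the default roles to an explicit list before creating more roles
-- (the statement given in the answer above).
ALTER USER system DEFAULT ROLE dba;

-- The creator still receives the new role implicitly.
CREATE ROLE app_read_role;

-- Inspect the DEFAULT_ROLE column for the role that was just created.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SYSTEM'
AND    granted_role = 'APP_READ_ROLE';

-- SESSION_ROLES lists every role enabled in the current session, including
-- roles reached through other roles; this is what counts against the limit.
-- A changed DEFAULT ROLE setting takes effect at the next login.
SELECT COUNT(*) AS enabled_roles FROM session_roles;

-- A granted but non-default role is enabled only on request.
-- SET ROLE replaces the whole set of enabled roles, so list all that are needed.
SET ROLE dba, app_read_role;
```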
