question post to StackExchange;
Please help my study for Role assignment. ClickHouse is using two methods of Role assignment;
GRANT
SET
eg 1: GRANT admin TO user1
eg 2: SET ROLE admin TO user1
I can't find difference of these two. Please advice if you have any knlowledge of it. Thanks!
It is two different commands:
GRANT assigns a role to user accounts not apply / activate it
SET ROLE activates role to the current user so that role be used
Example (see https://clickhouse.tech/docs/en/sql-reference/statements/create/role/#create-role-examples):
CREATE ROLE accountant;
GRANT SELECT ON db.* TO accountant;
GRANT accountant TO user1;
/* login as user1 */
/* activate the role and use related privileges */
SET ROLE accountant;
SELECT * FROM db.*;
To avoid calling SET ROLE each time after user login it needs to add role to the default list by SET DEFAULT ROLE.
Related
I'm currently trying to grant a couple of simple privileges to an Oracle database user.
I have tried the following queries:
grant all privileges to <username>
grant alter session to <username>
The second privilege is the one I actually need, but I decided simply to try and give the user all privileges to see if that would work. When I check the user's permissions using
select * from user_sys_privs;
everything seems to say NO.
I've even tried to grant the user dba privileges and that still fails. My end goal is to run scripts that require these permissions to be turned on.
Any help is greatly appreciated.
everything seems to say NO
You're looking at the wrong thing. If the user_sys_privs view lists ALTER SESSION:
select * from user_sys_privs where privilege = 'ALTER SESSION';
USERNAME PRIVILEGE ADM COM
-------------------- ------------- --- ---
MY_USER ALTER SESSION NO NO
then the user does have that privilege.
The NO entries don't mean the privilege is not granted. The columns that is showing you are:
desc user_sys_privs
Name Null? Type
----------------------------------------------------------------- -------- --------------------------------------------
USERNAME VARCHAR2(128)
PRIVILEGE VARCHAR2(40)
ADMIN_OPTION VARCHAR2(3)
COMMON VARCHAR2(3)
and they are described in the documentation:
ADMIN_OPTION - Indicates whether the grant was with the ADMIN option (YES) or not (NO)
COMMON - Indicates how the grant was made. Possible values:
YES if the privilege was granted commonly (CONTAINER=ALL was used)
NO if the privilege was granted locally (CONTAINER=ALL was not used)
As you didn't specify the admin option or any other modifiers, it's correct that both of those flags are set to NO.
What's probably confusing you is that all privileges are listed when you query for your user, because you did grant all privileges to <username>. You probably want to revoke all of those privileges, and only grant the specific ones the user actually needs. You'll then see a much shorter list when you query user_sys_privs - possibly only that single entry, depending on what else you need to retain for the user.
You might also want to consider using roles, though you sometimes need to have privileges granted directly anyway - if a stored procedure relies on them.
I am sorry for a newbie question. I am creating a readonly user in oracle. I want to limit him just to view and execute a function or procedure. I dont want him to modify those func or proc. Please help me on how to achieve this.
Thanks a lot
-- As sysdba:
-- 1) create an user account
create user <username> identified by <password>;
-- 2) allow user to log in
grant create session to <username>;
-- 3) allow user to execute a single procedure in other schema
grant execute on <other_schema.procedure_name> to <username>;
From SYSDBA user login (from where you created the user), give the following grant :
GRANT EXECUTE ANY PROCEDURE TO user;
GRANT SELECT ANY TABLE TO user;
where user = the username you just created.
Then ,to ensure the user has only read priviledges, check from session_privs that he doesnot have any other priviledge, specifically any "CREATE" prviledge. To do this , run :
select * from session_privs;
from the user you just created.
why is this showing error..
SQL> create user nisar identified by kk ;
create user nisar identified by kk
*
ERROR at line 1:
ORA-65096: invalid common user or role name
I had used below command. It's very useful. So, I would like to recommend to you.
alter session set "_ORACLE_SCRIPT"=true;
For more information, see:
http://www.dba-oracle.com/t_ora_65096_create_user_12c_without_c_prefix.htm
You're trying to create a common user, not a container user, with an invalid name:
ORA-65096: invalid common user or role name
Cause: An attempt was made to create a common user or role with a name that wass not valid for common users or roles. In addition to the usual rules for user and role names, common user and role names must start with C## or c## and consist only of ASCII characters.
Action: Specify a valid common user or role name.
If you want to create a user in a particular container then you can use the alter session set container first, so your create is applied within that container. If you really do want a common user, follow the naming rules above.
Read more in the documentation.
I'm trying to solve a stored procedure in oracle based on this statement...
Access control on oracle database where
a) Each user is allowed to access the system within certain time limit of a day. For example, user1 is allowed to access the system from 8 am to 4 pm, while user2 is allowed to access the system from 3 pm to 11 pm.
b) For every user, accounts will be locked upon three logon failures.
c) For every user, idle session will be terminated after 10 minutes.
d) Highly privileged users are allowed to have a maximum of two concurrent sessions at one time, while other users are allowed to have one concurrent session only.
I manage to answer b,c,d question using profile. Then I alter the user to the profile. The stored procedure keep give me compilation error. THANKS IN ADVANCE
Here are my work
create role roleUser;
grant create session to roleUser;
grant select on staff_data to roleUser;
create user user1 identified by abc123;
create user user2 identified by abc123;
--common user privilege
create profile userProfile limit
FAILED_LOGIN_ATTEMPTS 3
IDLE_TIME 10
SESSIONS_PER_USER 1
--high user privilege
create profile userHighProfile limit
FAILED_LOGIN_ATTEMPTS 3
IDLE_TIME 10
SESSIONS_PER_USER 2
alter user user1 profile userProfile;
alter user user2 profile userHighProfile;
grant roleUser to user1,user2;
show error;
create or replace trigger limit_logon
after logon on database
begin
if to_char(sysdate,'HH24') between 8 and 16 then
set roleUser to user1;
elsif to_char(sysdate,'HH24') between 15 and 23 then
set roleUser to user2;
else
revoke roleUser from user1;
revoke roleUser from user2;
end if;
end;
I would imagine that you'd have a table containing ranges of times in which a user is allowed to login, and when a user logs in your logon trigger would check the current time against the range(s) for the user. Create a procedure or function to encapsulate the logic, and let it raise an error if the user is not allowed to logon at that time.
Of course this doesn't log the user out at the end of the window.
I have a feeling that what you also need here is a DBMS_Scheduler job that runs periodically to check that all sessions' users are allowed to be logged in at that time, so that users' sessions can be killed if they stay logged in past their window.
set roleUser to user1; must be execute immediate 'grant roleUser to user1';
revoke roleUser from user1; must be execute immediate 'revoke roleUser from user1';
However, it will not work as desired because GRANT/REVOKE ROLE is executed after logon, thus it does not affect the current session, the user first would have to logoff and logon again.
Instead of grant and revoke a role, you can enable and disable granted roles, this take affect immediatly, see SET ROLE.
Anyway, for your purpose the simplest solution should be this one:
create or replace trigger limit_logon
after logon on database
begin
if USER = 'USER1' AND to_char(sysdate,'HH24') NOT between 8 and 16 then
RAISE_APPLICATION_ERROR (-20001, 'Logon allowed only from 8 to 16');
END IF;
if USER = 'USER2' AND to_char(sysdate,'HH24') NOT between 15 and 23 then
RAISE_APPLICATION_ERROR (-20001, 'Logon allowed only from 15 to 23');
END IF;
end;
You could use Oracle Virtual Private Database hooked up to the Axiomatics Data Access Filter (disclaimer - I work for Axiomatics). In the Data Access Filter, you can define access control policies that are time-based and also include other parameters such as user or data attributes.
That's the cleanest and most sustainable way.
Consider the case : In a database , I have two users A and B and their corresponding schema.
I want to know , How can I get the information : what permissions are there for USER A in Schema B .
Consider the case : We have two users and their associated scehmas. We have user A and user B. In A, say we have TB1 TB2, in B,say we have TBa, TBb. Now I want to know how can I find what privileges User A has on Schema B.
For example : User A is writing : select * from B.TBb This means USER A is accessing User B's table so , it shows he has SELECT Privilege. I want to know what all privileges User A has on Schema B.
Which query shall be executed to get the list of privileges that User A has on Schema B.
You can use these queries:
select * from all_tab_privs;
select * from dba_sys_privs;
select * from dba_role_privs;
Each of these tables have a grantee column, you can filter on that in the where criteria:
where grantee = 'A'
To query privileges on objects (e.g. tables) in other schema I propose first of all all_tab_privs, it also has a table_schema column.
If you are logged in with the same user whose privileges you want to query, you can use user_tab_privs, user_sys_privs, user_role_privs. They can be queried by a normal non-dba user.
Use example with from the post of Szilágyi Donát.
I use two querys, one to know what roles I have, excluding connect grant:
SELECT * FROM USER_ROLE_PRIVS WHERE GRANTED_ROLE != 'CONNECT'; -- Roles of the actual Oracle Schema
Know I like to find what privileges/roles my schema/user have; examples of my roles ROLE_VIEW_PAYMENTS & ROLE_OPS_CUSTOMERS. But to find the tables/objecst of an specific role I used:
SELECT * FROM ALL_TAB_PRIVS WHERE GRANTEE='ROLE_OPS_CUSTOMERS'; -- Objects granted at role.
The owner schema for this example could be PRD_CUSTOMERS_OWNER (or the role/schema inself).
Regards.
Login into the database. then run the below query
select * from dba_role_privs where grantee = 'SCHEMA_NAME';
All the role granted to the schema will be listed.
Thanks Szilagyi Donat for the answer. This one is taken from same and just where clause added.