Can you let me know the script in Oracle to change the common column in USER_ROLES_PRIVS table. Currently it is set to No but I need to change it to yes. Any help will be appreciated.
Why do you think that you need to change it to "yes"?
If you plan to mess with the Oracle data dictionary, don't do that.
Documentation (12c; that value doesn't exist in lower versions) says that common
Indicates how the grant was made. Possible values:
YES if the role was granted commonly (CONTAINER=ALL was used)
NO if the role was granted locally (CONTAINER=ALL was not used)
Now that you know it, use container=all while granting the role.
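The common grant described in this answer, as an added example that is not part of the original reply. C##REPORTING and C##APP_USER are assumed names, and the statements assume a 12c multitenant database and a common user with the privileges to create and grant roles.

```sql
-- Added example; C##REPORTING and C##APP_USER are assumed names.
-- Run in the root container as a common user: a common grant needs
-- a common role and a common grantee.
ALTER SESSION SET CONTAINER = CDB$ROOT;

CREATE ROLE c##reporting CONTAINER = ALL;

-- Without CONTAINER = ALL the grant is local to the current container
-- and the dictionary reports COMMON = NO for it.
GRANT c##reporting TO c##app_user CONTAINER = ALL;

-- Verify how the grant was recorded. USER_ROLE_PRIVS exposes the same
-- COMMON column for the connected user.
SELECT grantee, granted_role, common
FROM   dba_role_privs
WHERE  grantee = 'C##APP_USER'
AND    granted_role = 'C##REPORTING';
```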
I'm the QuickBase Admin for my QuickBase app. In the app, there's a dashboard report that's used by individuals with viewer access; that way, they can see their students' data, but can't edit the app, tables, structures, etc.
My app's users want to be able to edit one field with notes on that row's data (each row is a student's data, so they'd want to use that field to add notes on that individual), but viewers don't have editing/data entry access to any column. Is there a way for users to have editing/data entry access to one field, but not the others?
I know with Tableau and other BI software, this isn't possible, but I wanted to ask since my users asked.
Thank you for reading.
Sure you can.
Actually, there are several ways to implement this need.
In my opinion, it is better to create a new table and make a relationship between the student data and a (new) Notes table; then you will be able to set up edit rights, e.g. by record owner.
Another way: you can allow the edit right for your users and make a restriction at field level. In this case you have to go through each field, and in the Advanced section you will find Permission - Restrict access by role.
Hopefully you do not have a lot of fields :)
The scenario: an Oracle 11g database containing some sensitive user data that could result in legal liabilities if disclosed to the wrong party.
The desired effect: only a certain user, connecting from a certain IP, can see the column that contains this sensitive user data
I am not sure that hidden columns or virtual columns are the right ways to do this. It seems that Fine-Grained Access Control could help. I am not sure of what is the best solution. The restriction by IP is probably done at the listener level?
The question:
How can we restrict the visibility of a column so it is available only to a specific user? All the other users would never see the column, not even when doing a "DESC TABLE_WITH_SENSITIVE_DATA"
Thanks for any tips.
Simplest way to do this is to create a view on the table that does not contain all of the columns. Don't grant select on the table, but only on the view.
The "proper" way to do this is with Fine-Grained Access Control (Virtual Private Database), which can replace the contents of columns with a NULL if certain conditions are not met.
See the example here: http://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm#autoId17
You can probably build this sort of functionality yourself if you're feeling both impoverished and skilled.
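Both approaches from this answer, as an added example that is not part of the original answer: a view that omits the column, and a VPD column-masking policy keyed on the session user and client IP from the question. The schema APP, table CUSTOMERS, column SSN, role REPORTING_ROLE, user AUDITOR and address 192.0.2.10 are assumed names.

```sql
-- Added example; APP.CUSTOMERS, SSN, REPORTING_ROLE, AUDITOR and
-- 192.0.2.10 are assumed names.

-- Option 1: a view without the sensitive column. Grant SELECT on the
-- view only, never on the base table, so DESC of the view omits SSN.
CREATE OR REPLACE VIEW app.customers_public AS
  SELECT customer_id, full_name
  FROM   app.customers;

GRANT SELECT ON app.customers_public TO reporting_role;

-- Option 2: VPD column masking. The policy function returns a predicate;
-- rows for which it is false are still returned, but with SSN as NULL.
CREATE OR REPLACE FUNCTION app.ssn_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- SESSION_USER is the authenticated database user. IP_ADDRESS is NULL
  -- for local (bequeath) connections, so the comparison fails closed.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDITOR'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '192.0.2.10'
  THEN
    RETURN '1=1';
  END IF;
  RETURN '1=0';
END ssn_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'APP',
    policy_function       => 'SSN_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

With masking, the column still appears in DESC and in the data dictionary; only the view hides its existence. SYS and accounts holding EXEMPT ACCESS POLICY are not subject to the policy.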
Do you have the ability to modify roles and create views? Perhaps you could create two separate views and grant access to two different roles for that table. All users that are restricted from seeing the sensitive data would belong to a "restricted" role and the others would have access to the "unrestricted" role. You would need to grant privileges on each view to the appropriate role.
It is important to note that there are restrictions on updating the underlying data associated with a view. As explained here, views that contain set operators, aggregates, GROUP BY, DISTINCT and joins are not modifiable.
I'm making an ASP.Net MVC 3 application in VS 2010. I have a task to create a settings page which would make the columns from the tables in my database with specific permissions (read, read/write etc.).
It's the first time I have a task of this kind and I have no idea on how to make this.
I tried going right click on the project in VS and then go to Settings. There was a link which says that my project didn't have a settings page, so I clicked it to create one. There appeared a table with settings but there are just public/internal access modifiers. I can't seem to find write/read.
Is this the right way of creating a settings page? Or is there another?
I'm sorry Andrew. I answered your question in quite a rush previously. So, I think my answer became quite unclear. I'm so sorry. I will try my best to answer this more clearly. My answer can be quite long and I hope you are patient enough to finish reading this. :-)
Actually, your problem can be solved in very easy way. Believe me! You actually don't need a Setting page for this.
I suppose you will have a Users table in your database, for storing user accounts for your system. Right! And again, I suppose that Users table will have at least these following fields.
UserID [ This must be the primary key for the table. Right! ]
UserName
Password
Email [ This is kind of optional. ]
I only suppose your database has this kind of schema. Or else, there must be other ways to set the permissions for your users in the table.
Alright, create another table called Permissions in your database. That Permissions table will handle the permission rights for your users in the above Users table. Ok! Then, you have two tables. One is your original Users table and another is Permissions table.
Ok! Our new Permissions table will have at least following fields:
ID [ This is the primary key for this table. ]
UserID [ This will come as foreign key from your previous Users table. ]
PermissionRead [ This field will hold boolean data type, or bit data type. True or False for Boolean and 0 or 1 for bit. This depends entirely on the type of DBMS you use. ]
PermissionWrite [ Again, same as PermissionRead. ]
Alright, now you have two tables. These Permission read and write fields are for holding the permission rights for your users.
If you have the exact db schema as I described above, then you will have the following kind of relationship like this:
Users table
UserID | UserName | PW
U-001 | Tim | timpassword
U-002 | Jim | jimpassword
Permissions table
ID | UserID | PermissionRead | PermissionWrite
1 | U-001 | True | False
2 | U-002 | True | True
So, you can see that, User Tim which is UserID U-001 has Read-only permission and User Jim who is U-002 has both read-write permissions.
So, you can check the condition of these fields when a particular user logs in to the system. If he or she has PermissionRead value True and PermissionWrite value False, then that user has read-only permission right. Or else, if both values are true then that user has read-write permission. Ok!
I tried my best to explain this, and I really do hope you can understand my answer. I really do...!!!
My suggestion is that, you should try this method first. And, if you are alright with this, I can explain more how to set group level permissions from this method. Ok! 'Cause my answer became quite long, and I fear you become bored reading this... ;-)
You don't actually need a setting page for tasks like this. Easiest way to give permissions to the users in ASP.Net is that, you need to create a table in your database. Let's just call it Permissions. Then create these fields in that table:
PermissionID (datatype something you want)
UserID (this must be the foreign key from your Users table)
Read (boolean or bit type)
Write (the same as Read)
Both (the same as Read)
You have a table which is linked to your user table. You can set permissions for the users in the Users table in this Permission table, by setting these boolean (true or false), or bit (0 or 1).
Then, when your user logs in to the system, you can check these "read", "write" and "both" values from that Permission table, and allow that particular user based on these true or false values.
For instance, if a particular user has only Read value true and the other values false, then you can tell that that user has "read-only" permission.
That's the basic idea for creating user permissions with databases. O'course, you can do some advanced features from database tools. But, I think this is the simplest way to do so. And you can add many permission types you want in that table.
You can even create groups with this method. Like, giving permissions to a particular group will give permission to all users belonging to that group.
Wish you good luck...!!!
What is the purpose of this table? From its name, could we assume that it lists all rights assigned to each user?
If we need to know what rights are assigned to which user, should we look only at this table? Or there is another table to read?
What is the purpose of this table?
It contains the list of rights of users and roles.
Or there is another table to read?
Yes. You also need to know what roles are assigned to a user: INFORMATION_SCHEMA.ROLES
I am trying to identify incoming users into Oracle in order to give them access rights according to their identity (FGAC). Users are located in different domains, which means that they might have identical system usernames (Windows username).
I have been trying to use the Environment context variable sys_context('userenv', 'var') where I get the Domain name (e.g. SYS_CONTEXT('USERENV','HOST') and SYS_CONTEXT('USERENV','OS_USER')) but I seem to get different results depending on the connection method.
Are there any other means of getting a user's true identity I can explore?
I'm not sure which variable you should use but you may want to look at select * from v$session to help you pick one.
If you're basing FGAC on OS_USER environment variable, you're truly not securing the data. OS_USER isn't a credential passed to Oracle, it's just a string that can be manipulated by an attacker.