My question is kind of straightforward and so should be the answer.
Talking about ORACLE databases in SQL Developer, we can create connections to users' schemes.
The connection needs to specify the username and the password, and that allows to access the schema of that user. Below the connection, I usually see all the elements of the schema shown within folders like Tables, Views, Indexes, Packages and so on.
But then I also see the folder Other Users just next to those from above. This folder contains a list of other usernames (different from the one you are currently connecting to). Exploring each of these, you see in turn a schema (like a set of elements as from above).
What is this design about? Are they different users sharing the same schema (tables, views, packages, indexes etc..) but with different grants? When we do that?
Your connection details determines which SCHEMA you will be browsing when you expand the connection tree.
The other users node allows you to browse additional schemas. Your connection user's privileges will determine what you can or can't see in other schemas.
A database object is owned by a single user, or exists in a single schema (which is really the collection of objects owned by a user.) There are no shared objects.
Related
We are a team of tens of data analysts. Our main data back-end is an Oracle database. We use personal schemas to do work where we don't need to collaborate with others and we would like to create schemas dedicated to projects where people need to collaborate.
The problem is that in Oracle, one schema is equivalent to one DB user. If we create a schema dedicated to a project, for the purpose of creating DB objects in the context of that project, there will be a single set of credentials (username + password) that needs to be shared by all team members. This has two inconveniences:
if people mistype the credentials, they can block the account for everyone;
it is no longer possible to monitor who did what for security/audit reasons, since everyone uses the same schema;
An alternative would be that only one person uses the Schema user to create objects and assigns privileges to other people in those objects, but that can become quickly cumbersome.
Another alternative is to interact with the DB through R or Python but that means the credentials will be stored in some text file, which is bad for security.
As we see it, the ideal situation is if multiple personal DB users can create objects in the same schema, and if those objects are automatically available for that set of DB users. Is this totally impossible in Oracle? Is this impossible in any major DB? Is this requirement somehow flawed and as such, there is a good reason for why it is not available?
We could compare this collaboration in a DB schema to what commonly happens with people collaborating in a folder, using R, Python or other programming language for data analytics.
Thank you for your advise!
Maybe I miss something but could you not just create a schema that will be used for all users and grant the required privileges to each individual user?
Each user authenticates with his local account and by default uses his local schema and to access the public one you just use the ALTER SESSION SET CURRENT_SCHEMA command.
I have created multiple Databases in Clickhouse and a new User, and now can I restrict that newly created user to be able to access a particular database.
In users.xml in 'user' (near profile, quota...) you could specify optional section
<allow_databases>
<database>default</database>
<database>test</database>
</allow_databases>
If there is no 'allow_databases' section - it means that access to all databases is allowed.
Access to database 'system' is always allowed (because system database is used to process queries).
User could list all databases and tables (using SHOW queries or system tables), even if there is no access.
Database access limits are completely unrelated to 'readonly' settings. There is no possibility to provide full access to one database and readonly access to another.
An application needs to access various Oracle database. Some databases have tables in Schemas, some don't - there's no control over this.
If a database has a schema in use, the applicable won't work unless the user enters a schema. I'd like it to be able determine via a SQL query if a schema is required to access the tables so the user can be alerted to this.
I'm aware of the question - How do I obtain a list of schemas that an Oracle user has access to - but that only tells me what schema's can be accessed, not if use of the schema is required to access tables.
Is there an SQL query to one of the system tables that can do this with that user's rights?
Note: The application only has login credentials and doesn't know any table details.
Hope that's clear. Thanks.
Question is confusing. For most part in Oracle, you can consider LOGIN == USER == SCHEMA. When you login into your database with your user, you are able to see and access all objects in that user's schema.
Objects in other schemas (on same database server) can be accesed by SCHEMA2.TABLE1 if connected user has privileges to acces table (there are different privileges...). As already stated in some comments, you do not need to prefix table if synonym exists. Your user can access even tables on some remote server if exists appropriate database link.
We are using a SaaS provider at my company, who also offers direct read-only access to their back end Oracle database.
Our Oracle user does not own any of the tables, therefore the tables we want to read belong to other users. So the tables must be addressed as follows: OwnerUser.table1, OwnerUser.table2, etc.
When setting up a data source in LightSwitch, no tables are visible, because the Entity Data Model is mapping to tables owned by our user (the one which we connect with).
Does anyone know if I can tweak the data source somewhere to inject the owner prefix (e.g. OwnerUser) so that the LightSwitch Designer will show the tables owned by OwnerUser?
You might find that in this case it might be easier to create a custom RIA Service layer for the datasource that passes the user information and sets up the tables.
Why does a user needs privileges over his own schema to create packages and triggers?
Are you asking why users need particular priviliges (i.e. CREATE TABLE, CREATE PROCEDURE, etc) in order to create particular types of objects in their own schema?
If so, the natural answer would be that good security begins with the principle of least privilege-- that is, a user should only have those privileges that they truly need to do their job and no more. DBAs frequently want to create read-only accounts for users in the production database (business analysts, for example, often need to do different sorts of ad hoc reporting, developers may need access to troubleshoot certain types of problems, etc). If a user were always able to create objects in their own schema, those read-only users would suddenly be able to deploy code to the production database without going through change control or even necessarily testing anything. And that generally leads to a proliferation in code doing basically the same thing (i.e. a dozen analysts each have a procedure to calculate sales tax in their own schemas) but each of which has its own unique signature, logic, requirements, assumptions, etc. And heaven forbid that one of those analysts get fired because the DBA would naturally delete their account, only to find out that some crucial report depended on code that existed only in that analyst's schema.
I can't give you the "official" answer, but I can take a stab at the reasoning behind how it works. On the project I work on, Oracle Developers are the ones that deploy the triggers and packages into the database schema. But we have other teams of Java developers and testers, etc. Once the schema are migrated into the Test and then Production environments, we don't want the testers or the end user applications to be able to arbitrarily modify the triggers and packages associated with that schema, as that could invalidate the integrity of any testing they are doing (or cause even worse issues on the production system).
So within the test/production environments, you want the testers, the Java developers, and the end-user application to be able to read and write data to the schema, but not modify the triggers and packages which encompass the baselined code.
Why does a user needs privileges over
his own schema to create packages and
triggers
They do not.
Their own schema implies the ownership (or namespace) defined by username.object
All a user needs to create a trigger in their own schema is:
a table in their own schema
the create trigger privilege
All a user needs to create a package in their own schema is:
the create package privilege
If the user wants to create objects in another schema or that references other objects, or that requires storage in a tablespace then they will need permissions on those foreign objects.