Can I use CREATE SCHEMA AUTHORIZATION for something other than the current user's schema?
I can do the following:
CREATE USER MAIN_USER
IDENTIFIED BY main_user_pass;
GRANT CREATE SESSION TO MAIN_USER;
GRANT CREATE TABLE TO MAIN_USER;
ALTER SESSION SET CURRENT_SCHEMA = MAIN_USER;
Query 1:
SELECT USER FROM DUAL;
Result 1:
SYS
Query 2:
SELECT sys_context( 'userenv', 'current_schema') FROM dual;
Result 2:
MAIN_USER
I can do this:
CREATE SCHEMA AUTHORIZATION SYS
CREATE TABLE new_product
(color VARCHAR2(10) PRIMARY KEY);
Result:
Schema AUTHORIZATION created.
But when I try to do this, an error appears:
CREATE SCHEMA AUTHORIZATION MAIN_USER
CREATE TABLE new_product
(color VARCHAR2(10) PRIMARY KEY);
Result:
ORA-02421: missing or invalid schema authorization identifier
02421. 00000 - "missing or invalid schema authorization identifier"
*Cause: the schema name is missing or is incorrect in an authorization
clause of a create schema statement.
*Action: If the name is present, it must be the same as the current
schema.
The error message is pretty clear: you can't do that. From the documentation:
The schema name must be the same as your Oracle Database username.
Setting current_schema only changes the default schema name prepended to an object reference in a SQL command that isn't fully qualified, so after setting it to MAIN_USER, this command:
select * table table_a;
would be interpreted as
select * from main_user.table_a;
instead of
select * from sys.table_a;
Setting current_schema doesn't actually change your logged in identity or affect your privileges in any way, and if sys can't execute a command like that against another schema then nobody can do it.
Can I use CREATE SCHEMA AUTHORIZATION for something other than the current user's schema?
No, you can't. The documentation says:
Use the CREATE SCHEMA statement to create multiple tables and views and perform multiple grants in your own schema in a single transaction.
This statement lets you populate your schema ...
Specify the name of the schema. The schema name must be the same as your Oracle Database username.
You have to be connected as the schema owner, so user returns MAIN_USER. Just changing your current schema with ALTER SESSION SET CURRENT_SCHEMA is not sufficient.
It also says:
To issue a CREATE SCHEMA statement, you must have the privileges necessary to issue the included statements.
and you have granted CREATE TABLE so that should work once you connect as that user. But it means you can't rely on the privileged SYS user's CREATE ANY privs to bypass the schema grants, which might have been an advantage had it been allowed to work as you hoped; if you want your user to end up without those privileges you'll have to grant them, run CREATE SCHEMA as that user, then revoke them again. Or go back to individual CREATE object statements, which you can run for another user as SYS - but without the all-or-nothing single-transaction benefit you get from CREATE SCHEMA.
Related
I want to create a view from another view that I have select statement privilege. However, I can't and I am getting this error. Do you know why? Do I need other type of Select privilege?
SET CURRENT SCHEMA = SCHEMA1;
CREATE VIEW NEWSCHEMA.MYVIEW AS SELECT * FROM DB1.SCHEMA1.VIEW1
WITH NO ROW MOVEMENT;
SET CURRENT SCHEMA = NEWSCHEMA;
COMMIT;
full error msg:
Category Line Position Timestamp Duration Message Error 3 0 01/27/2023
11:24:05 AM 0:00:00.007 - DB2 Database Error: ERROR [42501]
[IBM][DB2/AIX64] SQL0551N The statement failed because the
authorization ID does not have the required authorization or privilege
to perform the operation. Authorization ID: "NEWSCHEMA". Operation:
"SELECT". Object: "SCHEMA1.VIEW1".
SELECT GRANTEE, GRANTEETYPE, CONTROLAUTH, SELECTAUTH FROM SYSCAT.TABAUTH WHERE (TABSCHEMA, TABNAME) = ('SCHEMA1', 'VIEW1') AND GRANTEETYPE IN ('U', 'R')
Result:
The reason is highly like because of the following CREATE VIEW authorization requirement:
Authorization
The privileges held by the authorization ID of the
statement must include at least one of the following authorities:
IMPLICIT_SCHEMA authority on the database, if the implicit or explicit schema name of the view does not exist
CREATEIN privilege on the schema, if the schema name of the view refers to an existing schema
SCHEMAADM authority on the schema, if the schema name of the view refers to an existing schema
DBADM authority
and at least one of the following authorities for each table, view, or
nickname identified in any fullselect:
CONTROL privilege on that table, view, or nickname
SELECT privilege on that table, view, or nickname
SELECTIN privilege on the schema containing the table, view, or nickname
DATAACCESS authority on the schema containing the table, view, or nickname
DATAACCESS authority
...
Group privileges are not considered for any table or view specified in the CREATE VIEW statement.
So, you may really have an ability to SELECT from this view, but you probably have it via some group membership, but not personally or via some role.
This is the reason you get this error.
You may ask your SECADM or view owner grant your authorization id a SELECT privilege to resolve the problem.
When collaborating with colleagues I need to change the schema name every time I receive a SQL script (Postgres).
I am only an ordinary user of a corporate database (no permissions to change anything). Also, we are not allowed to create tables in PUBLIC schema. However, we can use (read-only) all the tables from BASE schema.
It is cumbersome for the team of users, where everybody is creating SQL scripts (mostly only for creating tables), which need to be shared amongst others. Every user has its own schema.
Is it possible to change the script below, where I will share the script to another user without the need for the other user to find/replace the schema, in this case, user1?
DROP TABLE IF EXISTS user1.table1;
CREATE TABLE user1.table1 AS
SELECT * FROM base.table1;
You can set the default schema at the start of the script (similar to what pg_dump generates):
set search_path = user1;
DROP TABLE IF EXISTS table1;
CREATE TABLE table1 AS
SELECT * FROM base.table1;
Because the search path was change to contain user1 as the first schema, tables will be searched in that schema when dropping and creating. And because the search path does not include any other schema, no other schema will be consulted.
If you
However the default search_path is "$user", public which means that any unqualified table will be searched or created in a schema with the same name as the current user.
Caution
Note that a DROP TABLE will drop the table in the first schema found in that case. So if table1 doesn't exist in the user's schema, but in the public schema, it would be dropped from the public schema. So for your use-case setting the path to exactly one schema might be more secure.
I am working around a workaround to a "feature" in IBM DB2.
This fancy database has a "feature" in it which if I try to use a CREATE TABLE statement and it doesn't find the schema, it will create this schema for me, even if I don't want it to. This bug has caused me a lot of hours in debugging, because my code right now exists with the expectation that it won't create the schema if it doesn't exist
My question is -- how do I change the permissions of a particular schema (or even during the create schema phase) which a particular user does not have access to view?
I checked out this doc..
It seems with GRANT, there are the following three permissions:
ALTERIN
Grants the privilege to alter or comment on all objects in the
schema. The owner of an explicitly created schema automatically
receives ALTERIN privilege.
CREATEIN
Grants the privilege to create
objects in the schema. Other authorities or privileges required to
create the object (such as CREATETAB) are still required. The owner of
an explicitly created schema automatically receives CREATEIN
privilege. An implicitly created schema has CREATEIN privilege
automatically granted to PUBLIC.
DROPIN
Grants the privilege to drop
all objects in the schema. The owner of an explicitly created schema
automatically receives DROPIN privilege
With only ALTERIN, CREATEIN, and DROPIN, I don't see anything relevant to view access permissions :/
EDIT:
I checked out our Dash DB database for this particular table which has these special permissions for particular users using the following SQL:
SELECT * FROM SYSIBMADM.PRIVILEGES WHERE OBJECTSCHEMA = 'FAKE_SCRATCH';
This is the result:
EDIT 2:
I tried the following to emulate Dash DB's permissions for that user for that schema:
GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA FAKE_SCRATCH TO USER TEST_USER;
Still doesn't work :/
The following SQL query executed in DB2 fixed the problem:
REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC
I am trying to get schema name in sybase database.
First I have create login(user1) from sa user and than i have connect with user1 by giving login name(user1) and password now i have tried to create table by giving following command:-
create table user1.table1(
emp_id int not null,
name varchar(80) not null
)
but it was showing access denied error than i have logged-in from sa user and grant sa_role to user1 and then again i have run above mention query for create table and table were created successfully.
here I am not exactly getting that user1 is schema name or not or how can I identified schema name?
I want to also know that is there any role except sa_role for grant create insert delete table ,views and all other objects of sybase database.
Sybase ASE does not use the schema concept that SQL Server and Oracle use. Objects are located inside a database, and owned by a user - no other logical separations are there. So your syntax is wrong.
create table table1
(
emp_id int not null,
name varchar(80) not null
)
Sybase ASE Create Table
Additionally, Sybase/SAP best practices tells us all database objects should be created/owned by dbo with permissions granted to groups/roles/users to access those objects. Users who own database objects can not be removed, so if User1 gets fired, you will have to identify all the objects he owns, and change the ownership of those objects before his account can be deleted.
So for your example, the dbo user (typically sa) would create the objects, then GRANT permissions (INSERT/UPDATE/DELETE/etc) to the groups/roles/users who need access.
More information on managing user permissions can be found in the Sybase ASE System Administrators Guide Vol 1.
And more information about Roles/Groups from the System Admin Guide.
I have a schema called application. Is there a way that, rather than using the syntax
SELECT * FROM application.table
I can set the default schema so that I can just use
SELECT * FROM table
It would be the same idea as a using statement I suppose.
The default schema for all sql server users is "dbo", You can alter the default schema for a user by using commands ALTER USER
ALTER USER UserName WITH DEFAULT_SCHEMA = application;
It will be great to have a use statement for schemas.
You can vote the feature suggestion on Microsoft connect.