Currently I have a MariaDB user with a host like this:
'userdb'@'10.148.0.0/255.255.240.0'
and a grant like this:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EVENT, TRIGGER ON *.* TO 'userdb'@'10.148.0.0/255.255.240.0' IDENTIFIED BY PASSWORD '*21E60721C392B0B98F8E387DDA480376C04B42B5'
But from the application we got an error message like this:
TRIGGER command denied to user 'userdb'@'10.148.0.0/255.255.240.0' for table 'tclmuser'
Then I checked, and the definer of the trigger is the same as the user.
So does this issue come from the host of the user?
Related
Is it possible to set role with access to one database, with all privileges except to drop tables?
Not really. If a user can issue CREATE TABLE, it can issue a DROP for that table as well. From the docs:
The right to drop an object, or to alter its definition in any way, is not treated as a grantable privilege; it is inherent in the owner, and cannot be granted or revoked.
And as noted by the CREATE TABLE docs:
The table will be owned by the user issuing the command.
There is no mechanism to allow a user to create tables that they do not own and therefore cannot drop.
I need a Postgres user who cannot alter tables, views, triggers etc. Only select & insert into tables, so I created a new role and granted SELECT, INSERT, USE SCHEMA (something like that), SEQUENCE and even EXECUTE ON ALL FUNCTIONS privileges. But when I run a function, I get the following error: ERROR: permission denied for relation #table_name.
I am using Microsoft Azure Database for PostgreSQL with PostgreSQL 10 installed. As I'm trying to work on future tables together with other users I want to enable the other users to alter my tables as well.
I've created a role pgpublish and all users are members of the role. For a new table, which I created, I altered the table owner to the role pgpublish. Now everyone with the role pgpublish is able to alter the table:
ALTER TABLE "MYcoolSchema"."CoolNewTable" OWNER TO pgpublish;
To make this more automatic/generic, I created a trigger function and tried to create an event trigger as explained here.
Unfortunately I can't create the event trigger (the trigger function works fine), as it is stated:
ERROR: permission denied to create event trigger "trg_create_set_owner"
HINT: Must be superuser to create an event trigger.
SQL state: 42501
Is there a workaround for creating event triggers on Microsoft Azure Database for PostgreSQL? What could this look like?
I could run a cron job on another system to scan for new tables and alter the owner of these new tables to pgpublish but this is not cool at all.
Is it possible to configure a Postgres database such that a specific table may only be updated by a trigger? I have a history table, updated by a trigger, so I want to protect this table from unauthorised access. I want the history table to be updated only from the trigger.
Sure. Both the history table and the table with the trigger belong to a user that has no login rights. Then you grant privileges on the latter table to the application user.
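The setup this answer describes, as an added example that is not part of the original answer. It assumes PostgreSQL and a superuser session in a scratch database, and every role, schema, table and function name is hypothetical. It also assumes the trigger function is declared SECURITY DEFINER, which the answer does not mention: a trigger function otherwise runs with the privileges of the user who issued the statement and could not write to a table that user has no grant on.

```sql
-- Added example; all names are hypothetical.
CREATE ROLE hist_owner NOLOGIN;        -- owns the objects, can never log in
CREATE ROLE app_user LOGIN;            -- application account (set its password separately)

CREATE SCHEMA audit_demo AUTHORIZATION hist_owner;
SET ROLE hist_owner;                   -- create everything as the no-login owner

CREATE TABLE audit_demo.account (
    id      integer PRIMARY KEY,
    balance numeric NOT NULL
);
CREATE TABLE audit_demo.account_history (
    changed_at  timestamptz NOT NULL DEFAULT now(),
    changed_by  text        NOT NULL,
    id          integer     NOT NULL,
    old_balance numeric,
    new_balance numeric
);

-- SECURITY DEFINER: the body runs as hist_owner, not as the caller.
-- search_path is pinned so the caller cannot redirect name lookups.
CREATE FUNCTION audit_demo.log_account_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER
SET search_path = audit_demo, pg_temp
AS $$
BEGIN
    -- session_user is the login role; current_user here would be hist_owner
    INSERT INTO audit_demo.account_history (changed_by, id, old_balance, new_balance)
    VALUES (session_user, NEW.id, OLD.balance, NEW.balance);
    RETURN NEW;
END;
$$;

CREATE TRIGGER account_audit
AFTER UPDATE ON audit_demo.account
FOR EACH ROW EXECUTE PROCEDURE audit_demo.log_account_change();

-- Privileges on the table with the trigger only; nothing on account_history.
GRANT USAGE ON SCHEMA audit_demo TO app_user;
GRANT SELECT, INSERT, UPDATE ON audit_demo.account TO app_user;
RESET ROLE;

-- Check as the application role:
SET ROLE app_user;
INSERT INTO audit_demo.account VALUES (1, 100);
UPDATE audit_demo.account SET balance = 90 WHERE id = 1;   -- succeeds, trigger writes history
-- Each of the next two statements fails with "permission denied" / "must be owner":
-- INSERT INTO audit_demo.account_history (changed_by, id) VALUES ('x', 1);
-- ALTER TABLE audit_demo.account DISABLE TRIGGER account_audit;
RESET ROLE;
```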
To prevent unauthorized access to a table you can change the owner of the table to the user who should be accessing with the following query:
alter table yourschema.yourtable owner to youruser;
Now you can disable the trigger for all other users using the query:
alter table yourschema.yourtable disable trigger triggername all;
Here, all means that the trigger is disabled for all the users. Now only the owner will be able to use the trigger to update the table.
A trigger always fires on the event on which it is defined. Thus, if an update trigger is defined for updates, no one can bypass the trigger during an update if the trigger is enabled.
If you have different user groups with different privileges accessing your database, then you should map this to users in the database. For instance, you can prevent a user from disabling triggers on a table.
In MS-SQL Server 2008 R2, is there a way to set a table permission to "deny all" (select, insert, update, delete), to all roles and user id (including the future ones), except to sa?
In other words, can a table be made invisible except to sa?
No
db_owner will see it
schema owner can see it
references in a stored procedure won't check permissions
...
If you want an invisible table, put it into its own database and set no permissions at all. No need to DENY, just do not GRANT or CREATE USER.