I use iNavigator for data extraction and my team consists of 20 analysts with individual user id's. The analysts save their final data tables in a common library, down load the data and send it to the users. Issue is that analysts are unable to down load tables created by others (i.e. I'm unable to down load a table created by my colleague when he's on leave). Is there a sql command which can be given while creating the tables in iNavigator.
Sounds like you are using long SQL names on your tables instead of short system names. That being the case, the documentation says:
Table authority: If SQL names are used, tables are created with the
system authority of *EXCLUDE to *PUBLIC. If system names are used,
tables are created with the authority to *PUBLIC as determined by the
create authority (CRTAUT) parameter of the schema. If the owner of the
table is a member of a group profile (GRPPRF keyword) and group
authority is specified (GRPAUT keyword), that group profile will also
have authority to the table.
So you can either remember to grant authorities to other developers after creating the table or as mentioned above; you can make all your developers members of the same group (GRPPRF) and have their profiles default (CRTAUT) to group ownership of newly created objects.
Related
I am new to Postgres, sorry if the question is basic:)
I need to create a personalized role for any customer already existing in the DB.
Role name must be client_{first_name}_{last_name} (without curly brackets).
Also, this customer can only access his own data in "table_1" and "table_2" tables.
I took ALICE STEWART (id 51).
What I did:
I created role Customer with Select privilege. Then tried to create role for ALICE STEWART and I get an infinite recursion error.
But how to create role for one customer so that he could access only his info in 2 tables?
How to do that properly?
There is nothing wrong with personalized database users, but I would only consider that if you don't have very many users. I wouldn't want to deal with a pg_authid that contains 100000 users.
I would not play this with permissions, but with row level security. The exact way in which that would work depends on your data. The easiest way is to have and owner column that lists the user that can see the data.
Watch out for overly complicated policies, as they will make your queries slow.
I have a user performing a data import into Dynamics CRM. The partial error on the import says the user does not have enough privileges to access the Dynamics CRM Object for 2 lookup columns. One of them the user imported. The importer can see both the lookup list values. Can someone explain the proper permissions required for the user performing the data import?
You mentioned they can see, ie Read privilege. Check Write privilege as well.
Most importantly, Lookup attribute import needs AppendTo & Append privileges in respective entities.
When you are importing EntityA having EntityB lookup, importing User should have a security role with AppendTo in EntityA & Append in EntityB privileges + appropriate (user/BU level) access levels
Verify the AppendTo & Append privileges of those entities.
I assume you already verified these mentioned privileges.
Update:
Seems like custom Power user role (probably created from scratch) is throwing problems. Always start with cloning OOB security roles like salesperson & fill out the needed privileges. This helps to carry the hidden privileges.
Avoid giving highest privilege like Sys.Admin which will give users more than what needed, for ex. Bulk delete button will appear in Delete ribbon flyout & once my user configured Bulk delete job assuming record deletion action.
Atleast remove it once the import job is done.
We are developing an Access application with a SQL Server backend. We have a table that has records that belong to division A, B or C. The users also belong to role A, B or C. We want each user to see only their corresponding division records, as well as only certain columns.
I've thought of two ways, one making different queries for each role and then, based on the user's role, change the source object of the form. However I don't know if it is possible to retrieve it from SQL SERVER with VBA (all VBA documentation I've found so far is quite lacking).
The other solution I thought was to implement this on the server, however I don't know how a T-SQL query or view could fetch only the information needed based on the user's role
Any ideas?
PS: I can't use functions or stored procedures. For some reason the SQL Server we have been provided has them disabled and IT Ops won't enable them (Don't know the logic behind that).
Okay, it's been a while since I posted this but I'll post the solution I came up with in the end. VBA is not quite necessary in this case. It can be done perfectly with views.
To retrieve the users roles, (inner) join the table database_role_members twice with the database_principals one. Join by Id (from database_principals) on both fields. With this, you get a list of all roles and their corresponding users. To get the roles of the user querying the database simply add a where clause that checks that the user name corresponds with the function USER_NAME.
Then, don't give permission to those roles to access the table we want to restrict access to. Instead, make a view that fetches info from that table and add a where clause that looks up the value from a column against the query that retrieves the user roles.
With this you can make a link in access to the view and will allow you to see only the records that correspond to the user roles.
While this approach is easy, it doesn't allow for more complicated row level security. For a more powerful approach it might be useful to check the following link.
https://msdn.microsoft.com/en-us/library/dn765131.aspx
You could create the same tables with different schemas and assign user rights to different schemas. For example, instead of using dbo.Users you could have Accounting.Users and Warehouse.Users. Assign users in an accounting group to the Accouting schema. Or as suggested above those could be views within a schema that select data from underlying tables.
I really hope someone has some insight into this. Just to clarify what I'm talking about up front; when referring to Schema I mean the database object used for ownership separation, not the database create schema.
We use Sql Server Schema objects to group tables into wholes where each group belongs to an application. Each application also has it's own database login. I've just started introducing database roles in order to fully automate deployment to test and staging environment. We're using xSQL Object compare engine. A batch file is run each night to perform comparison and generate a script change file. This can then be applied to the target database along with code changes.
The issue I'm encountering is as folows. Consider the following database structure:
Database:
Security/Schemas:
Core
CoreRole (owner)
SchemaARole (select, delete, update)
SchemaBRole (select)
SchemaA
SchemaARole (owner)
SchemaB
SchemaBRole (owner)
Security/Roles/Database Roles:
CoreRole
core_login
SchemaARole
login_a
SchemaBRole
login_b
The set-up works perfectly well for the three applications that use these. The only problem is how to create / generate a script that creates schema -> role permissions? The owner role gets applied correctly. So for example, schema Core gets owner role CoreRole (as expected). However the SchemaARole and SchemaBRole do not get applied.
I wasn't able to find an option to turn this on within xSQL object nor does an option to script this from SQL Server management studio exist. Well, I can't find it at least.
Am I trying to do impossible? How does SQL Server manage this relationship then?
I just kicked up SQL Profiler & trapped what I think you scenario is. Try this:
GRANT SELECT ON [Core].[TestTable] TO [CoreRole]
GRANT DELETE ON [Core].[TestTable] TO [CoreRole]
GRANT UPDATE ON [Core].[TestTable] TO [CoreRole]
Is it possible to have Sync Services for ADO.NET read data from a table on multiple devices and insert it into a central SQL Server, having an additional column in the central table with the origin of the row data?
Let's say I have equipped door-to-door sales people with a device where they register sales. The local table would contain rows with sales information, and the central database would contain the same data + a column with the ID of the sales person.
Is that possible, or would I need the sales person's ID in the local database too?
Sync Framework identifies each client with a GUID (see: How To:Use Session Variables) and you can use that to map a particular client to a particular salesperson (see:Identifying Which Client Made a Data Change on either How to: Use Custom Change Tracking System or How to: Use SQL Server Change Tracking.
Or try the approach here for intercepting the change dataset and inserting/substituting the salesperson value: Part 1 – Upload Synchronization where the Client and Server Primary Keys are different