I have created a role in DB2 and granted some object level access to that role and next ranted that role to some users. How Can I identify which user is having this role and due to that what access the user is having object level.
The DB2 function AUTH_LIST_AUTHORITIES_FOR_AUTHID probably is what you are looking for. In the background it queries the system catalog tables for entries of that specified user. If you are only looking for certain object types, you could directly query a single catalog table, e.g., SYSCAT.TABAUTH for who has access to tables. There is a column for GRANTEETYPE and a value to indicate "role".
You can find users and their roles by querying SYSCAT.ROLEAUTH.
you can use db2look tool to extract the information regarding all the access that particular role carrying or what access is being carrying by the user...
db2look -d database_name -x -o db2look.out
Related
Is it possible in PostgreSQL to give a specific user or group on edit rights only to one schema?
I need the user to only change the objects in the schema. Similar to superuser rights, but only for one schema.
Thank for advance
The best setup in your case is probably the following.
Let's assume that the schema and the objects therein are owned by object_owner and the user that should have “superuser” privileges is called wannabe.
Then you can do:
ALTER ROLE wannabe NOINHERIT;
GRANT object_owner TO wannabe;
That allows wannabe to become object_owner by running
SET ROLE object_owner;
similar to using su in UNIX. Use RESET ROLE to step down again.
According to the documentation the dbname connection parameter defaults to the user name:
dbname
The database name. Defaults to be the same as the user name.
In certain contexts, the value is checked for extended formats;
see Section 31.1.1 for more details on those.
My first question is: what happens if there is no database that corresponds to the user name - and is there a way to define a default other than the database that has the same name as the user name? (How can this be achieved?)
My seconds question is: once connected to a database can a default schema be defined for the user? (How can this be achieved?)
Users cannot be set with a default database, because the decision of which database to connect to is a client-side one made before the server is first connected to.
It's not the PostgreSQL server with that default, it's libpq and the client tools like psql. Those tools examine the PGDATABASE environment variable, so you can set that, but you have no control over the behaviour from server-side.
You can set a default for the schema search path, as #a_horse_with_no_name notes, with
ALTER ROLE rolename SET search_path = ....
I am creating a PostgreSQL user for a in internal dashboard where I want the user's access to the db to default to read-only.
I did some research, and it seems to be a bit complex to create a read-only user who also inherits access to any new tables, materialized views, etc.
So I think the simplest thing is just to set:
ALTER USER readuser SET default_transaction_read_only = on;
How do I set this using the Ansible PostgreSQL modules?
I'm not sure if I should be using the postgresql_privs or postgresql_user module. I tried experimenting with different values for the priv attribute, but couldn't get anything to work.
I'm aware that this is not guaranteed read-only, as the user could just change the type of transaction at runtime. However, it will be just fine for my usecase since security isn't an issue, I just want to protect against ignorant users accidentally modifying data. If someone is knowledgable enough to change their transaction, I'd rather assume they know what they're doing and have a legitimate reason for it.
I'm not sure if I should be using the postgresql_privs or
postgresql_user module. I tried experimenting with different values
for the priv attribute, but couldn't get anything to work.
Did you tried to revoke privs?:
# REVOKE INSERT, UPDATE ON ALL TABLES IN SCHEMA public FROM reader
# "public" is the default schema. This also works for PostgreSQL 8.x.
- postgresql_privs: >
db=library
state=absent
privs=INSERT,UPDATE
objs=ALL_IN_SCHEMA
role=reader
Note:
To revoke only GRANT OPTION for a specific object, set state to
present and grant_option to no (see examples http://docs.ansible.com/ansible/postgresql_privs_module.html).
Note that when revoking privileges from a role R, this role may still
have access via privileges granted to any role R is a member of
including PUBLIC.
Note that when revoking privileges from a role R, you do so as the
user specified via login. If R has been granted the same privileges by
another user also, R can still access database objects via these
privileges.
I am fairly new to Postgresql, and this is the situation:
I have many databases on one instance
I have many users, each map 1-1 with a database (e.g. Each user can connect to only one database)
Each user is EITHER Read/Write or Read Only
Now I have figured out how to do this one way, but seems clunky:
Create a Group Role for each User
Create a Login Role for each User
Grant default privileges to Group role on relevant database
However, I'd rather just have one login role for each user, and this role would have a "Type" of READONLY/READ WRITE. Each user would have these rights on ONLY one database.
Any suggestions how that might be achieved?
Ok, after writing this out, solved the problem!
Create Group roles "admin_ro", and "admin_rw"
Create user roles, as members of one of the above
Grant "Connect" to user role on individual databases
Grant the relevant default privileges to the "group role" on the database
From the PostgreSQL docs:
The concept of roles subsumes the concepts of "users" and "groups". In
PostgreSQL versions before 8.1, users and groups were distinct kinds
of entities, but now there are only roles. Any role can act as a user,
a group, or both.
Why did they make this change in 8.1?
Perhaps it's easier from the C coders point of view, with a single Role class (struct)?
More details:
CREATE USER is equivalent to CREATE ROLE except that CREATE USER gives the LOGIN permission to the user/role.
(I'm about to design a permission system for my webapp, hence I'm interested in this.)
The merge has many advantages and no disadvantages. For instance, you can now seamlessly convert a "user" to a "group" and vice versa by adding / removing the LOGIN privilege.
ALTER ROLE myrole LOGIN;
ALTER ROLE myrole NOLOGIN;
Or you can GRANT membership in any other login ("user") or non-login role ("group") to a role:
GRANT joe TO sue;
You can still:
CREATE USER james;
That's just a role with login privilege now. Or:
CREATE GROUP workers;
That's effectively the same as CREATE ROLE now.
The manual has it all.
I found this thread in the PostgreSQL-Hackers list, from June 6, 2003, that in the end suggests that users and groups and roles be consolidated. (Thanks Craig Ringer for suggesting that I check the pgsql-hackers list archives.)
Here are some benefits mentioned (those that I found).
allow groups to have groups as members
the ACL code would be simplified
the GRANT/REVOKE syntax and the display format for ACL lists could be
simplified, since there'd be no need for a syntactic marker as to
whether a given name is a user or a group.
In some circumstances I could see it making sense to allow logging in
directly as a group/role/whatchacallit
This would also solve the problem that information_schema views will
show only owned objects
[makes it easier to] representing privileges granted to groups [since
you'd simply reuse the role related code?]
From the manual:
The SQL standard defines the concepts of users and roles, but it
regards them as distinct concepts and leaves all commands defining
users to be specified by each database implementation. In PostgreSQL
we have chosen to unify users and roles into a single kind of entity.
Roles therefore have many more optional attributes than they do in the
standard.
Having a distinction between users and groups doesn't gain you anything.
AFAIK the motivation for changing it was to simplify uses like:
One user masquerading as another, eg a superuser simulating a reduced permissions user. With unified roles this becomes just another change of current role, no different to changing primary group.
Groups that are members of other groups to implement granular access permissions.
If you want the details, though, you're best off checking out the archives of the pgsql-hackers list for the period, and the git history (converted from CVS).