i'm developing a simple windows application (C#, WinForms, ADO. NET). Application should have a following functionality:
create a login and corresponding user in my database (database1);
add roles to new user (role names: rol1, rol2).
New login can (1) and (2) and so on.
How should I do it ?
What I want:
script for creating an initial user which can do (1) and (2).
script for creating new login+new user+add new roles.
Here's a basic script for adding a new login, user and role:
-- Create login
if not exists (select * from sys.syslogins where name = N'TheLogin')
CREATE LOGIN TheLogin WITH PASSWORD=N'ThePassword',
DEFAULT_DATABASE=TheDatabase, CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
-- Create user
use TheDatabase
if not exists (select * from sys.sysusers where name = N'TheLogin')
CREATE USER TheLogin FOR LOGIN TheLogin
IF DATABASE_PRINCIPAL_ID('TheRole') IS NULL
create role rol1
exec sp_addrolemember 'TheRole', 'TheLogin'
-- Grant rights
grant select on TheView to TheRole
A login is server-wide, and controls if you can log into the server. A user is database specific, and controls what rights you have in a database.
Related
I have created a user in PostgreSQL.
then I have created a role
and granted the role to the user.
now I want to write row level policy for the current user with some role permission
sql:--
create user martin;
create role role_manager;
grant role_manager to martin;
CREATE POLICY student_rls_policy
student
FOR ALL
TO role_manager
USING (name = **?**);
Now I want to pass current_user role at?
I have a sql script to create a login and user as follows:
USE [master]
GO
CREATE LOGIN [MyLogin] WITH PASSWORD=N'MyPassword',
DEFAULT_DATABASE=[MyNewDatabase],
DEFAULT_LANGUAGE=[us_english],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF
USE [MyNewDatabase]
GO
CREATE USER [MyLogin] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[MyLogin]
exec sp_addrolemember db_datareader, MyLogin;
exec sp_addrolemember db_datawriter, MyLogin;
GO
CREATE SCHEMA [MyLogin]
GO
However, I only want all of this to happen if the login doesn't exist. If I try and wrap it in a 'IF NOT EXISTS....BEGIN...END' it wouldn't work as the GO statements would override it. I need the 'GO' after the login so it can then be used for the creation of the user. So how can I make sure the login doesn't exist before trying to create both login and user?
SQL Server doesn't support syntax such as CREATE {object} IF NOT EXISTS. It did introduce CREATE OR ALTER syntax in SQL Server 2017, however, that is only for objects where the object CREATE statement must be the only one in the batch.
For objects that don't need that, such as a LOGIN and USER, you can check if the object exists using an IF and NOT EXISTS. For example:
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE [name] = N'MyLogin')
CREATE LOGIN [MyLogin]
WITH PASSWORD=N'MyPassword',
DEFAULT_DATABASE=[MyNewDatabase],
DEFAULT_LANGUAGE=[us_english],
CHECK_EXPIRATION=OFF,
CHECK_POLICY=OFF;
GO
USE [MyNewDatabase];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE [name] = N'MyLogin')
BEGIN
CREATE USER [MyLogin] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[MyLogin];
ALTER ROLE db_datareader ADD MEMBER MyLogin; --Don't use sp_addrolemember is has been deprecated for some time
ALTER ROLE db_datawriter ADD MEMBER MyLogin; --Don't use sp_addrolemember is has been deprecated for some time
END;
I have created two new users and a new role. Given select privilege to the role for one table in schema A and assigned this role to user b. While issuing a select query for the table in schema a with this user I am experiencing table or view not found issue.
CREATE USER READUSER1 IDENTIFIED BY readuser1;
CREATE USER READUSER2 IDENTIFIED BY readuser2;
CREATE ROLE READONLY_USER IDENTIFIED BY readonlyuser;
GRANT select ON READUSER1.TESTA TO READONLY_USER;
GRANT READONLY_USER TO READUSER2;
Now from READUSER2 session :
SELECT * FROM READUSER1.TESTA > 00942. 00000 - "table or view does not exist"
I assume that you created the table successfully in the readUser1 schema though you don't show that step.
When logged in as readUser2, what roles are enabled for the session?
select *
from session_roles
I'll wager that the role is not enabled for the session. Normally, you don't set passwords on roles because you normally want those roles to be available to the user as soon as they log in. If you set a password on a role, however, then every time the user creates a new session, they have to explicitly enable the role by specifying the password. That's quite useful in some unusual situations but it's not the norm.
Assuming that readonly_user does not appear in session_roles, you can enable the role using the set role command
set role readonly_user
identified by readonlyuser;
Once you've done that, the role should appear in session_roles and you should be able to query the table.
Normally, though, you'd have created a normal role not a password protected role by omitting the identified by clause
create role readonly_user;
I would like to have user who can read and insert data to all tables within one schema. I've executed following SQl statements:
CREATE SCHEMA ABC;
CREATE USER MyUser with PASSWORD '12345678';
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ABC TO MyUser;
When I try to login with this user I am getting exception: Role 'MyUser' does not exists.... What is not correct here?
How to Define Privileges Upon Role Creation
Now, we are ready to recreate the "demo_role" role with altered permissions. We can do this by specifying the permissions we want after the main create clause:
CREATE ROLE role_name WITH optional_permissions;
You can see a full list of the options by typing:
\h CREATE ROLE
We want to give this user the ability to log in, so we will type:
CREATE ROLE demo_role WITH LOGIN;
CREATE ROLE
If we want to get to this state without specifying the "login" attribute with every role creation, we can actually use the following command instead of the "CREATE ROLE" command:
CREATE USER role_name;
The only difference between the two commands is that "CREATE USER" automatically gives the role login privileges.
here or here about PostgreSQL User Administration.
Thanks
UPDATE
We want to give this user the ability to log in, so we will type:
CREATE ROLE demo_role WITH LOGIN;
CREATE ROLE
If we check the attributes \du
demo_role | | {}
my user name was case sensitive. using small letters solves problem.
I’m developing a web based application with PostgreSQL as the back End Database & perl handling the scripting
I hold the login info in a separate file similar to advice here where to store global database connection parameters so depending on what the script needs to achieve it could point to different login credentials Currently it’s the default PostgreSQL account this obviously needs changing.
I need to get my head around how to set up user accounts in PostgreSQL
I think I need two one that allows users to query the Database eg web_user the other will need to submit changes eg web_admin.
The web_admin account will need to log into the webpage
In pgAdmin or on the command line how do I create the login Rolls and give the what ever the required permissions are?
EDIT Please Clarify
I’ve had a stab at creating two accounts but am unclear if this is correct way to do it
CREATE USER web_user PASSWORD 'password1';
GRANT SELECT to web_user on Table1; // Read Only
CREATE USER web_admin PASSWORD 'password2';
GRANT SELECT,INSERT,UPDATE,DELETE to web_admin on Table1; // Read Insert and update / delete rows within a existing table but not able to create, alter or delete a Table or column
Edit 2 ooops
So I’ve executed the following in pgAdmin window
CREATE USER web_user PASSWORD 'password1';
GRANT SELECT to web_user in schema PUBLIC; // Read Only
CREATE USER web_admin PASSWORD 'password2';
GRANT SELECT,INSERT,UPDATE,DELETE to web_admin in schema PUBLIC
The web_user account allows just read access to a database the problem the web_admin account has the same read access
I’ve tried drop web_user & revoke by
revoke all privileges on database mydb from web_admin;
but it fails with errors about dependencies listing all tables in mydb
I've attempted to see what privileges web_admin actually has but have been unable to.
How do I drop this account
What is wrong with the syntax for grant web_user?
To create users you can use CREATE USER command in SQL. (it is the same as CREATE ROLE ... WITH LOGIN) Afterwards you use GRANT to grant privileges.
I'm not sure what you mean by "default PostgreSQL account". If you are talking about "postgres" account, it's superuser, and has rights to everything.
The topic of privileges, and securing is quite complex, I wrote about it at least couple of times:
How to grant privileges on all tables in PostgreSQL < 9.0
How to grant privileges on all tables in PostgreSQL > 9.0
How to secure your database