In our Azure Managed Instance DB, a new user has been created and given db_datareader, db_datawritter and db_ddladmin. As per MS Documentation, db_ddladmin has CREATE PROCEDURE and ALTER ANY SCHEMA. But when logged in, I am unable to EXECUTE SPs and Functions. Then, separately gave EXECUTE permission.
Now the question is that under which fixed DB role EXECUTE comes? I am unable to find in MS document.
DB_Owner has execute permission or create your own execute role like below against a database:
-- Create a db_executor role
CREATE ROLE db_executor
-- Grant execute rights to the new role
GRANT EXECUTE TO db_executor
Related
I have a database and there some tables.
There are some users in the table users
I am trying to create a form which the user will be able to get his/her password to his/her email.
I would like to send an automatic email with both username and password (which are fields in the table named 'users')
//you can connect to you database with the following code
mysql_connect(HOST, USR, PSD);
mysql_select_db(DB);
/*where HOST = Database host server eg localhost
USR = Database username
PSD = Databse password
DB = The name of the database that contain the table
*/
place the code after
$id = mysql_real_escape_string($_GET['id']);
PS
using mysql is has been deprecated and remove as of php 7. Try to use PDO or MYSQLI
To connect to a database, please read this page. You need to connect to a database before you can perform any action with SQL in your file. Also consider security when sending account details by mail, especially unencrypted passwords. Even if you're practising it's a good exercise to make a secure system.
I am new to LDAP trying to create schema for User authentication Purpose. DN: uid=55e44a75e4b0f16711714165,ou=people,dc=myDB,dc=com
Every thing is perfect I can add data like cn=Prashant, sn= thorat ,mail=xx#gmail.com,mobile:xxxxx , password=xxxx . And I can Authenticate user using mail and password.
Now I want to mark status here as deleted . So that on login I can Identify User status from LDAP. Is their any attribute or Object to add user status as deleted / active or need to create custom.
ref: http://www.zytrax.com/books/ldap/ape/#contents
There is no deleted attribute in any LDAP schema I am aware of. You could use the pwdAccountLockedTime attribute of the password-policy overlay: set it to 000001010000Z. See here. If you did that you would also have to use the password-policy response control when binding.
I just updated an older post about Rails + Oracle DB and wondered why my rake db:create db:migrate asks me for the SYS/SYSTEM password of the Oracle DB. The Oracle user I have configured at config/database.yml has these permissions:
GRANT CREATE SESSION TO my-user;
GRANT ALTER SESSION TO my-user;
GRANT CREATE SEQUENCE TO my-user;
GRANT CREATE SYNONYM TO my-user;
GRANT CREATE VIEW TO my-user;
GRANT CREATE TABLE TO my-user;
GRANT GATHER_SYSTEM_STATISTICS TO my-user;
GRANT CREATE PROCEDURE TO my-user;
GRANT CREATE TRIGGER TO my-user;
GRANT CREATE DATABASE LINK TO my-user;
GRANT CREATE TYPE TO my-user;
This is what Rails is prompting me for:
Please provide the SYSTEM password for your Oracle installation (set ORACLE_SYSTEM_PASSWORD to avoid this prompt)
I do not understand why, as my-user should have all permissions needed for its own schema.
Any ideas?
It seems that requiring SYSTEM password for rake db:create is hardcoded in the gem.
def create
system_password = ENV.fetch('ORACLE_SYSTEM_PASSWORD') {
print "Please provide the SYSTEM password for your Oracle installation (set ORACLE_SYSTEM_PASSWORD to avoid this prompt)\n>"
$stdin.gets.strip
}
establish_connection(#config.merge('username' => 'SYSTEM', 'password' => system_password))
begin
connection.execute "CREATE USER #{#config['username']} IDENTIFIED BY #{#config['password']}"
rescue => e
if e.message =~ /ORA-01920/ # user name conflicts with another user or role name
connection.execute "ALTER USER #{#config['username']} IDENTIFIED BY #{#config['password']}"
else
raise e
end
end
connection.execute "GRANT unlimited tablespace TO #{#config['username']}"
connection.execute "GRANT create session TO #{#config['username']}"
connection.execute "GRANT create table TO #{#config['username']}"
connection.execute "GRANT create view TO #{#config['username']}"
connection.execute "GRANT create sequence TO #{#config['username']}"
end
Source
As you can see, it also actually creates the user which you set in your database.yml and gives some privileges to it.
It's probably the best to skip rake db:create. You can always create database manually once in production environment, and in development/testing environment it's alright to give SYSTEM access to your Ruby code.
I am trying to work out the "right" way to establish a connection to my database from the server of my DataSnap application.
Each (most) of my tables in the database have fields (whose values are set via a trigger on insert and update) called Updated and Created (this is the current time stamp when the record is written) and updated_by and created_by which (should) contain the currently logged in user.
I want the user to 'login' from the client side such that these fields reflect the user who has logged in (and by extension, I'll get user authentication from the database, not just from the server). I can handle the authentication to the server itself from the client ok handling the OnUserAuthenticate and OnUserAuthorize events on the server. I am trying to then pass the credentials to my database so that the triggers can set the fields stated above correctly.
So what is the way to approach this scenario? I am wonder if the DSAuthProxyUser and DSAuthProxyPassword from the client can be used but I can't find much (any) documentation on how I would use that. Do I establish a new connection for every user who connects? This seems most logical to me. I'm not going to have a lot of concurrent users. Tops 30. Most likely 5-10. But what is the "normal" way this is done? I don't want to (hope I don't have to) pass in the username to each of my insert/updates to set the values in the tables.
I hope I have explained my situation clearly.
Thanks
I haven't used it yet, but it looks to me that the RDB$SET_CONTEXT() and RDB$GET_CONTEXT() introduced in Firebird 2 are what you need. Using these functions, you can set (and get) additional information specific to the user session (namespace USER_SESSION) or the current transaction (namespace USER_TRANSACTION). You can also retrieve additional system information for the current session (namespace SYSTEM), but that is probably not relevant for your case.
What you would need to do is call the RDB$SET_CONTEXT() method in that OnUserAuthorize event, eg using (as a query):
SELECT RDB$SET_CONTEXT('USER_SESSION', 'actualuser', '<name of user')
FROM RDB$DATABASE
Here 'actualuser' is the context variable we use. In your triggers you can then retrieve the name (assuming PSQL, with a declared variable actualuser)
actualuser = RDB$GET_CONTEXT('USER_SESSION', 'actualuser');
You can then use actualuser in the rest of your trigger. Just make sure you also account for the case where the context variable is not set (eg an administrator making direct changes to the database or something like that).
Firebird has the CURRENT_USER keyword which can be used in SQL.
The example below is based on http://www.firebirdsql.org/refdocs/langrefupd15-current_user.html
create trigger bi_customers for customers before insert as
begin
New.created_by = CURRENT_USER;
end
To have the user name for updates, simply declare a before update trigger like
create trigger bi_customers for customers before update as
begin
New.updated_by = CURRENT_USER;
end
This solution requires a 1:1 mapping of database users to external users. In the most simple implementation, it means that the DataSnap session authenticates the user credentials against the database.
In your description however, it seems to be a two step authentification (first against the DataSnap layer, then against the database). I am not sure how this can be done regarding safe password handling, and if you plan to have a separate user/password table only for the first authentication stage (DataSnap) and a user login mapping from DataSnap to database as some kind of 'decoupling'.
I am creating an online survey tool.
As an administrator, i would like to see what the users have answered and also be able to answer on their behalf. The system get's a users answers and other information based on his/her username, when they are logged in, using the built in membership provider.
There are currently three roles: Administrator, Moderator and Respondent
If i would like to show my administrator a list of users,
how would it be possible to create a "backdoor" for the administrator, so that he can "log" in as the user, see the users answers etc ? (Just like the user would be able to if he was logged in to his own account).
When answering and retrieving quyestions, the system is bound to `User.Identity.Name
My suggestion on how to solve this:
Currently, when i want to retrive a users answers i use the following code:
Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
var answers = db.Tabelform_Answers.Where(x => x.question_id == model.Question_ID && x.respondent == Firma_ID);
This is because i have a table named Firma, that has a column referencing to a users Name, called CVR_Nummer. I then retrieve all the records in the Tabelform_Answers table, that match question_id and Firma_ID (A users answers for a specific question).
Instead of using `Firma_ID = db.Firma.Single(x => x.CVR_nummer == User.Identity.Name).firma_id;
to retrive the Firma_ID of a given user, i could store it in the Session upon Login. When i want to view a specific users Answers as Administrator, i would then just change Firma_ID in the Session. Changing Firma_ID in the Session would only be allowed through a controller which has the following code:
[Authorize(Roles = "Administrator")]
Also, i would set the Session timeout to be the same as the Authentication timeout.
Can somebody tell me which pros and cons of this solution? Are there any other ways of storing a "global" variable for a Session? (Firma_ID)?
Thanks
If you only need to log in as your users, I went for a ticket-method.
I have a special login-page that can take a ticket-id. This ticket is created in the admin-gui when the admin wants to log in as another user. The login-page checks the ticket in the database, logs in the wanted user, and then deletes/marks the ticket as used. As an added security, a ticket is only valid for 10 seconds after creation.
Another option is to make answers from users available from the admin-gui...
also you can do in your log-in script override
so you have at present something like
if user name and password match string then user is logged in and based on this you get user permissions
instead have admin page,
where you can select user and then you can apply permissions of the user instead of admin.