Get procedure's body - stored-procedures

I have created a procedure with the sysadmin role. I have granted usage to a new role I have created (role name New_role).
The issue is that users that have permissions on the new_role can't see the procedure body (while executing get_ddl or describe procedure).
How can users that have only permissions on the New_role view the procedure's body?
I don't want to give sysadmin to the new role, but I would like it to have the option to view the procedure's body.
Thanks

There isn't a grant that allows for this particular permission without ownership. However, there are a couple of workarounds. The simplest one is to create a view that is owned by the same role that owns the procedure, which retrieves the procedure definitions. Then you can grant select access on that view to whatever roles you like.
Something like this:
-- switch to the role that owns the procedures
USE ROLE SYSADMIN;
USE MY_DB;
-- the view runs with its owner's privileges, so it can read the definitions
CREATE VIEW MY_SCHEMA.PROCEDURE_DEFINITIONS AS
SELECT PROCEDURE_SCHEMA, PROCEDURE_NAME, ARGUMENT_SIGNATURE, PROCEDURE_DEFINITION
FROM INFORMATION_SCHEMA.PROCEDURES;
-- expose only the view, not ownership of the procedures
GRANT SELECT ON VIEW MY_SCHEMA.PROCEDURE_DEFINITIONS TO ROLE NEW_ROLE;
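A fuller version of the same workaround, added here as an example and not taken from the answer above: it narrows the view to one schema so NEW_ROLE sees only the bodies of procedures it is meant to use, and includes the USAGE grants on the database and schema that the role also needs before it can select from the view. MY_DB, MY_SCHEMA and NEW_ROLE are placeholder names.

```sql
-- Run as the role that owns the procedures (assumed here to be SYSADMIN).
USE ROLE SYSADMIN;
USE DATABASE MY_DB;

-- Restrict the view to one schema so NEW_ROLE only sees the bodies of
-- procedures in that schema, not every procedure in the database.
CREATE OR REPLACE VIEW MY_SCHEMA.PROCEDURE_DEFINITIONS AS
SELECT PROCEDURE_SCHEMA, PROCEDURE_NAME, ARGUMENT_SIGNATURE, PROCEDURE_DEFINITION
FROM MY_DB.INFORMATION_SCHEMA.PROCEDURES
WHERE PROCEDURE_SCHEMA = 'MY_SCHEMA';

-- The grantee also needs USAGE on the database and schema that contain the
-- view; the SELECT grant alone does not let it reach the object.
GRANT USAGE ON DATABASE MY_DB TO ROLE NEW_ROLE;
GRANT USAGE ON SCHEMA MY_DB.MY_SCHEMA TO ROLE NEW_ROLE;
GRANT SELECT ON VIEW MY_DB.MY_SCHEMA.PROCEDURE_DEFINITIONS TO ROLE NEW_ROLE;

-- Verify from the restricted role: the definitions are returned without
-- NEW_ROLE owning the procedures or holding SYSADMIN.
USE ROLE NEW_ROLE;
SELECT PROCEDURE_NAME, ARGUMENT_SIGNATURE, PROCEDURE_DEFINITION
FROM MY_DB.MY_SCHEMA.PROCEDURE_DEFINITIONS;
```

Procedure bodies can embed connection details or other sensitive literals, so keep the schema filter as tight as the role's actual needs.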


How can I grant usage on a procedure to a wide group of roles?

I've got a table called proc_logs that is intended to be used for logging/troubleshooting stored procs. I'd like to create a stored proc that inserts into this table and adds a timestamp. I'd like any stored proc in any other database in my account to have rights to call this procedure.
First attempt at this is:
grant USAGE on procedure WRITELOG(string,string) to PUBLIC
However, I think this would only apply to the PUBLIC schema in the same database. Is this "cross-database" proc considered a terrible idea? How can I grant usage on that proc to any other proc executing in my account? Do I need to create a "logger" role and grant that role to all of my functional roles, or do procedures use a special role? Also keep in mind that anyone who has the usage rights on that proc also needs to be able to select from it.
Besides using the USAGE privilege, why not use CREATE PROCEDURE with EXECUTE AS OWNER? With this statement the procedure is executed with the owner's rights; even if the caller has no privilege to insert data into the table proc_logs, the procedure executes with the owner's rights and the caller is able to insert data into this table.
Read this material on when to use owner's rights or caller's rights for a procedure:
https://docs.snowflake.com/en/sql-reference/stored-procedures-rights.html
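The owner's-rights approach from the answer, worked through as an added example (not code from the question or answer): the logging procedure inserts into proc_logs with its owner's privileges, and a dedicated LOGGER role receives the USAGE grant instead of PUBLIC, which in Snowflake is an account-level role and would reach every user. LOGDB, LOGS, ANALYST_ROLE and OTHER_DB are placeholder names.

```sql
-- Owner role creates the log table and the procedure.
USE ROLE SYSADMIN;
USE SCHEMA LOGDB.LOGS;

CREATE TABLE IF NOT EXISTS PROC_LOGS (
    LOGGED_AT  TIMESTAMP_NTZ DEFAULT CURRENT_TIMESTAMP(),
    PROC_NAME  STRING,
    MESSAGE    STRING
);

-- EXECUTE AS OWNER: the INSERT runs with the owner's privileges, so callers
-- need USAGE on the procedure but no SELECT or INSERT on PROC_LOGS itself.
CREATE OR REPLACE PROCEDURE WRITELOG(PROC_NAME STRING, MESSAGE STRING)
RETURNS STRING
LANGUAGE SQL
EXECUTE AS OWNER
AS
$$
BEGIN
    INSERT INTO PROC_LOGS (PROC_NAME, MESSAGE) VALUES (:PROC_NAME, :MESSAGE);
    RETURN 'logged';
END;
$$;

-- A dedicated LOGGER role keeps the grant narrow; grant it to the functional
-- roles that own the calling procedures rather than to PUBLIC.
CREATE ROLE IF NOT EXISTS LOGGER;
GRANT USAGE ON DATABASE LOGDB TO ROLE LOGGER;
GRANT USAGE ON SCHEMA LOGDB.LOGS TO ROLE LOGGER;
GRANT USAGE ON PROCEDURE LOGDB.LOGS.WRITELOG(STRING, STRING) TO ROLE LOGGER;
GRANT ROLE LOGGER TO ROLE ANALYST_ROLE;   -- placeholder functional role

-- From another database and role, the fully qualified call succeeds even
-- though ANALYST_ROLE cannot read or write PROC_LOGS directly.
USE ROLE ANALYST_ROLE;
USE DATABASE OTHER_DB;
CALL LOGDB.LOGS.WRITELOG('LOAD_ORDERS', 'started');
```

Because the procedure writes with its owner's rights, keep its body limited to the insert so callers cannot use it to reach other objects the owner can access.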

Organization based restrictions for participant identity issuing in Hyperledger Composer

Let's say we have a 2-organization network (OrgA and OrgB); both organizations have their own "Admin" identity that can issue identities. If the admin identity for OrgA issues an identity for a participant "ParA", how can one prohibit OrgB from issuing an identity for that participant?
You can use ACLs to restrict the kind of participants created or that are viewable by either organisation's admins. The simplest way is designated participant classes for each Org, and control access to participants by class.
Alternatively, they can be in the same participant class but have identifying Org metadata, i.e. where you DO insist that the participants are created in the same participant class. Then (with ACLs in place) the org admin from 'another org' won't have the capability to bind an identity he issued to the 'wrong' participant (i.e. one he should not even see, to bind it to), because a condition check in the ACL will prevent the access.
e.g.
rule myRule1 {
    description: "Org admin can see/access/create participants matching own org"
    participant(p): "org.acme.nwk.IssuerAdmins" // i.e. only someone of this class can 'issue identities'
    operation: ALL // (CREATE, READ, UPDATE, DELETE) // do everything, for IDs in their Org
    resource(r): "org.acme.nwk.myParticipants"
    condition: (p.organisation == r.organisation) // can ONLY see or do anything with participants from own Org
    action: ALLOW
}
An Org Admin from a 'different' org can issue identities, but will not be able to see a participant 'not in his/her Org' (to try to map it to his own org's identities).
It's possible to be more 'succinct' and base it on data, but putting complex JavaScript evaluations in (checking the attribute value for an Org pattern sequence etc.) adds more overhead if large amounts of data are being compared against.
You could also do it another way:

How to implement ACL spring security to share an object among group of users without creating many entries in ACL_Entry table

Similar to the problem mentioned below:
How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar
I am trying to solve the scenario below using Spring Security ACL.
We got a scenario to share the students' results with a group of teachers. In this scenario, when a teacher logs in he can see the result only if the teacher has read permission on the Result object. If we need to share the result with a group of teachers having 10 members in the group with read permission, we need to add 10 entries in the ACL_Entry table. This would be complicated as entries will increase with the increase in group members and the increase in permissions. Is there any other way such that if I share the result with the group there will be only one ACL entry, with the group having read permission on the result object, with which the teachers automatically get permission to read the object? Can you also explain with an example how the schema would be?
Please help.
Possible duplicate:
spring-security-authorization-for-custom-usergroups
If you look at this question you will find this possible solution:
I am using user groups with ACL mechanism. Basically I make sure that when ACL is created for an object the owner is set. Then when another user tries to access this object the owner's groups are checked to see if there is a match.
This of course means that when user changes his groups then the object 'goes with him'.
If you don't want this behavior you can have group object's ACL as a parent acl for a secure object. Then when a user changes groups you should set the correct entries for group object ACL. This way the secure object is tied to the user group not the user himself.
Spring Security Domain Object Security (ACLs)
These are actually two other possibilities, different from what is described in the question you linked.
There is also a brief conversation in the comments of the question I linked, so make sure to read it if you are intrigued.
To sort out the above problem I used the approach below.
I have users and user_role tables in my schema. I'm using the DB as the authentication manager in the security context.
SchoolA is already a user of my application.
Whenever a teacher is added to the schoolA group, I'm adding schoolA as a role to the teacher along with the user role. While sharing the result object with the schoolA group with read permission, I'm considering schoolA as a GrantedAuthoritySid instead of a PrincipalSid, so the principal column will be false for the SchoolA sid in the ACL_SID table. Whenever a teacher logs in, while getting the results we check whether the teacher has read permission on the result object; as the teacher has the schoolA role and the schoolA role has read permission, I'm able to get the result object when the teacher logs in. In this way I solved my above problem.
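The schema the question asked for, as an added example (constructed rows, not taken from the thread): the standard Spring Security ACL tables with the group stored as a GrantedAuthoritySid (principal = false) and a single acl_entry granting READ to it, so adding a teacher to the group never adds a row. Ids, the ROLE_SCHOOL_A authority and the class name are placeholders.

```sql
-- Spring Security ACL tables: acl_sid, acl_class, acl_object_identity, acl_entry.

-- The group is a GrantedAuthoritySid: principal = false, sid = the role name.
INSERT INTO acl_sid (id, principal, sid) VALUES (1, false, 'ROLE_SCHOOL_A');
-- The owner of the Result object is a PrincipalSid (a user name).
INSERT INTO acl_sid (id, principal, sid) VALUES (2, true, 'admin');

INSERT INTO acl_class (id, class) VALUES (1, 'com.example.school.Result');

-- One object identity for Result #42, owned by 'admin'.
INSERT INTO acl_object_identity
    (id, object_id_class, object_id_identity, parent_object, owner_sid, entries_inheriting)
VALUES (1, 1, '42', NULL, 2, true);

-- A single ACE grants READ (BasePermission.READ mask = 1) to the group SID.
-- Every teacher holding ROLE_SCHOOL_A matches this entry; no per-user rows.
INSERT INTO acl_entry
    (id, acl_object_identity, ace_order, sid, mask, granting, audit_success, audit_failure)
VALUES (1, 1, 0, 1, 1, true, false, false);

-- Equivalent of the lookup Spring performs for a teacher whose SIDs are
-- PrincipalSid('teacher1') plus GrantedAuthoritySid('ROLE_SCHOOL_A'):
SELECT e.ace_order, e.mask, e.granting, s.sid
FROM acl_entry e
JOIN acl_object_identity oi ON oi.id = e.acl_object_identity
JOIN acl_class c ON c.id = oi.object_id_class
JOIN acl_sid s ON s.id = e.sid
WHERE c.class = 'com.example.school.Result'
  AND oi.object_id_identity = '42'
  AND s.sid IN ('teacher1', 'ROLE_SCHOOL_A')
ORDER BY e.ace_order;
```

Removing a teacher from the group revokes access by dropping the role from that user only; the ACL rows stay untouched, which is the property the prose above relies on.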

API for Changing a User Role in Desire2Learn

In the user API docs it is mentioned that to change the user's role at the organization level we need to use the schema "PUT /d2l/api/lp/(D2LVERSION: version)/users/(D2LID: userId)".
This requires an UpdateUserData JSON block as input, but the UpdateUserData JSON block does not have a role id in it. How, then, will we pass the new role of the user?
Role applies to a particular level in the organization, so it is not an intrinsic property of a user but rather a property of the relationship between a user and the org, or the user and the org unit (department, course etc.).
So you could delete and then create the user's enrollment at the org level. (The id for the org level is retrieved with the org info call.)
The operation to delete the enrollment is on the enrollment page. And the operation to create the enrollment is on the same page.
However, it is NOT typical for a user to have no enrollment at the org level (e.g. if there was a connection interrupt between delete and create, it is not clear what the state of not being enrolled in the org would mean).
I am not sure this fits your application, but, more typical than adding and removing enrollments at the org level is to add and remove them in a particular org unit. That way the user always has a presence in the org, but you can govern permissions via that org unit.

Delphi XE Data Snap TCP/IP client login form

(I saw the Demo Dirt, but it is used for HTTP Web and I don't know how to switch it to TCP/IP.)
I'm new to Delphi. I need help about using DataSnap and a client login form (check user password from SQL Server) and then applying a role. Any code or answer will be appreciated.
Thanks in advance
I'd be happy to help you if you could explain a bit more clearly what you want to do and what currently isn't working. (What you are trying to accomplish with the application, what you have so far for authentication, and what exactly you are stuck on.)
If you want to start from scratch, this is what you'd do:
Use the "DataSnap Server" wizard to create a new server project. This will use Indy (instead of WebBroker) and will allow for TCP/IP connections (even for heavyweight callbacks).
While setting the properties in the wizard, make sure to check the "Authentication" option. ("Authorization" isn't required, only if you want a more complicated authentication/authorization mechanism.)
Open the ServerModule unit the wizard generated, and switch to the code tab.
Find the "DSAuthenticationManager1UserAuthenticate" function (added automatically if you checked Authentication in the wizard).
In this function, do your authentication... you have access to the user name ("User") and password ("Password"). Connect to a database, and see if there is a matching user, and what roles the user has. Then, populate the UserRoles collection passed in to this method with all the roles the user has.
Once you specify roles on a user, those do nothing until your server methods also have allowed or denied roles assigned to them. You can do this in the TDSAuthenticationManager component at design time in the Object Inspector (ServerModule form). There is a Roles collection you can modify.
Or, you can add attributes in code to your server methods. You can put this, for example:
// only callers holding the 'admin' role may invoke this method
[TRoleAuth('admin')]
function EchoString(Value: string): string;
That will mean EchoString can only be invoked by a user with the 'admin' role.
Or this:
// first argument: allowed roles (none listed); second: denied roles
[TRoleAuth('', 'admin')]
function EchoString(Value: string): string;
Which would mean anyone EXCEPT a user with the 'admin' role can invoke EchoString.
Or this:
// comma-separated list: any one of these roles is sufficient
[TRoleAuth('admin,guest,visitor')]
function EchoString(Value: string): string;
Which would mean any user with 'admin', 'guest', or 'visitor' as one of their roles (or any combination) can invoke EchoString.
NOTE: To use the TRoleAuth attribute, you need to add the DSAuth unit to your uses clause, otherwise the role attributes will be ignored.
On the client, add a TSQLConnection component. Set the driver to "Datasnap", then expand it. Set the host and port values. See more on setting this up here:
http://blogs.embarcadero.com/mathewd/2011/07/12/programmatically-set-datasnap-credentials-on-a-tsqlconnection/
Also, I've previously posted on my blog about authentication:
http://blogs.embarcadero.com/mathewd/2010/09/12/authentication-and-authorization-with-datasnap-and-rest/
I hope that helps.
Mat
