Sql-server – Accessing Table Data ONLY From View

permissionssql serverview

I have a table '[Employee]' , and I want to allow access to certain people only through [View] , using a grant.I am trying first to do it with a single user [User] and then do it for a collection of users through a role. I know I can use :

GRANT SELECT ON OBJECT : : [VIEW] TO [User] ;

And I can also create a role [Role] , and use:

GRANT SELECT ON OBJECT : : [VIEW] TO [Role]

My question is whether this permission somehow implicitly excludes all others,
i.e., do the two grants above prevent any of the [Users][Roles] from having any other type of access to '[Employee]' ( Read, Select, Update ), or do I have to expressly prohibit said users, roles from having additional access?

I assume this has to see with membership of [User] and the people in [Role] in other logins or existing user types which may have been granted said permissions either explicitly or as part of role membership? Thanks.

Best Answer

Unless you grant SELECT to 'public' role, you must explicitly grant access to each user, group or database role.

For simplicity, you can create a new database role, (i.e. my_users), then grant select to this role and finally add new users to the role.

Related Solutions

When creating views, why do users need direct object permissions if they already have the same permissions via a role

While you may have a lot of users, it would be unusual for them to require their own views. The views should be in one schema (possibly the one owning the tables) and the users should query them by either prefixing the schemaname (eg vwowner.view) or using the

ALTER SESSION SET_CURRENT_SCHEMA=vwowner

Roles are transient. You can do a SET ROLE NONE to turn them all off. You can have multiple sessions for the same account with different roles enabled. That isn't compatible with the way that Oracle handles objects (where they are either valid or they are not; they can't be valid for some sessions and not for others).

Oracle – list users with access to certain tables

List all users who have been assigned a particular role

-- Change 'DBA' to the required role
select * from dba_role_privs where granted_role = 'DBA'

List all roles given to a user

-- Change 'PHIL@ to the required user
select * from dba_role_privs where grantee = 'PHIL';

List all privileges given to a user

select
  lpad(' ', 2*level) || granted_role "User, his roles and privileges"
from
  (
  /* THE USERS */
    select 
      null     grantee, 
      username granted_role
    from 
      dba_users
    where
      username like upper('%&enter_username%')
  /* THE ROLES TO ROLES RELATIONS */ 
  union
    select 
      grantee,
      granted_role
    from
      dba_role_privs
  /* THE ROLES TO PRIVILEGE RELATIONS */ 
  union
    select
      grantee,
      privilege
    from
      dba_sys_privs
  )
start with grantee is null
connect by grantee = prior granted_role;

Note: Taken from http://www.adp-gmbh.ch/ora/misc/recursively_list_privilege.html

List which tables a certain role gives SELECT access to?

-- Change 'DBA' to the required role.
select * from role_tab_privs where role='DBA' and privilege = 'SELECT';

List all tables a user can SELECT from?

--Change 'PHIL' to the required user
select * from dba_tab_privs where GRANTEE ='PHIL' and privilege = 'SELECT';

List all users who can SELECT on a particular table (either through being given a relevant role or through a direct grant (ie grant select on atable to joe))? The result of this query should also show through which role the user has this access or whether it was a direct grant.

-- Change 'TABLENAME' below
select Grantee,'Granted Through Role' as Grant_Type, role, table_name
from role_tab_privs rtp, dba_role_privs drp
where rtp.role = drp.granted_role
and table_name = 'TABLENAME' 
union
select Grantee,'Direct Grant' as Grant_type, null as role, table_name
from dba_tab_privs
where table_name = 'TABLENAME' ;

Best Answer

Related Solutions

When creating views, why do users need direct object permissions if they already have the same permissions via a role

Oracle – list users with access to certain tables

Related Question