I just created a new user and granted connect and select on a single
view, only. When I connect to my database, the new user has at least
select privileges on the whole database. What am I doing wrong or
misunderstanding? How do I discover all the privileges granted on my
database? How do I revoke all privileges and then restore just the ones
I want? Does public get any privileges by default?
14  1684 
Bob Stearns wrote: I just created a new user and granted connect and select on a single
view, only. When I connect to my database, the new user has at least
select privileges on the whole database. What am I doing wrong or
misunderstanding? How do I discover all the privileges granted on my
database? How do I revoke all privileges and then restore just the ones
I want? Does public get any privileges by default?
Bob,
How did you test your hypothesis. I suspect you tried to select from a
SYSCAT view or a SYSIBM table.
By default PUBLIC gets granted SELECT on the catalog objects (SYSCAT,
SYSIBM, SYSFUN and SYSPROC).
In DB2 9 there is a new RESTRICT option that creates the database very
tight to begin with.
On DB2 V8 a simple procedure revoking SEELCT from PUBLIC on these
objects should do just fine.
Something like:
CREATE PROCEDURE revokepublic(IN objecttype VARCHAR(20))
BEGIN
DECLARE revtxt VARCHAR(1000);
DECLARE curtxt VARCHAR(1000);
DECLARE SQLCODE INTEGER;
DECLARE SQLSTATE CHAR(5);
DECLARE objname VARCHAR(128);
DECLARE objschema VARCHAR(128);
DECLARE stmt STATEMENT;
DELCARE cur CURSOR FOR stmt;
SET curtxt = CASE UCASE(objecttype) WHEN 'TABLE'
THEN 'SELECT TABSCHEMA, TABNAME FROM SYSCAT.TABLES WHERE
TABSCHEMA LIKE ''SYS%'''
...
END;
PREPARE stmt FROM curtxt;
OPEN cur;
LOOP
FETCH TABSCHEMA, TABNAME INTO OBJSCHEMA, OBJNAME;
IF SQLCODE = 100 THEN LEAVE; END IF;
SET revtxt = 'REVOKE SELECT ON ' || objtype || ' "' || objschema ||
'"."' || objname || '" FROM PUBLIC';
EXECUTE IMMEDIATE revtxt;
END LOOP;
END
Well, something like that....
Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
IOD Conference http://www.ibm.com/software/data/ond...ness/conf2006/
Serge Rielau wrote: Bob Stearns wrote:
I just created a new user and granted connect and select on a single
view, only. When I connect to my database, the new user has at least
select privileges on the whole database. What am I doing wrong or
misunderstanding? How do I discover all the privileges granted on my
database? How do I revoke all privileges and then restore just the
ones I want? Does public get any privileges by default?
Bob,
How did you test your hypothesis. I suspect you tried to select from a
SYSCAT view or a SYSIBM table.
By default PUBLIC gets granted SELECT on the catalog objects (SYSCAT,
SYSIBM, SYSFUN and SYSPROC).
In DB2 9 there is a new RESTRICT option that creates the database very
tight to begin with.
On DB2 V8 a simple procedure revoking SEELCT from PUBLIC on these
objects should do just fine.
Something like:
CREATE PROCEDURE revokepublic(IN objecttype VARCHAR(20))
BEGIN
DECLARE revtxt VARCHAR(1000);
DECLARE curtxt VARCHAR(1000);
DECLARE SQLCODE INTEGER;
DECLARE SQLSTATE CHAR(5);
DECLARE objname VARCHAR(128);
DECLARE objschema VARCHAR(128);
DECLARE stmt STATEMENT;
DELCARE cur CURSOR FOR stmt;
SET curtxt = CASE UCASE(objecttype) WHEN 'TABLE'
THEN 'SELECT TABSCHEMA, TABNAME FROM SYSCAT.TABLES WHERE
TABSCHEMA LIKE ''SYS%'''
...
END;
PREPARE stmt FROM curtxt;
OPEN cur;
LOOP
FETCH TABSCHEMA, TABNAME INTO OBJSCHEMA, OBJNAME;
IF SQLCODE = 100 THEN LEAVE; END IF;
SET revtxt = 'REVOKE SELECT ON ' || objtype || ' "' || objschema ||
'"."' || objname || '" FROM PUBLIC';
EXECUTE IMMEDIATE revtxt;
END LOOP;
END
Well, something like that....
Cheers
Serge
Actually I tried a select on one of my own tables, since I granted
SELECT to a VIEW based on one of my tables.
However I figured out what I did wrong. This the new user I was having
so much trouble with last week and one of the straws I grasped was to
make this new user as like some of my working users as possible,
including groups. At least one of those groups must have admin
authorization. As soon as I removed the unnecessary groups, the userid
behaved as I wish.
Thanks for the procedure, I will keep it against future need.
Is everyone with connect authorization in the group public? Is there a
way to make a schema invisible to public?
Bob Stearns wrote: Is everyone with connect authorization in the group public?
Yes, everyone is in the PUBLIC group.
Is there a
way to make a schema invisible to public?
Short of revoking the privileges on all objects in this schema from PUBLIC:
no.
--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Knut Stolze wrote: Bob Stearns wrote:
Is everyone with connect authorization in the group public?
Yes, everyone is in the PUBLIC group.
Is there a
way to make a schema invisible to public?
Short of revoking the privileges on all objects in this schema from PUBLIC:
no.
Can I revoke/exclude someone from the PUBLIC group?
Knut Stolze wrote: Bob Stearns wrote:
Is everyone with connect authorization in the group public?
Yes, everyone is in the PUBLIC group.
Is there a
way to make a schema invisible to public?
Short of revoking the privileges on all objects in this schema from PUBLIC:
no.
PUBLIC has no privileges on any object (according to the error message)
that I don't wish my user to see. When he lists tables/views from my
schema, I want him to see only those he can use.
Bob Stearns wrote: Can I revoke/exclude someone from the PUBLIC group?
No because this wouldn't be a public group any longer.
--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Bob Stearns wrote: PUBLIC has no privileges on any object (according to the error message)
that I don't wish my user to see. When he lists tables/views from my
schema, I want him to see only those he can use.
Then you could do a join with SYSCAT.TABAUTH and filter-out all tables/views
on which the user has no direct or indirect privileges.
--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Knut Stolze wrote: Bob Stearns wrote:
PUBLIC has no privileges on any object (according to the error message)
that I don't wish my user to see. When he lists tables/views from my
schema, I want him to see only those he can use.
Then you could do a join with SYSCAT.TABAUTH and filter-out all tables/views
on which the user has no direct or indirect privileges.
I am not displaying the list, the odbc application is. The users
involved will have access to about a dozen views, out of over 150 tables
and views in the schema (even more when the table display routine shows
all tables/views from all schemas, intermixed). They don't need to see
the large number of "irrelevant" tables (I believe it was Bismarck who
said "Laws are like sausages. It's better not to see them being made."
It applies here to.)
Bob Stearns wrote: I am not displaying the list, the odbc application is. The users
involved will have access to about a dozen views, out of over 150 tables
and views in the schema (even more when the table display routine shows
all tables/views from all schemas, intermixed). They don't need to see
the large number of "irrelevant" tables
Well, in a way that sounds to me as if your application is not doing what it
should, i.e. request only the "relevant" tables in the first place.
--
Knut Stolze
DB2 Information Integration Development
IBM Germany
Knut Stolze wrote: Bob Stearns wrote:
I am not displaying the list, the odbc application is. The users
involved will have access to about a dozen views, out of over 150 tables
and views in the schema (even more when the table display routine shows
all tables/views from all schemas, intermixed). They don't need to see
the large number of "irrelevant" tables
Well, in a way that sounds to me as if your application is not doing what it
should, i.e. request only the "relevant" tables in the first place.
I didn't write the applications. I want to use things like m$excel,
m$access, sas, etc.
Bob Stearns wrote: I didn't write the applications. I want to use things like m$excel,
m$access, sas, etc.
Why you drive Volkswagen if you can afford a Porsche?
Bernd
Bernd Hohmann wrote: Bob Stearns wrote:
I didn't write the applications. I want to use things like m$excel,
m$access, sas, etc.
Why you drive Volkswagen if you can afford a Porsche?
Bernd
I don't. That is what my end users (twice separated from me) know and want.
Bob Stearns wrote: I didn't write the applications. I want to use things like m$excel,
m$access, sas, etc.
Why you drive Volkswagen if you can afford a Porsche?
I don't. That is what my end users (twice separated from me) know and want.
Uhh.... You're in bad company.
Unfortunately I cannot help you in this case :-(
Bernd
Bob Stearns wrote: Knut Stolze wrote: Bob Stearns wrote:
I am not displaying the list, the odbc application is. The users
involved will have access to about a dozen views, out of over 150 tables
and views in the schema (even more when the table display routine shows
all tables/views from all schemas, intermixed). They don't need to see
the large number of "irrelevant" tables
Well, in a way that sounds to me as if your application is not doing what
it should, i.e. request only the "relevant" tables in the first place.
I didn't write the applications. I want to use things like m$excel,
m$access, sas, etc.
So what _is_ the application doing exactly? Depending on how it determines
the relevant (and irrelevant) tables, we may be able to slip something in
that does the filtering.
--
Knut Stolze
DB2 Information Integration Development
IBM Germany This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Amardeep Verma |
last post by:
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?
Thanking you in Advance
Have a nice day
|
by: Charles Cantrell |
last post by:
I have recently set up mySQL on a Mandrake release of Linux (Version 7 of
Mandrake, I believe), using the binary 4.0.13 standard release.
The set up and start up all were normal, as far as I...
|
by: maxwell |
last post by:
mysql Ver 3.23.54
Having read, as best I could, the docs at http://www.mysql.com/documentation ...,
on host (Linux from scratch, kernel 2.4.20) "mysql.here.com" I enter:
mysql> GRANT ALL...
|
by: usaims |
last post by:
Hello:
I have just created a user with specific permissions to certain tables
in different databases. Now I have to create serveral more users with
the same permission. Is there a command in...
|
by: Andy S. |
last post by:
Hi,
I'm new to DB2. I want to view all the exisiting privileges (i.e. which
users have which privilegens) for a given stored procedure that exists
on the database.
How do I do this?
Thanks...
|
by: virgilio |
last post by:
Hi all,
"Administrator Guide Implementation" DB2 8.2, chapter 7, section
"Indirect privileges through a package" states:
(highlight >>>>!!!<<<<)
"Privileges granted to individuals binding the...
|
by: steingold |
last post by:
Hi All.
Is it possible to define an external stored procedure to be executed
not with the executing user privileges, but instead with the user who
created the stored procedure privileges in db2...
|
by: EricBlair |
last post by:
Hello, I wrote a windows service that is supposed to start an interactive GUI app. I realize a service will not readily do this so I've pieced together the code below to bypass that. However, the...
|
by: Frank Swarbrick |
last post by:
I feel like an idiot for asking this, but neither I nor my DBA can figure
this out.
How do you create a database object that does not implicitly allow access by
any defined user?
For instance,...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |
