 |
|
| Computers Forum Index » Computer - Databases - Sybase » User with read only access.... |
|
Page 1 of 1 |
|
| Author |
Message |
| ... |
 Posted: Tue Jun 09, 2009 6:21 pm |
|
|
|
Guest
|
Dear Experts,
I need a new user to be created with a read only access to some tables
and no access to all other objects. My DBA told me it is impossible in
Sybase because all new users belong to the "public" group which has a
full access to all objects. So he has to remove access permissions
from the group and it will make a lot of problems. I think it could be
more realistic solution for this simple job. Could you please give me
some input how to create a new user with a read only access?
Regards,
Serguei. |
|
|
| Back to top |
|
|
|
| ThanksButNo... |
| Posted: Tue Jun 09, 2009 10:06 pm |
|
|
|
Guest
|
On Jun 9, 11:21 am, Serguei.Goumeni... at (no spam) cibc.ca wrote:
Quote: Dear Experts,
I need a new user to be created with a read only access to some tables
and no access to all other objects. My DBA told me it is impossible in
Sybase because all new users belong to the "public" group which has a
full access to all objects. So he has to remove access permissions
from the group and it will make a lot of problems. I think it could be
more realistic solution for this simple job. Could you please give me
some input how to create a new user with a read only access?
With all due respect, your DBA doesn't know what he's talking
about. Just REVOKE the INSERT and UPDATE permissions on those
tables from that user.
REVOKE INSERT,UPDATE ON {table} FROM {user}
GO
I just tried that with Sybase 12.5.1 and 15.0.2 and it works fine.
Now, if you come back later and GRANT ALL to PUBLIC again, it
will override all your REVOKEs. But, like the old Henny Youngman
joke -- "Doctor, it hurts when I do this," and the doctor said,
"Don't do that."
:-) |
|
|
| Back to top |
|
|
|
| ThanksButNo... |
| Posted: Tue Jun 09, 2009 10:27 pm |
|
|
|
Guest
|
On Jun 9, 3:06 pm, ThanksButNo <no.no.tha... at (no spam) gmail.com> wrote:
Quote: On Jun 9, 11:21 am, Serguei.Goumeni... at (no spam) cibc.ca wrote:
Dear Experts,
I need a new user to be created with a read only access to some tables
and no access to all other objects. My DBA told me it is impossible in
Sybase because all new users belong to the "public" group which has a
full access to all objects. So he has to remove access permissions
from the group and it will make a lot of problems. I think it could be
more realistic solution for this simple job. Could you please give me
some input how to create a new user with a read only access?
With all due respect, your DBA doesn't know what he's talking
about. Just REVOKE the INSERT and UPDATE permissions on those
tables from that user.
REVOKE INSERT,UPDATE ON {table} FROM {user}
GO
Probably DELETE too.
\:-\ |
|
|
| Back to top |
|
|
|
| Carl Kayser... |
| Posted: Tue Jun 09, 2009 10:51 pm |
|
|
|
Guest
|
<Serguei.Goumeniouk at (no spam) cibc.ca> wrote in message
news:e5f40818-1069-4460-8fcc-532d99afba94 at (no spam) n21g2000vba.googlegroups.com...
Quote: Dear Experts,
I need a new user to be created with a read only access to some tables
and no access to all other objects. My DBA told me it is impossible in
Sybase because all new users belong to the "public" group which has a
full access to all objects. So he has to remove access permissions
from the group and it will make a lot of problems. I think it could be
more realistic solution for this simple job. Could you please give me
some input how to create a new user with a read only access?
Regards,
Serguei.
Offhand it seems to me that your DBA is providing nonsense - but it also
depends upon how he sets up security initially. Apparently the "security"
is rather non-existent since "public" (i.e., every user) has full access.
The general technique is to let "public" have either no privileges or "bare
bones" privileges. Grants are then given to groups or roles. The former is
restricted because a user can belong to only one non-public group. With the
latter a login (note the distinction) can have many role permissions and
role hierarchies can exist. Continuing with the latter a login is granted
roles at the server level and permissions are granted to roles at the
database level. If a login is a user in a database then he has all the
permissions that are granted to any role that he has. If a login is not a
user in a database .... well, then he can't do anything anyway ... unless
there is a guest account.
I'll stop here other than one should plan ahead and, in my opinion, not
mix-and-match groups and roles. Chapter 17 and parts of chapter 14 should
be useful at
http://infocenter.sybase.com/help/topic/com.sybase.help.ase_15.0.sag1/sag1.pdf |
|
|
| Back to top |
|
|
|
|
|
All times are GMT
The time now is Thu Dec 10, 2009 3:27 pm
|
|