Suppose I have got 2 RLS roles: Manager, User. Each role has the respective filters applied on the User table.
If there is a user who is assigned view permission to a report, and that user doesn't belong to any RLS role, then technically since no filters apply will the user be able to see entire unfiltered data?
Related
I am looking for advice on a not so particular situation.
I currently have roughly 20000 stores.
All stores have admins, managers and user roles.
An admin can create/manage any roles
A manager can create/manage only user role
A user can login and access custom functionality.
Any persona can be assigned to 1 or multiple store and can have 1 or multiple roles for that particular store.
Ie:
StoreA has userA as Admin and userB as Manager
StoreB has userA as User and userB as Admin
At first, I converted my stores to be groups. But since roles are binded to the group, I would have still have 3 roles for each group (20000 groups and 60000 roles - Group StoreA, Roles: StoreA_Admin, StoreA_Manager, StoreA_User, etc...). Not sure if it is the right decision, And I am not sure about the performance.
Then, I kept the stores as groups, but instead of creating roles, I created custom multivalued attributes that saves the group uid. That worked in carbon, as well as the API, but the console doesn't like the multivalued fields. And if another role is introduced, I would have to create another field.
Any thought on how to approach this situation ?
We can map your story to IS groups and roles as follows.
Please note that groups and roles are treated as two separate resources since IS-5.11.0.
Refer to:
https://is.docs.wso2.com/en/5.11.0/setup/migrating-what-has-changed/#group-and-role-separation
https://medium.com/p/93d42fe2f135
That separation is not clearly visible in the management console. So you can use the console application to create groups and roles.
Group used to represent a collection of users in the user store. One user can belong to zero or more groups.
Role is a collection of permissions. A role can have zero or more permissions.
We can assign a role either to a group/ a user.
Due to this statement:
A user can log in and access custom functionality.
We don't need to assign any role to normal business users specifically.No specific role is required to login into the business application via identity server basic authentication. In case your business application has a role-based access control need to assign a role to business users as well. Otherwise, every user will get login permissions upon successful authentication, it should be enough to do business operations in the application.
In your case, if any store's admin has the same set of permissions and any manager has the same set of permissions, you can't just evaluate the permissions and authorize the requests.
For eg: If user B is the manager of store A and admin of store B, he has inherited both admin and manager roles related permissions. But user B performs a request on store B, you have to authorize the request based on only the roles related to store B.
We’ve been having an issue when giving permissions to groups in redshift.
The main problem is that when we give access to certain schemas and then after an user adds a new table to the schemas, the group has no access to the new table (due to permissions error).
We tried to give the following permissions:
GRANT USAGE ON SCHEMA <schema> TO GROUP <group>;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO GROUP <group>;
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema> GRANT SELECT ON TABLES to group <group>;
And that solution didn’t work as expected.
A temporary solution we made is making a super user to allow our developers to work, which is what we want to avoid and is not a good practice.
Thanks!
To set the privileges that will be created for new tables you have to update the default privileges. See: https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_DEFAULT_PRIVILEGES.html
The default privileges "Defines the default set of access privileges to be applied to objects that are created in the future by the specified user. By default, users can change only their own default access privileges. Only a superuser can specify default privileges for other users." Grant only works on existing tables / objects.
Hope this helps you out.
I am puzzled about the Role Manager in Visual Studio when working with SSAS tabular cubes:
Is my understanding correct?
When a user logs to the cube, the “security” will check each role and see if the user is in that role… if the user is in the role; it gives the said access.
If the user is in multiple roles, it will give some sort UNION between all of them, so the user can see as much as possible , correct?
Is this documented anywhere?
Ps: is there also documentation in cases where you force less access (like having a ‘users’ table and putting that filter in a .pbix only on a specific page?
From https://learn.microsoft.com/en-us/analysis-services/tabular-models/roles-ssas-tabular?view=asallproducts-allversions#permissions
"A group or user can be a member of any number of roles, each role with a different permission. When a user is a member of multiple roles, the permissions defined for each role are cumulative. For example, if a user is a member of a role with the Read permission, and also a member of a role with None permission, that user will have Read permissions."
One important result of this in SSAS, is that Server Admins can read everything always.
Also don't confuse access from filters. Access of "None" means I cannot ever access the data. Access of "Read" plus a page filter will not prevent me from accessing the data from Q+A or Analyze in Excel. Use filters in roles for security. A security table used in a filter in a role will prevent access. If the filter is just on the visual or page, the data is not secure, just not shown.
Problem: I have a project in BigQuery where all my data is stored. Within this project I created multiple datasets containing different views. Now I want to use different service accounts to query the different datasets containing different views via grafana (if that matters). These users should only be able to query the views (and therefore a specific dataset) meant for them.
What I tried: I granted BigQuery User, Viewer or Editor permissions (I tried all of them) at a dataset level (and also BigQuery Meatadata Viewer at a project level). When I query a view, I receive the error:
User does not have bigquery.jobs.create permission in project xy.
Questions: It is not clear to me if granting bigquery.jobs.create permission on project level, will allow the user to query all datasets instead of only the one I want him to access to.
Is there any way to allow the user to create jobs only on a single dataset?
Update October 2021
I've just seen that this question did go unanswered for me back then but still gets a lot of views. I believe the possibilities changed a bit since I asked the question so here is how I'm handling it now:
I give the respective service account the role roles/bigquery.jobUser on project level. This allows it to create jobs in general, however since I don't give any other permissions yet it cannot query data yet.
Then I give the role roles/bigquery.dataViewer on the dataset level. That makes it possible for the service account to query only the dataset I granted the permission on.
It is also possible to grant roles/bigquery.dataViewer on table level, what will restrict access to only the specific table.
In case you want the service account not only to query (view) the data, but also to insert or change it for example, replace roles/bigquery.dataViewer with the role having the necessary permissions (or assign that role in addition).
How to grant the permissions:
On dataset level
On table or view level
We had a same problem, how we solved was, created a custom role and assigned the custom role to the particular dataset.
You can grant bigquery.user role to a specific dataset as indicated in this guide. The bigquery.user role contains the bigquery.jobs.create permission as well as other basic permissions related to querying datasets. You can check the full list of permissions for this role in this list.
As suggested above, you can also create custom roles having only the exact permissions you want by following this piece of documentation.
I have an Amazon Redshift cluster with four schemas (Schema1, Schema2, Schema3 and Schema 4).
I created a user User1 in this cluster. I want this user to have only read-only access to all the tables in Schema1. Currently, this user has access(Select, Insert, Update, Delete) to all the tables from all the schemas.
I tried all the commands from the Redshift manual, but looks like nothing is working.
Example:
REVOKE ALL on schema schema1 from User1
REVOKE ALL on schema schema2 from User1
REVOKE ALL on schema schema3 from User1
REVOKE ALL on schema schema4 from User1
I also tried to revoke individual permissions (Insert, Update, Delete).
I also tried to revoke permissions (Insert, Update, Delete) from individual table
Tried all the combinations from the manual. I am using SQL Workbench and all the statements were successfully executed without any syntax error.
Not able to figure it. Any help is appreciated.
P.S. I have 15 years of database experience working on roles and permissions.
In my case the issue I had was that I had 3 users belonging to the same group.
The group had been granted ALL privileges to all the tables of the schema.
Therefore revoking the permissions for a single user did not work since group permissions supersede user permissions.
TL;DR
The solution in my case was to create a group for each user and revoke access to the schema for the other groups.
REVOKE ALL ON SCHEMA my_schema FROM group my_group;
These commands seem to work:
CREATE SCHEMA schema1;
CREATE TABLE schema1.foo (name TEXT);
CREATE USER user1 PASSWORD 'Abcd1234';
GRANT USAGE ON SCHEMA schema1 TO user1;
GRANT SELECT ON ALL TABLES IN SCHEMA schema1 TO user1;
However, it might not automatically grant access on tables created in future.
Since Amazon Redshift is based on PostgreSQL 8.0.2, see: How do you create a read-only user in PostgreSQL?
This might not be what caused the issue of the OP, but it solved the issue for me, and could solve it for people who encounter the same situation and end up on this thread.
In addition to George V's answer, note that there is in Redshift a PUBLIC group, that grants permissions to every user.
PUBLIC represents a group that always includes all users. An individual user's privileges consist of the sum of privileges granted to PUBLIC, privileges granted to any groups that the user belongs to, and any privileges granted to the user individually.
(from the doc on GRANT)
So if you want to make sure that User1 doesn't have access to tables in schema2 for example, you should run:
REVOKE ALL on schema schema2 from User1;
REVOKE ALL on schema schema2 from Group1; --assuming this is the only group of User1
REVOKE ALL on schema schema2 from PUBLIC;