We’ve been having an issue when giving permissions to groups in redshift.
The main problem is that when we give access to certain schemas and then after an user adds a new table to the schemas, the group has no access to the new table (due to permissions error).
We tried to give the following permissions:
GRANT USAGE ON SCHEMA <schema> TO GROUP <group>;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO GROUP <group>;
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema> GRANT SELECT ON TABLES to group <group>;
And that solution didn’t work as expected.
A temporary solution we made is making a super user to allow our developers to work, which is what we want to avoid and is not a good practice.
Thanks!
To set the privileges that will be created for new tables you have to update the default privileges. See: https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_DEFAULT_PRIVILEGES.html
The default privileges "Defines the default set of access privileges to be applied to objects that are created in the future by the specified user. By default, users can change only their own default access privileges. Only a superuser can specify default privileges for other users." Grant only works on existing tables / objects.
Hope this helps you out.
Related
There are some users in the Redshift data warehouse who have read and edit permissions. What query should I run to remove their edit permissions so that they can only do select queries?
The SQL command you are looking for is REVOKE - https://docs.aws.amazon.com/redshift/latest/dg/r_REVOKE.html
Now to get the exact command(s) you want to run a few more pieces of information will be needed. But first a quick overview of Redshift permissions. In many database like Redshift users don't (in general) have permissions, the objects have access information about which users/groups can perform which actions. So there is no 'make this user be read-only always' command. REVOKE can act on databases, schemas, tables, and views but these actions only apply to currently existing objects. Objects created in the future will have the access rights assigned by the creating users default ACL.
Now to the questions - are all these users part of a group and the only members of this group? If so you will likely want to apply the REVOKE to the group. Is this restriction for existing tables or do you want them to not be able to create new table (even temp table) in all schemas and database? This will impact what object types you want to revoke rights. Have you or your DBAs changed the default ACLs on the database? These may need to be updated to prevent write accesses being given on future objects in the database.
I am puzzled about the Role Manager in Visual Studio when working with SSAS tabular cubes:
Is my understanding correct?
When a user logs to the cube, the “security” will check each role and see if the user is in that role… if the user is in the role; it gives the said access.
If the user is in multiple roles, it will give some sort UNION between all of them, so the user can see as much as possible , correct?
Is this documented anywhere?
Ps: is there also documentation in cases where you force less access (like having a ‘users’ table and putting that filter in a .pbix only on a specific page?
From https://learn.microsoft.com/en-us/analysis-services/tabular-models/roles-ssas-tabular?view=asallproducts-allversions#permissions
"A group or user can be a member of any number of roles, each role with a different permission. When a user is a member of multiple roles, the permissions defined for each role are cumulative. For example, if a user is a member of a role with the Read permission, and also a member of a role with None permission, that user will have Read permissions."
One important result of this in SSAS, is that Server Admins can read everything always.
Also don't confuse access from filters. Access of "None" means I cannot ever access the data. Access of "Read" plus a page filter will not prevent me from accessing the data from Q+A or Analyze in Excel. Use filters in roles for security. A security table used in a filter in a role will prevent access. If the filter is just on the visual or page, the data is not secure, just not shown.
Problem: I have a project in BigQuery where all my data is stored. Within this project I created multiple datasets containing different views. Now I want to use different service accounts to query the different datasets containing different views via grafana (if that matters). These users should only be able to query the views (and therefore a specific dataset) meant for them.
What I tried: I granted BigQuery User, Viewer or Editor permissions (I tried all of them) at a dataset level (and also BigQuery Meatadata Viewer at a project level). When I query a view, I receive the error:
User does not have bigquery.jobs.create permission in project xy.
Questions: It is not clear to me if granting bigquery.jobs.create permission on project level, will allow the user to query all datasets instead of only the one I want him to access to.
Is there any way to allow the user to create jobs only on a single dataset?
Update October 2021
I've just seen that this question did go unanswered for me back then but still gets a lot of views. I believe the possibilities changed a bit since I asked the question so here is how I'm handling it now:
I give the respective service account the role roles/bigquery.jobUser on project level. This allows it to create jobs in general, however since I don't give any other permissions yet it cannot query data yet.
Then I give the role roles/bigquery.dataViewer on the dataset level. That makes it possible for the service account to query only the dataset I granted the permission on.
It is also possible to grant roles/bigquery.dataViewer on table level, what will restrict access to only the specific table.
In case you want the service account not only to query (view) the data, but also to insert or change it for example, replace roles/bigquery.dataViewer with the role having the necessary permissions (or assign that role in addition).
How to grant the permissions:
On dataset level
On table or view level
We had a same problem, how we solved was, created a custom role and assigned the custom role to the particular dataset.
You can grant bigquery.user role to a specific dataset as indicated in this guide. The bigquery.user role contains the bigquery.jobs.create permission as well as other basic permissions related to querying datasets. You can check the full list of permissions for this role in this list.
As suggested above, you can also create custom roles having only the exact permissions you want by following this piece of documentation.
I have an Amazon Redshift cluster with four schemas (Schema1, Schema2, Schema3 and Schema 4).
I created a user User1 in this cluster. I want this user to have only read-only access to all the tables in Schema1. Currently, this user has access(Select, Insert, Update, Delete) to all the tables from all the schemas.
I tried all the commands from the Redshift manual, but looks like nothing is working.
Example:
REVOKE ALL on schema schema1 from User1
REVOKE ALL on schema schema2 from User1
REVOKE ALL on schema schema3 from User1
REVOKE ALL on schema schema4 from User1
I also tried to revoke individual permissions (Insert, Update, Delete).
I also tried to revoke permissions (Insert, Update, Delete) from individual table
Tried all the combinations from the manual. I am using SQL Workbench and all the statements were successfully executed without any syntax error.
Not able to figure it. Any help is appreciated.
P.S. I have 15 years of database experience working on roles and permissions.
In my case the issue I had was that I had 3 users belonging to the same group.
The group had been granted ALL privileges to all the tables of the schema.
Therefore revoking the permissions for a single user did not work since group permissions supersede user permissions.
TL;DR
The solution in my case was to create a group for each user and revoke access to the schema for the other groups.
REVOKE ALL ON SCHEMA my_schema FROM group my_group;
These commands seem to work:
CREATE SCHEMA schema1;
CREATE TABLE schema1.foo (name TEXT);
CREATE USER user1 PASSWORD 'Abcd1234';
GRANT USAGE ON SCHEMA schema1 TO user1;
GRANT SELECT ON ALL TABLES IN SCHEMA schema1 TO user1;
However, it might not automatically grant access on tables created in future.
Since Amazon Redshift is based on PostgreSQL 8.0.2, see: How do you create a read-only user in PostgreSQL?
This might not be what caused the issue of the OP, but it solved the issue for me, and could solve it for people who encounter the same situation and end up on this thread.
In addition to George V's answer, note that there is in Redshift a PUBLIC group, that grants permissions to every user.
PUBLIC represents a group that always includes all users. An individual user's privileges consist of the sum of privileges granted to PUBLIC, privileges granted to any groups that the user belongs to, and any privileges granted to the user individually.
(from the doc on GRANT)
So if you want to make sure that User1 doesn't have access to tables in schema2 for example, you should run:
REVOKE ALL on schema schema2 from User1;
REVOKE ALL on schema schema2 from Group1; --assuming this is the only group of User1
REVOKE ALL on schema schema2 from PUBLIC;
I have a user in Amazon Redshift. I want that user to be able to do read-only queries against the system tables:
http://docs.aws.amazon.com/redshift/latest/dg/cm_chap_system-tables.html
But I don't know how to grant a user who is not a superuser access to these tables as it does not appear to be documented anywhere on amazon.
Obviously you don't want to grant superuser to another user just so they can see system logs. Being able to monitor is a very common use case that shouldn't require giving someone carte blanche access.
Thankfully you have the ability to grant access to system tables using the syslog access option.
alter user user123 syslog access unrestricted
See Redshift documentation on visibility
If you are a Superuser, you can make other user as superuser or create a new superuser and then other user can query system table and views. Use createuser privilege. Below is the sample query
create user user_super createuser password '1234';
alter user user_super createuser;
Be careful while making any superuser, superuser gets all access including grant and revoke and query run from superuser always goes to query-1 and will make other queries wait until finished.