Post on 14-Apr-2018
7/29/2019 B405 Rights
Module 5: Access Rights
After completing this module, you will be able to:
- Use the DBC.AllRights, DBC.UserRights and DBC.UserGrantedRights views to obtain information about current users.
- Use views and macros to access information about privileges.
- Use the GRANT and REVOKE statements to assign and remove access rights.
- Understand the impact of the GIVE statement with access rights.
Privileges/Access Rights
A privilege (or access right) is the right of a specific user to perform a
specified operation.
Note: Some access rights don't directly correspond to an SQL statement.
Privileges: CREATE, DROP, INDEX, REFERENCES, EXECUTE, SELECT, UPDATE, INSERT, DELETE, CHECKPOINT, DUMP, RESTORE, EXECUTE PROCEDURE
On a specified object: DATABASE, USER, TABLE, VIEW, MACRO, TRIGGER, STORED PROCEDURE, COLUMN (of a table or of a view), User-Defined FUNCTION
Access Rights Mechanisms
Implicit right (Ownership)
Automatic (Default) rights: created and removed by CREATE and DROP
Explicit rights: assigned and removed by GRANT and REVOKE
Views: DBC.AccessRights, DBC.Owners, DBC.AllRights, DBC.UserRights, DBC.UserGrantedRights
CREATE TABLE Automatic Rights
EXPLAIN CREATE TABLE TFACT.Customer
  (Customer_Number INTEGER, Last_Name CHAR(30),
   First_Name CHAR(20), Social_Security INTEGER)
UNIQUE PRIMARY INDEX ( Customer_Number )
UNIQUE INDEX ( Social_Security ) ;

1) First, we lock TFACT.Customer for exclusive use.
2) Next, we lock a distinct DBC."pseudo table" for write on a RowHash for deadlock prevention, we lock a distinct DBC."pseudo table" for write on a RowHash for deadlock prevention, we lock a distinct DBC."pseudo table" for write on a RowHash for deadlock prevention, and we lock a distinct DBC."pseudo table" for read on a RowHash for deadlock prevention.
3) We lock DBC.AccessRights for write on a RowHash, we lock DBC.TVFields for write on a RowHash, we lock DBC.TVM for write on a RowHash, we lock DBC.DBase for read on a RowHash, and we lock DBC.Indexes for write on a RowHash.
4) We execute the following steps in parallel.
   1) We do a single-AMP ABORT test from DBC.DBase by way of the unique primary index.
   2) We do a single-AMP ABORT test from DBC.TVM by way of the unique primary index with no residual conditions.
   3) We do an INSERT into DBC.TVFields (no lock required).
   4) We do an INSERT into DBC.TVFields (no lock required).
   5) We do an INSERT into DBC.TVFields (no lock required).
   6) We do an INSERT into DBC.TVFields (no lock required).
   7) We do an INSERT into DBC.Indexes (no lock required).
   8) We do an INSERT into DBC.Indexes (no lock required).
   9) We do an INSERT into DBC.TVM (no lock required).
   10) We INSERT default rights to DBC.AccessRights for TFACT.Customer.
5) We create the table header.
6) We create the index subtable on TFACT.Customer.
7) We modify the table header TFACT.Customer.
8) Finally, we send out an END TRANSACTION step to all AMPs involved in processing the request.
-> No rows are returned to the user as the result of statement 1.
CREATE USER Automatic Rights
By issuing a CREATE USER statement, the CREATOR causes Automatic rights to be
generated for both the created user and the creator.
SYSDBA creates a new user named Accounting.
Both SYSDBA and Accounting are given the following rights over Accounting:
  CREATE Table, DROP Table, CREATE View, DROP View, CREATE Macro, DROP Macro, CREATE Trigger, DROP Trigger, SELECT, INSERT, UPDATE, DELETE, EXECUTE, DROP Procedure, DROP Function, DUMP, CHECKPOINT, RESTORE
SYSDBA is given the following additional rights over Accounting:
  CREATE Database, DROP Database, CREATE User, DROP User
Implicit, Automatic, and Explicit Rights
Hierarchy: DBC owns SYSDBA; SYSDBA owns Human_Resources and Accounting; Personnel is created under Human_Resources.

GRANT DATABASE ON Human_Resources TO Accounting ;

CREATE USER Personnel
  FROM Human_Resources
  AS PASSWORD = securepwd,
     PERM = 10e6 ;

Accounting is the CREATOR of Personnel; Human_Resources, SYSDBA and DBC are its Owners.

How many automatic access rights are created for Personnel?
How many automatic access rights are created for Human_Resources?
How many automatic access rights are created for Accounting?
GRANT Command(SQL Form)
GRANT { ALL [PRIVILEGES] | ALL BUT privilege [, privilege ...] | privilege [, privilege ...] }
    ON { dbname | dbname.objname | objname | PROCEDURE identifier }
    TO { [ALL] username | PUBLIC | role_name } [, ...]      (up to 25 names)
    [WITH GRANT OPTION] ;
To GRANT a privilege, the grantor must either:
- hold the privilege and hold GRANT authority on it, or
- be the owner of the object.
The GRANT OPTION confers Grant Authority on the recipient. The recipient (or grantee), holding this authority, may then grant the access right to other users or databases.
Granting Rights at Database Level
Hierarchy: SYSDBA owns Human_Resources and Payroll.
- Human_Resources contains HR_VM (View_1, View_2, ..., Macro_1, Macro_2), HR_Tab (Table_1, Table_2, Table_3, Table_4) and HR_Users (HR_01, HR_02, HR_03, HR_04).
- Payroll contains Payroll_VM (View_5, View_6, ..., Macro_3, Macro_4), Payroll_Tab (Table_5, Table_6, Table_7, Table_8) and PY_Users (PY_01, PY_02, PY_03, PY_04).
GRANT SELECT ON HR_Tab TO HR_VM WITH GRANT OPTION;
GRANT SELECT, EXECUTE ON HR_VM TO ALL HR_Users;
GRANT SELECT ON Payroll_Tab TO Payroll_VM WITH GRANT OPTION;
GRANT SELECT, EXECUTE ON Payroll_VM TO ALL PY_Users;
The ALL option grants the SELECT and EXECUTE privileges on the database HR_VM to HR_Users and to all of its current and future descendants.
GRANT Rights at the Table or Column Level
To UPDATE a table or columns of a table:
GRANT UPDATE ON Employee TO tfact01;
GRANT UPDATE (salary_amount) ON Employee TO tfact01;
GRANT UPDATE (ALL BUT salary_amount) ON Employee TO tfact01;
To CREATE or ALTER a table with foreign key references:
GRANT REFERENCES ON Employee TO tfact01;
GRANT REFERENCES (employee_number) ON Employee TO tfact01;
GRANT REFERENCES (ALL BUT employee_number) ON Employee TO tfact01;
The INDEX privilege is granted at the table level to allow a user to CREATE or
DROP indexes on a table:
GRANT INDEX ON Employee TO tfact01;
REVOKE Command(SQL Form)
REVOKE [GRANT OPTION FOR] { ALL [PRIVILEGES] | ALL BUT privilege [, privilege ...] | privilege [, privilege ...] } [WITH GRANT OPTION]
    ON { dbname | dbname.objname | objname | PROCEDURE identifier }
    { TO | FROM } { [ALL] username | PUBLIC | role_name } [, ...]      (up to 25 names) ;

To REVOKE a privilege, you must either:
- be the owner of the object, or
- hold the privilege that you are revoking and have GRANT authority.
Revoking Non-Existent Rights
GRANT SELECT ON Payroll_VM TO ALL PY_Users;
Grant Accepted.

REVOKE SELECT ON Payroll_VM.View_6 FROM ALL PY_Users;
Revoke Accepted.

REVOKE is passive. It does not add rows to DBC.AccessRights, but removes rows if they exist. Revoking a right that was never granted (here, a right on View_6 that only exists at the database level) is accepted and changes nothing.
(Hierarchy as on the Granting Rights at Database Level slide: SYSDBA owns Human_Resources (HR_VM, HR_Tab, HR_Users) and Payroll (Payroll_VM, Payroll_Tab, PY_Users).)
Removing a Level in the Hierarchy
LOGON with the required privileges, and:
1) GIVE C TO A ;
2) DELETE USER B ;
3) DROP USER B ;
(Diagram: the hierarchy of users A, B, C and D before, after GIVE C TO A, and after DROP USER B.)
Although B no longer exists as a user, the privileges granted or caused to be
granted are not automatically revoked.
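As an added example (not part of the course slides), the query below finds rows in DBC.AllRights whose GrantorName no longer exists, which is what remains after a user such as B is dropped. It assumes the standard dictionary view DBC.Databases; the REVOKE that follows uses the hypothetical objects A, C and D from the figure.

```sql
-- Added example, not from the course slides.
-- DROP USER removes the rights the dropped user held, but not the rights
-- that user granted to others: those rows stay in DBC.AccessRights with a
-- GrantorName that no longer exists. List them for review.
-- Assumption: DBC.Databases is the standard dictionary view that lists
-- every database and user by DatabaseName.
SELECT  ar.UserName        (FORMAT 'X(16)')
       ,ar.DatabaseName    (FORMAT 'X(16)')
       ,ar.TableName       (FORMAT 'X(16)')
       ,ar.ColumnName      (FORMAT 'X(16)')
       ,ar.AccessRight
       ,ar.GrantAuthority
       ,ar.GrantorName     (FORMAT 'X(16)')
       ,ar.CreateTimeStamp
FROM    DBC.AllRights ar
LEFT OUTER JOIN DBC.Databases db
        ON db.DatabaseName = ar.GrantorName
WHERE   db.DatabaseName IS NULL          -- grantor has been dropped
ORDER BY ar.GrantorName, ar.UserName, ar.DatabaseName, ar.TableName;

-- Cleaning up one such row: the owner of the object can always revoke,
-- even though the original grantor (B) is gone. Hypothetical names from
-- the figure: A now owns C, and D holds a right on C that B granted.
-- Run as A (the owner) or as a user holding the right with GRANT authority.
REVOKE ALL ON C FROM D;
```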
Inheriting Access Rights
GRANT SELECT ON Payroll_Tab TO Payroll_VM WITH GRANT OPTION;
GRANT SELECT, EXECUTE ON Payroll_VM TO ALL PY_Users;
CREATE USER Ann FROM PY_Users AS PERM = 0, PASSWORD = temp ;
Ann inherits the SELECT and EXECUTE access rights for the database Payroll_VM.
(Hierarchy: SYSDBA owns Human_Resources and Payroll. Human_Resources contains HR_VM (View_1, View_2, ..., Macro_1, Macro_2), HR_Tab (Table_1 to Table_4) and HR_Users (Jan, Bob, Ted). Payroll contains Payroll_VM (View_5, View_6, ..., Macro_3, Macro_4), Payroll_Tab (Table_5 to Table_8) and PY_Users (Kay, Joe, Ron, and the new user Ann).)
The GIVE Statement and Access Rights
NOT Recommended (GIVE):
  .LOGON sysdba, password;
  GIVE Ann TO HR_users ;
The GIVE command transfers ownership, but does not change any access rights.
(Diagram: Ann now sits under HR_Users instead of PY_Users, while her access rights on Payroll_VM are unchanged; the rest of the hierarchy is as on the previous slide.)

Recommended (DROP and re-CREATE):
  .LOGON sysdba, password;
  DROP USER Ann ;
  CREATE USER Ann FROM HR_Users ;
The DROP will cause Ann's access rights to be removed for Payroll_VM. The CREATE will allow Ann to inherit access rights for HR_VM.
Access Rights and Views
View names are fully expanded (resolved) at creation time.
The system checks access rights at creation time, and validates them again at execution time.

Objects: User1 owns Table1; User2 owns View1, which selects from User1.Table1; User3 is granted access to View1.

Case 1: SELECT granted without the GRANT OPTION
  User1:  GRANT SELECT ON Table1 TO User2 ;
  User2:  CREATE VIEW View1 AS SELECT * FROM User1.Table1 ;     Success
          SELECT * FROM View1 ;                                  Success
          GRANT SELECT ON View1 TO User3 ;                       Fails - Error 3523
  User3:  SELECT * FROM User1.Table1 ;                           Fails - Error 3523
          SELECT * FROM User2.View1 ;                            Fails - Error 3523
          (User3 does not have the SELECT access right on Table1 or View1.)

Case 2: SELECT granted WITH GRANT OPTION
  User1:  GRANT SELECT ON Table1 TO User2 WITH GRANT OPTION ;
  User2:  CREATE VIEW View1 AS SELECT * FROM User1.Table1 ;     Success
          SELECT * FROM View1 ;                                  Success
          GRANT SELECT ON View1 TO User3 ;                       Success
  User3:  SELECT * FROM User2.View1 ;                            Success
          SELECT * FROM User1.Table1 ;                           Fails - Error 3523

3523 An owner referenced by the user does not have [Access right] access to [Database.Object].
Access Rights and Nested Views
Views that reference other views are sometimes called nested views. Views may be nested up to 10
levels with Release V2R3 and 64 levels with Release V2R4 and V2R5.
The system checks access rights at creation time, and validates them again at execution time.
Objects: User1 owns Table1; User2 owns View1 (on User1.Table1); User3 owns View2 (on User2.View1).

  User1:  GRANT SELECT ON Table1 TO User2 WITH GRANT OPTION ;
          (User2 can select from Table1 and can create and use views that access Table1.)
  User2:  GRANT SELECT ON View1 TO User3 ;                       Success
  User3:  SELECT * FROM View1 ;                                  Success
          (User3 is given SELECT access on View1 and can create View2. User3 can access Table1 via View1 or View2.)

If you REVOKE access rights from any user in the chain, the system issues the following message:
  User1:  REVOKE GRANT OPTION FOR SELECT ON Table1 FROM User2 ;
  User3:  SELECT * FROM View2 ;                                  Fails - Error 3523
          SELECT * FROM User2.View1 ;                            Fails - Error 3523

3523 An owner referenced by the user does not have [Access right] access to [Database.Object].
System Views for Access Rights
View                    Description
DBC.AllRights           Provides information about all rights that have been automatically or explicitly granted.
DBC.UserRights          Provides information about all rights the current user has acquired, either automatically or explicitly.
DBC.UserGrantedRights   Provides information about rights which the current user has explicitly granted to other users.
AllRights and UserRights Views
Provides information about the objects on which all users (DBC.AllRights), or the current user (DBC.UserRights), have automatically or explicitly been granted privileges.

DBC.AllRights columns: UserName, DatabaseName, TableName, ColumnName, AccessRight, GrantAuthority, GrantorName, AllnessFlag, CreatorName, CreateTimeStamp
DBC.UserRights columns: DatabaseName, TableName, ColumnName, AccessRight, GrantAuthority, GrantorName, CreatorName, CreateTimeStamp

Example: all rights held by the user at the database level (for user tfact07).

SELECT DatabaseName (FORMAT 'X(16)')
      ,AccessRight
      ,GrantorName (FORMAT 'X(16)')
FROM DBC.UserRights
WHERE Tablename = 'ALL'
ORDER BY 1, 2;

Example Results:
DatabaseName      AccessRight  GrantorName
AU                R            DBC
PD                D            SYSDBA
PD                I            SYSDBA
PD                R            SYSDBA
PD                U            SYSDBA
tfact07           CG           SYSDBA
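An added review query, not from the course slides, that pulls the three kinds of wide-reaching rows from DBC.AllRights discussed in this module: rights held WITH GRANT OPTION (GrantAuthority), rights granted with the ALL option (AllnessFlag), and rights granted to PUBLIC. It uses the column names listed above and assumes that rights granted to PUBLIC are stored with UserName 'PUBLIC'.

```sql
-- Added example, not from the course slides.
-- Three kinds of rows in DBC.AllRights deserve periodic review:
--   GrantAuthority = 'Y'  the holder may pass the right on (WITH GRANT OPTION)
--   AllnessFlag    = 'Y'  granted with ALL, so it also covers every current
--                         and future descendant of the grantee
--   UserName = 'PUBLIC'   every user in the system holds the right
--                         (assumption: PUBLIC grants are stored under that name)
SELECT  ar.UserName        (FORMAT 'X(16)')
       ,ar.DatabaseName    (FORMAT 'X(16)')
       ,ar.TableName       (FORMAT 'X(16)')
       ,ar.ColumnName      (FORMAT 'X(16)')
       ,ar.AccessRight
       ,ar.GrantorName     (FORMAT 'X(16)')
       ,CASE WHEN ar.UserName = 'PUBLIC'   THEN 'Granted to PUBLIC'
             WHEN ar.GrantAuthority = 'Y'  THEN 'Holder can re-grant'
             WHEN ar.AllnessFlag = 'Y'     THEN 'Covers all descendants'
        END AS Review_Reason
FROM    DBC.AllRights ar
WHERE   ar.UserName = 'PUBLIC'
   OR   ar.GrantAuthority = 'Y'
   OR   ar.AllnessFlag = 'Y'
ORDER BY Review_Reason, ar.DatabaseName, ar.TableName, ar.UserName;
```

The same query against DBC.UserRights (dropping UserName and AllnessFlag, which that view lacks) shows only the current user's own re-grantable rights.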
DBC.UserGrantedRights View
Provides information about objects on which the current user has explicitly granted privileges to other users.

DBC.UserGrantedRights columns: DatabaseName, TableName, ColumnName, Grantee, AccessRight, GrantAuthority, AllnessFlag, CreatorName, CreateTimeStamp

Example: list the rights explicitly granted by the current user.

SELECT DatabaseName (FORMAT 'X(12)')
      ,TableName (FORMAT 'X(15)')
      ,Grantee (FORMAT 'X(10)')
      ,AccessRight
      ,AllnessFlag
FROM DBC.UserGrantedRights
ORDER BY 1, 2, 3, 4;

Example Results:
DatabaseName  TableName        Grantee     AccessRight  AllnessFlag
AU            All              tfact07     R            N
DS            Daily_Sales      tfact03     R            N
DS            Daily_Sales      tfact03     RF           N
DS            Order_Item_JI    tfact03     IX           N
PD            All              Students    R            Y
Teradata Administrator
GRANT/REVOKE Rights
Teradata Administrator can be used to easily grant or revoke access rights (Tools > Grant/Revoke Object Rights):
- Select the object name and object type.
- Select who is going to get the right.
- Select the rights.
Teradata Administrator
Rights on DB/User
Teradata Administrator can also be used to easily view existing access rights. Right-click on the database AU and select the option; in this example, Rights on DB/User was selected.
Access Rights Summary
Access Rights (Privileges) are maintained in the data dictionary.
Rows are inserted into or removed from DBC.AccessRights by:
- CREATE or DROP statements
- GRANT or REVOKE statements
Creators are given automatic rights on created objects.
Users and databases are given all rights on themselves except:
- CREATE Database/User
- DROP Database/User
Owners have the right to grant privileges on their owned objects.
The GIVE command affects ownership, but not information in the DBC.AccessRights table.
Review Questions
1. True or False  There are only two types of access rights or privileges: explicit and implicit.
2. True or False  The primary statements you use to manage access rights are GRANT, REVOKE, and GIVE.
3. The _______ option on the GRANT command grants privileges to a database or user and all of its current and future descendants.
4. The ________________ and ______________ access rights can be granted at the column level.
5. The ____________ user is used to grant an access right to every user in the system.
6. Given the following: Ann owns Table_A, Bob creates View_TabA and grants SELECT on View_TabA to Paul.
   What access right does Ann give Bob on Table_A so Paul can use View_TabA to access Table_A?
   _________________________
   (Diagram: Ann's Table_A, Bob's View_TabA, and Paul, who holds SELECT on View_TabA; the right Ann grants Bob is the unknown.)
Module 5: Review Question Answers
1. True or False  There are only two types of access rights or privileges: explicit and implicit.
2. True or False  The primary statements you use to manage access rights are GRANT, REVOKE, and GIVE.
3. The ALL option on the GRANT command grants privileges to a database or user and all of its current and future descendants.
4. The UPDATE and REFERENCES access rights can be granted at the column level.
5. The PUBLIC user is used to grant an access right to every user in the system.
6. Given the following: Ann owns Table_A, Bob creates View_TabA and grants SELECT on View_TabA to Paul.
   What access right does Ann give Bob on Table_A so Paul can use View_TabA to access Table_A?
   SELECT WITH GRANT OPTION
   (Diagram: Ann's Table_A, Bob's View_TabA, and Paul, who holds SELECT on View_TabA.)