I have a database that is used to store data for various applications. I want to grant users permissions to select data from these tables, however there is one table that has sensitive information that only one specific 'special' user should have access to.
How do I grant permissions to all tables EXCEPT that one table? If I grant all, then revoke on that table, it won't work as it says that there is no permission on that table.
I thought about writing a query that could do this, but what happens when tables are added to the database? I would have to go and add that permission to each of the users, which could get quite time consuming. Is there any way to do this easily in MySQL? Perhaps a trigger that on table creation grants permissions? Is that possible?
Put that table in a separate database. Then you can grant access to regulardb.* to all the normal users, and grant access to sensitivedb.specialtable only to the special username.
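The separate-database layout from the answer above, written out as an added example that is not part of the original answer. The account names, passwords and table columns are constructed placeholders; regulardb, sensitivedb and specialtable are the names used in the answer.

```sql
-- Constructed setup so the script runs on an empty server.
CREATE DATABASE IF NOT EXISTS regulardb;
CREATE DATABASE IF NOT EXISTS sensitivedb;
CREATE TABLE IF NOT EXISTS regulardb.specialtable (
    id     INT PRIMARY KEY,
    secret VARCHAR(64)
);

-- Move the sensitive table out of the shared database.
RENAME TABLE regulardb.specialtable TO sensitivedb.specialtable;

-- Hypothetical accounts; replace the placeholder passwords.
CREATE USER 'app_reader'@'%'   IDENTIFIED BY 'placeholder-password-1';
CREATE USER 'special_user'@'%' IDENTIFIED BY 'placeholder-password-2';

-- A database-level grant also covers tables created in regulardb later,
-- so no per-table maintenance (or trigger) is needed.
GRANT SELECT ON regulardb.* TO 'app_reader'@'%';
GRANT SELECT ON regulardb.* TO 'special_user'@'%';

-- Only the special account receives a grant on the sensitive table.
GRANT SELECT ON sensitivedb.specialtable TO 'special_user'@'%';

-- The grant-then-revoke approach from the question fails because a
-- table-level REVOKE only removes a matching table-level GRANT. With only
-- the database-level grant in place, this statement is rejected with
-- "There is no such grant defined for user ... on table ...":
-- REVOKE SELECT ON regulardb.specialtable FROM 'app_reader'@'%';

-- Verify what each account ended up with.
SHOW GRANTS FOR 'app_reader'@'%';
SHOW GRANTS FOR 'special_user'@'%';

-- app_reader has no privilege inside sensitivedb and no global
-- SHOW DATABASES privilege, so SHOW DATABASES run as app_reader
-- does not list sensitivedb.
```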
I am beginner in mysql management, so I need help in writing query for listing specific database tables that a user has access.
This is a strange wish...
Normally users should not be interested in tables. Tables are a technical aspect of the data model, something that should not be visible to the user. The user is interested in storing and retrieving data. But he usually is and should not be aware of how that data is stored.
Anyways: there is no such function AFAIK. You will have to create some hack yourself. You can query the list of tables inside a database. Then you'd have to iterate over that list and test for access rights one by one.
Have a look at mysql information_schema tables.
19.14 The INFORMATION_SCHEMA TABLE_PRIVILEGES Table
The TABLE_PRIVILEGES table provides information about table
privileges. This information comes from the mysql.tables_priv grant
table.
http://dev.mysql.com/doc/refman/5.0/en/table-privileges-table.html
and
6.2.2 Privilege System Grant Tables
Normally, you manipulate the contents of the grant tables in the mysql
database indirectly by using statements such as GRANT and REVOKE to
set up accounts and control the privileges available to each one. See
Section 13.7.1, “Account Management Statements”. The discussion here
describes the underlying structure of the grant tables and how the
server uses their contents when interacting with clients.
http://dev.mysql.com/doc/refman/5.1/en/grant-table-structure.html
I have several DB's in my server, and I need to allow one user to select records from a view in one of the DB's. But I need for this user to not even see that there are other DB's nor see that there are other tables in the DB where the view belongs. Is this possible?
I had an account with a hosting company, a shared hosting account, and I could only see my DB when I accessed it through phpmyadmin. This is similar to what I need. Thank you for your help.
I've found the overview contained in this article even more helpful than the actual MySQL documentation for describing the big picture of how MySQL privileges are granted or denied.
The gist of the overview article is that privileges are controlled by a series of increasingly finer-grained permissions tables in the mysql database: mysql.user, mysql.db, mysql.host, mysql.tables_priv, mysql.columns_priv, mysql.procs_priv. The general rule is that a "Y" value for a privilege in a more fine-grained table overrules a "N" value in a more coarse-grained table. So the recommended strategy is to start by denying most privileges in the user table (which gives the coarsest control), and then make only the specific overrides that you want in the more fine-grained tables.
In particular, there is a privilege called SHOW_DATABASES which is determined by the Show_db_priv column in the mysql.user table; you'll want to set this to "N" for the user in question (and as described above, you may want to set most other permissions in the user table to "N" as well) and then grant only the privileges that the user actually needs in the mysql.db or mysql.tables_priv table or whatever would be appropriate for your particular case.
You have to add a user to a database using grant privileges.
Create new databases and simply don't add the user to it then the user won't be able to see it.
The only way the user will be able to find the database is if they try to access it and guess the database name. So basically a user/hacker would have to attempt to connect to a bunch of random database names in order to find one that says "access denied"
I'm working on some data project with a few other collaborators. Most are fairly new to SQL so have inquired if I can make the 'raw' data tables read-only so they aren't accidentally altered, how would I go about doing that? Currently all users have GRANT SELECT ON mydb.* TO 'user'@'%' permissions, but I need to be a little more open.
There's a question about making a single table read-only, but it seems like it would deny users the ability to make other tables; or if they did, they couldn't do anything with them. There doesn't seem to be (or I can't find) a 'deny' setting like in NTFS that overrides allow/GRANT; from what I read REVOKE is only the opposite of a prior GRANT, you can't "nest" them.
I was considering making a separate 'raw' database that would be SELECT-only so users could copy it into the 'workspace' database, but that seems a bit hacky and will eat up some semi-significant amount of space on my budget cloud server. What's the proper solution?
GRANT SELECT ON example.* TO 'someuser'@'somehost';
Give read only privilege.
GRANT CREATE ON example.* TO 'someuser'@'somehost';
Give create table privilege.
You can make a single MyISAM table read only by compressing the table. Use myisampack on the command line to pack the table.
More info can be found in the MySQL Manual: http://dev.mysql.com/doc/refman/5.0/en/myisampack.html
I have a database with many many tables.
I want to block any users, except one, from accessing this table. All the users will also need to be able to access any future tables created in such database, and naturally it is not possible for me to add/remove access to those tables as some are temporary tables created just for scripting purposes.
Something like:
GRANT ALL PRIV ON *.* TO user123 ...
REVOKE ALL PRIV ON mydb.table FROM user123
If some tables are temporary, why not just create them as TEMPORARY tables? Then they will only be accessible by the session which created them.
You can easily grant permissions on tables and then revoke for an individual table, but there's no way to easily maintain that going forward.
Another option is to simply put the table which needs different permissions in a separate database. Of course it means managing permissions for two databases, so it could be messy, but it's somewhat closer to the goal.
There's a good reference guide to table privileges here. Think it has what you need. Other privileges are mentioned earlier in the same guide if you need those too.
Short version: How can I write an SQL procedure to list which of several tables in a MySQL database a particular user has access to?
Longer version:
I'm writing a multi-user app that accesses a database with data for several branches of a company. The database has a number of lookup tables that any user can access, and a table for each branch that only authorized users can access. My strategy is:
Write a stored procedure that returns a list of the relevant tables for which the user has SELECT privilege.
From the app, call the procedure. If there's only one table returned, use it, otherwise let the user select which branch they want to access (e.g. for managers).
I'm having trouble figuring out how to write such a stored procedure. SHOW GRANTS FOR CURRENT_USER is an obvious possibility, but parsing something like:
GRANT SELECT ON Company.BranchABC TO 'auser'@'%clientdomain.com'
in SQL to figure out what the tables are seems way too messy. Doing a SELECT from the actual tables that hold the permissions also seems problematic, because I'd have to duplicate MySQL's logic for combining the permissions from the various tables (user, db, host, etc.)
Any words of wisdom?
You can see what privileges on which tables a user has:
show grants for 'user'@'host';
For example, to see the privileges of user1 (all machines in the network 10.25), run:
show grants for 'user'@'10.25.%.%';
I have never granted per table permissions to MySQL users before, but to do this, you would check the TABLE_PRIVILEGES table in the information_schema database.
That should point you in the right direction.
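One way to answer the "which tables can I SELECT from" question with the information_schema tables mentioned in the answers above, without parsing SHOW GRANTS output. This is an added example, not code from any of the posts; 'Company' is the database name from the question, and the query assumes the account name contains no '@' or quote characters.

```sql
-- GRANTEE is stored quoted, as 'user'@'host', so CURRENT_USER()
-- (which returns user@host) is re-quoted before comparing.
-- Not covered: column-level grants and privileges held through roles.

-- 1) Global grant: SELECT on every table of every database.
SELECT 'global' AS scope, '*' AS table_schema, '*' AS table_name
  FROM information_schema.user_privileges
 WHERE privilege_type = 'SELECT'
   AND grantee = CONCAT('''', SUBSTRING_INDEX(CURRENT_USER(), '@', 1),
                        '''@''', SUBSTRING_INDEX(CURRENT_USER(), '@', -1), '''')
UNION ALL
-- 2) Database-level grant: SELECT on every table in Company.
--    Database grants may contain wildcards, hence LIKE.
SELECT 'database', table_schema, '*'
  FROM information_schema.schema_privileges
 WHERE privilege_type = 'SELECT'
   AND 'Company' LIKE table_schema
   AND grantee = CONCAT('''', SUBSTRING_INDEX(CURRENT_USER(), '@', 1),
                        '''@''', SUBSTRING_INDEX(CURRENT_USER(), '@', -1), '''')
UNION ALL
-- 3) Table-level grants: one row per branch table the account can read.
SELECT 'table', table_schema, table_name
  FROM information_schema.table_privileges
 WHERE privilege_type = 'SELECT'
   AND table_schema = 'Company'
   AND grantee = CONCAT('''', SUBSTRING_INDEX(CURRENT_USER(), '@', 1),
                        '''@''', SUBSTRING_INDEX(CURRENT_USER(), '@', -1), '''');
```

If this query is wrapped in a stored procedure, declare the procedure with SQL SECURITY INVOKER; under the default SQL SECURITY DEFINER, CURRENT_USER() inside the routine returns the definer's account rather than the caller's.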
The MySQL users list and its privileges can be checked with the query:
select * from mysql.user\G
http://www.thedevheaven.com/2012/04/retrieve-mysql-users-list-and-its.html