Is there any permission or grant command on a table which make users not able to delete records (row) that inserted by another user. But allow them to delete or update their own record?
Thanks,
Stephen
No, this should be addressed by the application that runs on top of MySQL.
Not entirely sure the following's workable for your case, but I thought I might as well suggest it -- perhaps it can help. You could create for each user an updatable view (with sql security definer) that selects only those user's records, and grant the user the ability to delete on the view but not the table it selects from -- with sql security definer, the user should then be able to delete from the view causing deletion from the table. You'll also have to update the view each time the user creates a new record (otherwise the view is "frozen" at the time it was created). See the docs for create view and updatable views.
u should implement acl with a programming language. some libraries like zend do the job for u (using php language).
Related
I want to execute something like this:
UPDATE grades SET status="pass" WHERE recno=123;
However, I want the user account doing the update to have write-only access to the database which means it does not have SELECT access. This causes the WHERE clause to fail.
If necessary, I can actually re-write the entire record, but recno is the primary key, which would cause the write to fail. Is there a way to do
INSERT INTO grades (recno,name,status,...) VALUES (123, 'chemistry', 'pass',...)
ON DUPLICATE KEY UPDATE <everything>;
or is this the wrong approach? Besides, it's not the general solution to the "update a specific field in a specific record" problem.
That is a peculiar way to protect a table. It might make sense in some cases, though usually you want to provide some window of visibility so users are not blind to their effects on data.
To completely implement a write-only database, use stored procedures. The procedures can have full access to the database, and users can be granted access only to stored procedures.
Oooh! I've got it. I'll give my user SELECT privilege for just the recno column.
Leaving the question open though, just in case someone comes up with a better answer.
Create a VIEW and grant the user full access to it. This view should only contain the rows which that you want the user to be able to edit.
A different, and possibly more suitable approach, would be to completely abstract this mechanism away from the DBMS and instead create an API that you allow your users to query.
This is easily achieved by granting the correct level of access:
REVOKE ALL ON TABLE GRADES FROM USER1; -- to clear out all privileges
GRANT INSERT, UPDATE, DELETE ON TABLE GRADES TO USER1;
This will allow USER1 to insert, update and delete, but not select, from the grades table.
Change USER1 to PUBLIC or some group or whatever as you need.
Change the permissions list as you need.
Your situation is a version of a classic example in an IBM database course I used to teach:
Financial staff are allowed to give a % pay rise, but not to see what the pay level is, for employees, so
GRANT UPDATE ON TABLE EMPLOYEE TO ACCT_STAFF; -- an no other privileges
Which allows them to give a 15% pay rise by executing:
UPDATE EMPLOYEE SET PAY = PAY * 1.15 WHERE EMPLOYEE_ID = 666;
In mysql i want trigger for drop table and alter table, like in sql server we have.
FOR DROP_TABLE, ALTER_TABLE triggers
Is there any thing which i can do for it? basically i want the functionality that user should not able to delete/alter the table, we can even achieve it by providing restrictive permissions, But we have application in which the customer purchased the sql server so they have root user login and then can do it, so if we add trigger then only i think we can restrict it,
Same thing i need to drop database, In SQL server we have
FOR DROP_DATABASE , DROP_TRIGGER ,ALTER_TRIGGER
Is there any way to do it in mysql
Thanks in advance
You could use the REVOKE command to remove the ALTER and DROP permissions for the user.
https://dba.stackexchange.com/questions/27372/blocking-drop-database-command
Is there any table type that can only be accessed by a particular user?
This table can only be viewed and accessed only by the user who created it
Yes you can.
But you can create a table that has user created column so you can use it on your where condition.
I think the answer is Yes
You can set privileges for that particular table like who can access that table. Like,
SELECT, INSERT, UPDATE, DELETE, .
I have tried in via phpmyadmin.
I was wrong. Yes you can set user specific access for particular table. Its syntax is as follow
GRANT SELECT ON db2.invoice TO 'jeffrey'#'localhost';
Temporary tables are available under particular session and not accessible by any other session. It will be dropped on session close.
For more information read http://dev.mysql.com/doc/refman/5.5/en/grant.html
My use case is that I have a MYSQL table which has a change tracking table behind it. Both tables are InnoDB.
I'd like to use triggers to enforce two things.
One: forcing a copy to be made of previous state on every update (update trigger performs insert select query) This is non-trivial and I have already done it.
Two: limit access to the second table to read only for users, while triggers can still insert/update/delete as necessary
Further research on user access and triggers has dug up this:
Mysql 5.5 reference manual: 19.6 Access Control for Stored Programs and Views
Turns out that stored programs can be assigned a user to run as. Triggers are stored programs. By restricting Insert, Update, and Delete to a special user which only will be used by a trigger and using the DEFINER attribute of the trigger (or any stored program) I can make the trigger which I want to have access run under that user.
Is there a way to configure a mysql table so that writing and reading is possible but not deleting?
For example, a table that contains many logs that are legally important and that must never be deleted.
You would just grant the INSERT and SELECT privileges on the table in question (this prevents the possibility of a row being changed)
GRANT INSERT,SELECT ON mydb.mytable
TO secureduser#localhost
IDENTIFIED BY 'password';
From this you would go on to add wider permissions to the other tables in the database for this user.
Also, check out the Archive Storage Engine, which is custom designed for this kind of audit-trail application.
Revoke the delete privilege from all users for that table.
Another option is to use the Archive storage engine. It only allows insertion, no updates or deletes (from anyone - even a privileged account)
You could do as he says below or...
What you could do, is give users 'roles' in number form, then pass this number to a script which would remove the row... but if the passed number is below a certain 'minimum role expectation' then they are denied access to the script?