Currently user using connections to both TEST and PROD instances using MS Access, and everything goes well. By using ABC user. Now user having problems with APPS user in TEST .
Also, user having the same problem with user XYZ in PROD instance. This user has the ‘SELECT ANY TABLE’ privilege, so it should be able to see the tables, but doesn’t work from MS Access.
Please suggest us.
If you're able to connect via a SQL connection (I'm assuming ODBC) then you'll be using a predefined set of credentials (i.e. you'll be passing a username and password to Access; probably through the connection string).
Chances are that if your user is unable to get into the database directly, their network (AD?) account is not configured with the same elevated privileges that the ODBC connection has.
Related
I have a request from a customer and I am quite sure the answer is no, but wondering if someone has a different answer.
Background
As you know MySQL installation create a database called "mysql" where it stores the databases we create and also the users.
In the user table, there is a field called "authentication_string" where the user password is saved.
Project
On this project each time a customer creates an account a new database user and database is created.
When a customer logs in through a web interface, the system calls an API to authenticate him/her. After that the root db user is used to connect to customer database, not their own database credentials, why? because they do not want to save user and password on database (this is a temp solution)
They want to change the application so after authentication/authorization process and they would somehow only needed root credentials to somehow get user and password from "mysql db" and then use them to create the connection using customer db credentials.
Is this possible? Or is there some mysql parent - children configuration where this scenario is possible?
Project uses MySQL 5.7
From what I can understand I think you could just use MySQL’s SET PASSWORD to set some random strong password for the user and then login using that. This way you would not store anything and it would still be pretty secure assuming your root db access is fairly isolated from the thing that’s trying to login as the user.
For example:
SET PASSWORD FOR some_user = <long-strong-randomly-generated-password-string>
Afterwards you return this <long-strong-randomly-generated-password-string> from your access-providing process and then the user process can login using that. In this case it would stay valid until the next SET PASSWORD, so keep that in mind, but depending on your use-case that might be ok.
I'm trying to allow an application to connect via a connection string, and am having no luck; the application asks for a password. The only password I can find in the console is for the root user (which I guess is also the master password). I've changed the password and am trying to log in with MySQL Workbench, but the connection is denies.
What gives? Is there a way I can create a new user and password? If not, how long does it take for a new master password to set?
You will use the credentials you supplied when the instance was first created (see screenshot)
That's the "root" permissions you have after instance creation.
If you recently changed the password, it doesn't take long to update.
As long as the instance is an an available state on the RDS console you should be good with that new password.
No matter what you're going to need to know the username of the master user which was configured at instance creation.
Once that's done you should use individual MySQL users to make application connections, but that's a story for a different thread :)
If you still cannot connect, ensure your Security Groups assigned to the instance allow connection from wherever you're connecting from and ensure your firewall isn't blocking outbound to MySQL port (3306)
Some helpful links regarding MySQL in RDS:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateInstance.html
Some helpful links regarding MySQL general user management (after you get logged in as the master account):
https://dev.mysql.com/doc/refman/5.7/en/create-user.html
http://www.mysqltutorial.org/mysql-create-user.aspx
I am developing a multi-user-application windows desktop application.
For User Management i use the DMBS (Oracle, MySQL, MSSQL, Postgre).
So each user has an database user account.
I do not want the user to connect to the database directly and read / write data.
The data should only be accessible connection should only be valid if they use my application.
I found this website by SQLDUDE where he describes some techniques.
One way to access the data only through a specific application is a logon trigger that checks for application_name.
However he also describes that this method can easily be spoofed as the user can specify the application_name once he knows it in the connection string.
(detailed explanation here - see Solution for Scenario #2)
He also mentions Application Roles.
A more secure approach you could use for this is called "Application
Roles". When connecting from an application you assume a particular
role and only that role is granted privileges required in the
database.
So basically the user logs in with his login credentials but has no rights at all (only connect).
Then inside the application i call sp_setapprole with a password, once the connection is established so the application rules are granted.
Once this call succeeds then the connection gets the privileges of the
application role and loses privileges of the actual user, which is
what we want. So if someone tried to connect to the database from SSMS
or SQLCMD, they will access the DB using their credentials, which
won’t have the required permissions on the tables, since only the
application role has the rights on the tables. This is more secure &
reliable approach, but one that requires application code change and
as a DBA you will have to create the application role in SQL Server.
So Application Roles sounds like the way to go.
My question is:
Are application roles DMBS standard and available to most DBMS systems?
Is there way to trace the sp_setapprole login (e.g. with WireShark)?
Of course someone could reverse-engineer the application and get the credentials for the application role - but i guess that's unavoidable :)
I've seen one simpler solution in place and it worked fine. Here it is:
The application is responsible for creating users at the database
Before creating the user, the application hashed/encrypted their password, so if you chose password "123456" it would be created as "RRU2992191910" (just an example)
If the user tried to connect to the database with "123456" it wouldn't be successful
Only the application was able to connect to database, because it hashed/encrypted the password informed by the user
This is not the most secure solution in the world, but it's very simple and does what you want. And it could be ported to different RDBMS's with no extra cost.
How do I prevent WAN access to a particular database in SQLyog? I am able to grant full access to particular DB's, but not able to prevent them. I have a Web APP that runs on an internal server and accesses MySQL on the same server. I have created a SQL user with my workstations IP, but I am receiving access denied from dbconnect when I run the APP from my workstation.
Thanks,
Tony Cripps
MySQL does not allow connections from anything other than what you've specified. If you want to disallow access from a particular IP or network, then that mean that you've already gone and granted access to them.
Review the CREATE USER syntax, particularly the section on specifying hostnames.
Review the user accounts that you've already created:
SELECT user, host, password FROM mysql.user;
And then re-create them as necessary.
Other than than that, if you want to completely disallow WAN access then you should be looking at your firewall settings, not MySQL.
I am using db2 9.7.2 (express) version. Trying to connect the db2 via ODBC to MS Office 2007. connection all worked well but when try to open table from access error saying db2admin user does not have previlage for the operation...
I has done the typical installation of db2.. so Is there anything more to do for user right ?.. db2/msoffice works good. Only thing with the access right...
please help me to solve this.
Who created the database (owns DBADB profile) and who created the instance (SYSADMIN profile)?
Probably, you created a database with a different user to db2admin, and for this database the user db2admin does not have special privileges.
Check the groups in you operative system, the sysadmin_grp group in the instance, and who created the database. The problem could be solve just by adding db2admin in a operative system group (db2admins).
If db2admin could connect to the database, because the connection grant is public, but the data access is restricted to some users. Just by adding dbadm to db2admin or giving the profile sysadmin, then db2admin will have the complete control of the database.