Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com>
Co-authored-by: Lu, Huayi <luhuayi@huawei.com>
Co-committed-by: Lu, Huayi <luhuayi@huawei.com>
<a name="EN-US_TOPIC_0000001411540041"></a><a name="EN-US_TOPIC_0000001411540041"></a>
<h1 class="topictitle1">How Do I Create Private Database Users and Tables?</h1>
<div id="body0000001411540041"><div class="section" id="EN-US_TOPIC_0000001411540041__section18587136124211"><h4 class="sectiontitle">Scenario</h4><p id="EN-US_TOPIC_0000001411540041__p0329145416570">By default, the system administrator <strong id="EN-US_TOPIC_0000001411540041__b48821140124920">dbadmin</strong> has permission to access tables created by common users. When Separation of Permissions is enabled, the administrator <strong id="EN-US_TOPIC_0000001411540041__b13765133417516">dbadmin</strong> does not have permission to access the tables of common users or to perform control operations on them (DROP, ALTER, and TRUNCATE).</p>
<p id="EN-US_TOPIC_0000001411540041__p0890185121820">Suppose you need a private user and a private table (a table created by that user) that only the private user can access: neither the system administrator <strong id="EN-US_TOPIC_0000001411540041__b1450772191317">dbadmin</strong> nor other common users may read or modify the table (INSERT, DELETE, UPDATE, SELECT, or COPY). At the same time, the system administrator <strong id="EN-US_TOPIC_0000001411540041__b1722082411144">dbadmin</strong> must still be able to perform DROP, ALTER, or TRUNCATE on the table without authorization from the private user. To achieve this, create the private user with the INDEPENDENT attribute.</p>
<div class="fignone" id="EN-US_TOPIC_0000001411540041__fig13194161418486"><span class="figcap"><b>Figure 1 </b>Private users</span><br><span><img id="EN-US_TOPIC_0000001411540041__image420011141489" src="figure/en-us_image_0000001447013230.png" title="Click to enlarge" class="imgResize"></span></div>
</div>
<div class="section" id="EN-US_TOPIC_0000001411540041__section19182184884216"><h4 class="sectiontitle">Principles</h4><p id="EN-US_TOPIC_0000001411540041__p14812174824218">This function is implemented by creating a user with the INDEPENDENT attribute.</p>
<p id="EN-US_TOPIC_0000001411540041__p133307711466"><strong id="EN-US_TOPIC_0000001411540041__b6342010135313">INDEPENDENT | NOINDEPENDENT</strong> defines private and independent roles. For a role with the <strong id="EN-US_TOPIC_0000001411540041__b224113117563">INDEPENDENT</strong> attribute, administrators' rights to control and access this role are separated. Specific rules are as follows:</p>
<ul id="EN-US_TOPIC_0000001411540041__ul5508125214460"><li id="EN-US_TOPIC_0000001411540041__li9509165284612">Without authorization from the INDEPENDENT role, administrators have no right to insert into, delete from, query, modify, copy, or grant privileges on the role's table objects.</li><li id="EN-US_TOPIC_0000001411540041__li205095523462">Without authorization from the INDEPENDENT role, administrators have no right to modify the role's inheritance relationships.</li><li id="EN-US_TOPIC_0000001411540041__li10509205219468">Administrators have no right to change the owner of the table objects belonging to the INDEPENDENT role.</li><li id="EN-US_TOPIC_0000001411540041__li19509145234618">Administrators have no right to change the database password of the INDEPENDENT role. The INDEPENDENT role must manage its own password, which cannot be reset if it is lost.</li><li id="EN-US_TOPIC_0000001411540041__li1150915234611">The <strong id="EN-US_TOPIC_0000001411540041__b759134355616">SYSADMIN</strong> attribute of a user cannot be changed to the <strong id="EN-US_TOPIC_0000001411540041__b95917432565">INDEPENDENT</strong> attribute.</li></ul>
</div>
<div class="section" id="EN-US_TOPIC_0000001411540041__section139461420173220"><h4 class="sectiontitle">Procedure</h4><ol id="EN-US_TOPIC_0000001411540041__ol3704134743315"><li id="EN-US_TOPIC_0000001411540041__li16704144793320"><span>Connect to the DWS database as user <strong id="EN-US_TOPIC_0000001411540041__b1656912051913">dbadmin</strong>.</span></li><li id="EN-US_TOPIC_0000001411540041__li1370484703310"><span>Run the following SQL statement to create private user <strong id="EN-US_TOPIC_0000001411540041__b16116199121916">u1</strong>:</span><p><div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001411540041__screen167041747143319"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">USER</span><span class="w"> </span><span class="n">u1</span><span class="w"> </span><span class="k">WITH</span><span class="w"> </span><span class="n">INDEPENDENT</span><span class="w"> </span><span class="n">IDENTIFIED</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="s1">'password'</span><span class="p">;</span>
</pre></div></td></tr></table></div>
</div>
</p></li></ol><ol start="3" id="EN-US_TOPIC_0000001411540041__ol16703547143319"><li id="EN-US_TOPIC_0000001411540041__li18703144718332"><span>Switch to user <strong id="EN-US_TOPIC_0000001411540041__b297811415576">u1</strong>, create the table <strong id="EN-US_TOPIC_0000001411540041__b930242085718">test</strong>, and insert data into the table.</span><p><div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001411540041__screen591303711412"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span>
<span class="normal">2</span>
<span class="normal">3</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">test</span><span class="w"> </span><span class="p">(</span><span class="n">id</span><span class="w"> </span><span class="nb">INT</span><span class="p">,</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">));</span>
<span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">test</span><span class="w"> </span><span class="k">VALUES</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="s1">'joe'</span><span class="p">);</span>
<span class="k">INSERT</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">test</span><span class="w"> </span><span class="k">VALUES</span><span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="s1">'jim'</span><span class="p">);</span>
</pre></div></td></tr></table></div>
</div>
</p></li><li id="EN-US_TOPIC_0000001411540041__li248281103912"><span>Switch to user <strong id="EN-US_TOPIC_0000001411540041__b10632103718574">dbadmin</strong> and run the following SQL statement to check whether user <strong id="EN-US_TOPIC_0000001411540041__b1541010595577">dbadmin</strong> can access the private table <strong id="EN-US_TOPIC_0000001411540041__b118301927588">test</strong> created by private user <strong id="EN-US_TOPIC_0000001411540041__b179911550580">u1</strong>:</span><p><div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001411540041__screen1435534194119"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">u1</span><span class="p">.</span><span class="n">test</span><span class="p">;</span>
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001411540041__p26162588441">The query result shows that user <strong id="EN-US_TOPIC_0000001411540041__b95196286582">dbadmin</strong> does not have permission to access the table, which confirms that the private user and the private table were created successfully.</p>
<p id="EN-US_TOPIC_0000001411540041__p18410134274116"><span><img id="EN-US_TOPIC_0000001411540041__image7554104334116" src="figure/en-us_image_0000001496851569.png" title="Click to enlarge" class="imgResize"></span></p>
</p></li><li id="EN-US_TOPIC_0000001411540041__li1275692333914"><span>Run the <strong id="EN-US_TOPIC_0000001411540041__b151231713743">DROP</strong> statement as user <strong id="EN-US_TOPIC_0000001411540041__b79640161949">dbadmin</strong> to delete the table <strong id="EN-US_TOPIC_0000001411540041__b657915261548">test</strong>.</span><p><div class="codecoloring" codetype="Sql" id="EN-US_TOPIC_0000001411540041__screen1789232954117"><div class="highlight"><table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><span class="normal">1</span></pre></div></td><td class="code"><div><pre><span></span><span class="k">DROP</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">u1</span><span class="p">.</span><span class="n">test</span><span class="p">;</span>
</pre></div></td></tr></table></div>
</div>
<p id="EN-US_TOPIC_0000001411540041__p73298416118"><span><img id="EN-US_TOPIC_0000001411540041__image1481165101111" src="figure/en-us_image_0000001446859452.png" title="Click to enlarge" class="imgResize"></span></p>
</p></li></ol>
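<p>The following script replays the procedure above as one sequence and extends it with the cases the Principles section describes but the steps do not exercise: data access that stays denied to <strong>dbadmin</strong>, the control operations that remain available to <strong>dbadmin</strong>, and the explicit GRANT by which the private user can open the table. It is an added example, not code from the original page or from the DWS documentation. The user name <strong>u1</strong>, table name <strong>test</strong>, and the password are sample values; the GRANT/REVOKE statements are standard SQL, and the ALTER USER ... REPLACE form is assumed GaussDB syntax that does not appear on this page. Each block is labelled with the session (connected user) in which it is meant to run.</p>

```sql
-- Added example: replays the page's procedure and extends it with the
-- access/control split described under "Principles". Run each labelled
-- block in a session connected as the named user. u1, test and the
-- password are constructed sample values.

-- [Session: dbadmin] Create the private (INDEPENDENT) user.
CREATE USER u1 WITH INDEPENDENT IDENTIFIED BY 'ExamplePassw0rd!';

-- [Session: u1] Create a table in u1's own schema and load two rows.
CREATE TABLE u1.test (id INT, name VARCHAR(20));
INSERT INTO u1.test VALUES (1, 'joe');
INSERT INTO u1.test VALUES (2, 'jim');

-- [Session: u1] Only u1 can change its own password; dbadmin cannot reset it,
-- so rotate it while it is still known. Syntax assumed (GaussDB-style), not from the page.
ALTER USER u1 IDENTIFIED BY 'RotatedPassw0rd!' REPLACE 'ExamplePassw0rd!';

-- [Session: dbadmin] Data access is denied: no grant has been given, so
-- SELECT, INSERT, UPDATE, DELETE and COPY on u1.test all fail with a
-- permission error.
SELECT * FROM u1.test;                   -- expected: permission denied
INSERT INTO u1.test VALUES (3, 'bob');   -- expected: permission denied

-- [Session: dbadmin] Control operations do NOT need u1's consent.
ALTER TABLE u1.test ADD COLUMN created_at DATE;
TRUNCATE TABLE u1.test;

-- [Session: dbadmin] Changing the owner of an INDEPENDENT role's table is
-- one control operation that stays reserved (Principles, third rule):
-- ALTER TABLE u1.test OWNER TO dbadmin;  -- expected: permission denied

-- [Session: u1] The private user can explicitly open the table to dbadmin.
GRANT SELECT ON u1.test TO dbadmin;

-- [Session: dbadmin] Readable now, but still not writable: only SELECT was
-- granted, so the write stays denied.
SELECT * FROM u1.test;                   -- succeeds (empty after TRUNCATE)
INSERT INTO u1.test VALUES (3, 'bob');   -- expected: permission denied

-- [Session: u1] Revoke the grant again when it is no longer needed.
REVOKE SELECT ON u1.test FROM dbadmin;

-- [Session: dbadmin] Clean up: DROP is permitted without authorization from u1.
DROP TABLE u1.test;
```

<p>The useful check for an operator is the pair of statements run as <strong>dbadmin</strong> after the GRANT: the SELECT succeeds while the INSERT is still denied, which confirms that access to a private table is controlled entirely by the grants the private user issues, while DROP, ALTER and TRUNCATE remain available to the administrator for lifecycle management.</p>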
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="dws_03_0110.html">Account, Password, and Permission</a></div>
</div>
</div>
<script language="JavaScript">
<!--
image_size('.imgResize');
var msg_imageMax = "view original image";
var msg_imageClose = "close";
//--></script>