Database Entitlement Reports
You can use database entitlement reports to verify that users have access only to the appropriate data. Your Guardium system includes predefined database entitlement reports for several database types.
The predefined entitlement reports are listed as follows. They appear as domain names in the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections:
- Oracle DB Entitlements Domains
- MYSQL DB Entitlements Domains
- DB2® DB Entitlements Domains
- DB2 for i 6.1 and 7.1 DB Entitlements Domains
- SYBASE DB Entitlements Domains
- Informix® DB Entitlements Domains
- Microsoft SQL Server Entitlements Domains
- Netezza® DB Entitlements Domains
- Teradata DB Entitlements Domains
- PostgreSQL DB Entitlements Domains
- Azure SQL DB Entitlement Domains
- Neo4j Entitlement Domains
- DataStax Cassandra Entitlement Domains
See also Entitlement Optimization.
Oracle DB Entitlements
The following domains are provided to facilitate uploading and reporting on Oracle DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Oracle
- ORA Accnts of ALTER SYSTEM - Accounts with ALTER SYSTEM and ALTER SESSION privileges
- ORA Accnts with BECOME USER - Accounts with BECOME USER privileges
- ORA All Sys Priv and admin opt - Report showing all system privilege and admin option for users and roles
- ORA Obj And Columns Priv - Object and columns privileges granted (with or without grant option)
- ORA Object Access By PUBLIC - Object access by PUBLIC
- ORA Object privileges - Object privileges by database account not in the SYS and not a DBA role
- ORA PUBLIC Exec Priv On SYS Proc - Execute privilege on SYS PL/SQL procedures assigned to PUBL
- ORA Roles Granted - Roles granted to users and roles
- ORA Sys Priv Granted - Hierarchical report showing system privilege granted to users including recursive definitions (i.e. privileges assigned to roles and then these roles assigned to users
- ORA SYSDBA and SYSOPER Accnts - Accounts with SYSDBA and SYSOPER privileges
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
/* Select privilege to these tables/views is required */
grant select on sys.dba_tab_privs to sqlguard;
grant select on sys.dba_roles to sqlguard;
grant select on sys.dba_users to sqlguard;
grant select on sys.dba_role_privs to sqlguard;
grant select on sys.dba_sys_privs to sqlguard;
grant select on sys.obj$ to sqlguard;
grant select on sys.user$ to sqlguard;
grant select on sys.objauth$ to sqlguard;
grant select on sys.table_privilege_map to sqlguard;
grant select on sys.dba_objects to sqlguard;
grant select on sys.v_$pwfile_users to sqlguard;
grant select on sys.dba_col_privs to sqlguard;
MYSQL DB Entitlements
The following domains are provided to facilitate uploading and reporting on MYSQL DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
MYSQL: The queries ending in "_40" use the most basic version of the mysql schema (for MySQL 4.0 and beyond). The information_schema has not changed since it was introduced in MySQL 5.0, so there is a set of _50 queries, but no _51 queries. The _50 queries work for MySQL 5.0 and 5.1 and for 6.0 when it comes out, since the information_schema is not expected to change in 6.0. The queries ending in "_502" (MYSQL502) use the new information_schema, which contains much more information and is much more like a true data dictionary.
- MYSQL Database Privileges 40
- MYSQL User Privileges 40
- MYSQL Host Privileges 40
- MYSQL Table Privileges 40
- MYSQL Database Privileges 500
- MYSQL User Privileges 500
- MYSQL Host Privileges 500
- MYSQL Table Privileges 500
- MYSQL Database Privileges 502
- MYSQL User Privileges 502
- MYSQL Host Privileges 502
- MYSQL Table Privileges 502
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
The entitlement queries for all MySQL versions through MySQL 5.0.1 use this set of tables: mysql.db mysql.host mysql.tables_priv mysql.user
Beginning with MySQL 5.0.2, and for all later versions, the entitlement queries use this set of tables: information_schema.SCHEMA_PRIVILEGES mysql.host information_schema.TABLE_PRIVILEGES information_schema.USER_PRIVILEGES
If a datasource has a MYSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading data will loop through all MYSQL databases the user has access to.
DB2 DB Entitlements
The following domains are provided to facilitate uploading and reporting on DB2 DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- DB2 Column-level Privileges (SELECT, UPDATE, ETC.)
- DB2 Database -level Privileges (CONNECT, CREATE, ETC.)
- DB2 Index-level Privilege (CONTROL)
- DB2 Package-level Privileges (on code packages – BIND, EXECUTE, ETC.)
- DB2 Table-level Privileges (SELECT, UPDATE, ETC.) DB2 Privilege Summary
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
/* Select privilege to these tables/views is required */
GRANT SELECT ON SYSCAT.COLAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.DBAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.INDEXAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PACKAGEAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.DBAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.TABAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.SCHEMAAUTH TO SQLGUARD;
GRANT SELECT ON SYSCAT.PASSTHRUAUTH TO SQLGUARD;
- DB2 z/OS entitlements
- The following domains are provided to facilitate uploading and reporting on DB2 for z/OS DB Entitlements.
DB2 zOS Executable Object Privs Granted To PUBLIC
DB2 zOS Object Privs Granted To PUBLIC
DB2 zOS System Privs Granted To GRANTEE -V8
DB2 zOS System Privs Granted To GRANTEE -V9
DB2 zOS System Privs Granted To GRANTEE -V10 Up
DB2 zOS Database Privs Granted To GRANTEE
DB2 zOS Schema Privs Granted To GRANTEE -V9 Up
DB2 zOS Schema Privs Granted To GRANTEE -V8 Only
DB2 zOS Database Resource Granted To GRANTEE
DB2 zOS Object Privs Granted To GRANTEE
DB2 zOS System Privs Granted With GRANT -V8
DB2 zOS System Privs Granted With GRANT -V9
DB2 zOS System Privs Granted With GRANT -V10 Up
DB2 zOS Database Resource Granted To PUBLIC
DB2 zOS Schema Privs Granted To PUBLIC
DB2 zOS Database Privs Granted To PUBLIC
DB2 zOS System Privs Granted To PUBLIC -V10 Up
DB2 zOS System Privs Granted To PUBLIC -V9
DB2 zOS System Privs Granted To PUBLIC -V8
DB2 zOS Object Privs Granted With GRANT
DB2 zOS Database Resource Granted With GRANT
DB2 zOS Schema Privs Granted With GRANT-V8 Only
DB2 zOS Schema Privs Granted With GRANT-V9 Up
DB2 zOS Database Privs Granted With GRANT
DB2 for i 6.1 and 7.1 DB Entitlements
The following domains are provided to facilitate uploading and reporting on DB2 for i DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
Use the script, gdmmonitor-db2-IBMi.sql, to detail the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
Object privileges granted to grantee (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
Object privileges granted to PUBLIC (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
Executable Objects privileges granted to PUBLIC (Object type: package and Routine)
Object privileges granted to grantee with GRANT OPTION (Object type: Schema, Table, View, Package, Routine, sequence, column, global variable, and XML schema)
All of the object privileges exclude default system schemas from a predefined Guardium group called "DB2 for i exclude system schemas - entitlement report". Please add to this group for schema that should be excluded.
SAP Hana Entitlements
The following domains are provided to facilitate uploading and reporting on SAP Hana Entitlements.
- SAP Application Access
- SAP HANA Analytical priv granted to grantee
- SAP HANA App Privilege granted to grantee
- SAP HANA Sys priv granted to grantee
- SAP HANA DB Object priv granted to grantee
- SAP HANA Exec Objects priv granted to PUBLIC
- SAP HANA Object priv granted to grantee with GRANT OPTION
- SAP HANA Object privileges granted to PUBLIC
- SAP HANA Role granted to grantee
Use the script, gdmmonitor-SAP-Hana.sql, to detail the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
For more information on running a database entitlement report, see Running database entitlement reports.
SYBASE DB Entitlements
The following domains are provided to facilitate uploading and reporting on SYBASE DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- SYBASE System Privilege and Roles Granted to User including Grant option
- SYBASE Role Granted to User and System Privileges Granted to user and role including Grant option
- SYBASE Object Access by Public
- SYBASE Execute Privilege on Procedure, function assigned To Public
- SYBASE Accounts with System or Security Admin Roles
- SYBASE Object and Columns Privilege Granted with Grant option
- SYBASE Role Granted To User
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
/* Select privilege to these tables/views is required */
/* These are required on MASTER database */
grant select on master.dbo.sysloginroles to sqlguard
grant select on master.dbo.syslogins to sqlguard
grant select on master.dbo.syssrvroles to sqlguard
/*These are required on every database, including MASTER */
grant select on sysprotects to sqlguard
grant select on sysusers to sqlguard
grant select on sysobjects to sqlguard
grant select on sysroles to sqlguard
If a datasource has a SYBASE database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading data will loop through all SYBASE databases the user has access to.
SYBASE IQ Entitlements
Supported version: sybase IQ 15 and above.
The following custom table definitions are created to upload data: (You can ignore the id.)
- 139 | Sybase IQ Object Privileges By DB User
- 140 | Sybase IQ Object Privileges By Group
- 141 | Sybase IQ System Authority And Group Granted To User
- 142 | Sybase IQ System Authority And Group Granted To User And Group
- 143 | Sybase IQ Object Access By Public
- 144 | Sybase IQ Exec priv on proc func to PUBLIC
- 145 | Sybase IQ User Group With DBA Perms Admin etc
- 146 | Sybase IQ Table View priv granted with grant
- 147 | Sybase IQ Group granted to user and group
- 148 | Sybase IQ Login policy for user group with login
Corresponding query/reports are as follows: (You can ignore the id.)
- 597 | Sybase IQ Object Privileges By DB User
- 598 | Sybase IQ Object Privileges By Group
- 599 | Sybase IQ System Authority And Group Granted To User
- 600 | Sybase IQ System Authority And Group Granted To Users And Groups Grantee
- 601 | Sybase IQ Object Access By Public
- 602 | Sybase IQ Execute Privilege On Procedure and Function To PUBLIC
- 603 | Sybase IQ User Group With DBA/Perms Admin/User Admin/Remote DBA database authority
- 604 | Sybase IQ Table View Priv Granted With Grant
- 605 | Sybase IQ Group Granted To User And Group
- 606 | Sybase IQ Login Policy For User And Group With Login Option Setting
They can be found under db entitlements with the others.
=========================================================================================
Description of each - some of them are self explained. some may need a few extra words:
1 /*
Object privileges by database user.
Object include: Table, views, procedure and functions.
These are privilege granted to users only, not including group or membership in group.
*/
2. /*
Object privileges by group.
Object inlcude: Table, views, procedure and functions.
These are privilege granted to group only.
*/
3 /* System Authority And Group Granted To Users.
*/
4 /* System Authority And Group Granted To Users And Groups Grantee.
*/
5 /* object access by public.
Including Tables, Views, Functions and Procedures
*/
6 /* Execute privilege on procedures and functions granted to PUBLIC:
*/
7 /* Users and groups with DBA, Perms Admin, User Admin or Remote DBA database authority.
*/
8 /* Tables and Views privileges granted with grant option to users and groups.
Note, this is the only grant option type allow in Sybase IQ. Routines cannot be grant with grant option.
*/
9 /* Group granted to users and group.
*/
10 /* Login policy assigned to user and group with login option setting */
How to use GuardAPI to add a datasource to Sybase IQ reports
How to use GuardAPI to add a datasource to each of the Sybase IQ reports and how to execute them.
See the examles below on how to add a datasource to each of the new reports and then execute each report.
Add a datasource for all Sybase IQ Entitlement Reports
grdapi create_datasource type="Sybase IQ" user=ent password=Guardium123 host=9.70.144.152 name="Sybase IQ entitlement6" shared=true owner=admin application=CustomDomain port=2638 dbName=sn5qpuff
Add a datasource to all Sybase IQ Entitlement Reports
grdapi create_datasourceRef_by_name application=CustomTables objName="Sybase IQ Exec priv on proc func to PUBLIC"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Group granted to user and group" datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Login policy for user group with login"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Object Access By Public" datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Object Privileges By DB User" datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Object Privileges By Group" datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ System Authority And Group Granted To User"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ System Authority And Group Granted To User And Group"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ Table View priv granted with grant"datasourceName="Sybase IQ entitlement 6"
grdapi create_datasourceRef_by_name application=CustomTablesobjName="Sybase IQ User Group With DBA Perms Admin etc"datasourceName="Sybase IQ entitlement 6"
Execute ALL SybaseIQ Entitlement Reports
grdapi upload_custom_data tableName=SYBASEIQ_EXEC_PRIV_ON_PROC_FUNC_TO_PUBLIC
grdapi upload_custom_data tableName=SYBASEIQ_GROUP_GRANTED_TO_USER_AND_GROUP
grdapi upload_custom_data tableName=SYBASE_OBJ_COL_PRIVS_GRANTED_WITH_GRAN
grdapi upload_custom_data tableName=SYBASEIQ_OBJECT_ACCESS_BY_PUBLIC
grdapi upload_custom_data tableName=SYBASEIQ_OBJECT_PRIVS_BY_DB_USER
grdapi upload_custom_data tableName=SYBASEIQ_OBJECT_PRIVILEGES_BY_GROUP
grdapi upload_custom_data tableName=SYBASEIQ_SYSTEM_AUTHORITY_AND_GROUP_GRANTED_TO_USER grdapi upload_custom_data
tableName=SYBASEIQ_SYSTEM_AUTHORITY_AND_GROUP_GRANTED_TO_USER_AND_GROUP grdapi upload_custom_data
tableName=SYBASEIQ_TABLE_VIEWS_PRIV_GRANTED_WITH_GRANT grdapi upload_custom_data
tableName=SYBASEIQ_USER_GROUP_WITH_DBA_PERMS_ADMIN_ETC
Informix DB Entitlements
The following domains are provided to facilitate uploading and reporting on Informix DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- Informix Object Privileges by database account not including system account and roles
- Informix database level privileges, roles and language granted to user including grant option
- Informix database level privileges, roles and language granted to user and role including grant option
- Informix Object Grant to Public
- Informix Execute Privilege on Informix procedure and function granted to Public
- Informix Account with DBA Privilege Informix Object and columns privileges granted with Grant option
- Informix Role Granted To User and Role
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements). The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
/* Select privilege to these tables/views is required */
Since all users have sufficient privileges for system catalog SELECT privileges, there is no need to grant privilege to any user. Informix doesn't seem to like granting system catalog to users. The grant below would normally be used. But in this case they are not required.
grant select on systables to sqlguard;
grant select on systabauth to sqlguard;
grant select on sysusers to sqlguard;
grant select on sysroleauth to sqlguard;
grant select on syslangauth to sqlguard;
grant select on sysroutinelangs to sqlguard;
grant select on sysprocauth to sqlguard;
grant select on sysprocedures to sqlguard;
grant select on syscolauth to sqlguard;
If a datasource has a Informix database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading data will loop through all Informix databases the user has access to.
Microsoft SQL Server 2005 and later DB Entitlements
The following domains are provided to facilitate uploading and reporting on Microsoft SQL Server 2005 and later DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- Microsoft SQL Server Object privileges by database account not including default system user.
- Microsoft SQL Server Role/System privileges granted To User
- Microsoft SQL Server Role/System Privilege granted to user and role including grant option
- Microsoft SQL Server Object access by PUBLIC
- Microsoft SQL Server Execute Privilege on System Procedures and functions to PUBLIC
- Microsoft SQL Server Database accounts of db_owner and db_securityadmin Role
- Microsoft SQL Server Server account of sysadmin, serveradmin and security admin /* only run against MASTER database */
- Microsoft SQL Server Object and columns privileges granted with grant option
- Microsoft SQL Server Role granted to user and role.
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
/* Select privilege to these tables/views is required */
/*These are required on MASTER database */
grant select on sys.server_principals to sqlguard
/*These are required on every databases including MASTER */
grant select on sys.database_permissions to sqlguard
grant select on sys.database_principals to sqlguard
grant select on sys.all_objects to sqlguard
grant select on sys.database_role_members to sqlguard
grant select on sys.columns to sqlguard
If a datasource has a MSSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading data will loop through all MSSQL databases the user has access to.
Netezza DB Entitlements
The following domains are provided to facilitate uploading and reporting on Netezza DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- Netezza Obj Privs by DB Username - Object privileges with or without grant option by database username excluding ADMIN account.
- Netezza Admin Privs by DB Username - Admin privileges with or without grant option by database username excluding ADMIN account.
- Netezza Group /Role Granted To User - Group (Role) granted to user
- Netezza Obj Privs By Group - Object privileges with or without grant option by GROUP excluding PUBLIC.
- Netezza Admin Privs By Group - Admin privileges with or without grant option by GROUP excluding PUBLIC.
- Netezza Admin Privs By DB Username, Group - Admin privileges with or without grant option by database username, group excluding ADMIN account and PUBLIC group.
- Netezza Obj Privs Granted - Object privileges granted with or without grant option to PUBLIC.
- Netezza Admin Privis Granted - Admin privileges granted with or without grant option to PUBLIC.
- Netezza Global Admin Priv To Users and Groups - Global admin privilege granted to users and groups excluding ADMIN account.
- Netezza Global Obj Priv To Users and Groups - Global object privilege granted to users and groups excluding ADMIN account.
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
/* Select privilege to these tables/views is required */
/* This script must be run from the system database */
GRANT SELECT ON SYSTEM VIEW TO sqlguard;
GRANT LIST ON DATABASE TO sqlguard;
GRANT LIST ON USER TO sqlguard;
GRANT LIST ON GROUP TO sqlguard;
GRANT SELECT ON _V_CONNECTION TO sqlguard;
For Netezza entitlement queries, it is recommended to connect to SYSTEM database, especially when granting the privilege to the user who is going to run these reports. The granting privilege MUST take place from SYSTEM database or else the granted privilege will only take place on one particular database. When the granted privilege takes place from SYSTEM database, a special feature will allow the granted privilege to carry through to all the databases.
Teradata DB Entitlements
The following domains are provided to facilitate uploading and reporting on Teradata DB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
- Teradata Object privileges by database account not including default system users.
- Teradata System privileges and roles granted to users including grant option.
- Teradata Roles granted to users and roles including grant option.
- Teradata Role granted to users and roles. System privileges granted to users and roles including grant option.
- Teradata Objects and System privileges granted to public. Note role cannot be granted to public in Teradata.
- Teradata Execute privileges on system database objects to public.
- Teradata System admin, Security admin privileges granted to user and role. Note: There are no such role as System or Security admin in Teradata. User must create their own roles. These are some important system privileges that would normally not be granted to normal user: ABORT SESSION, CREATE DATABASE, CREATE PROFILE, CREATE ROLE,CREATE USER, DROP DATABASE, DROP PROFILE, DROP ROLE, DROP USER, MONITOR RESOURCE, MONITOR SESSION, REPLICATION OVERRIDE, SET SESSION RATE, SET RESOURCE RATE.
- Teradata Object privileges granted with granted option to users. Not including DBC and grantee = 'All'.
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), in order for the entitlement to work.
/* Select privilege to these tables/views is required */
GRANT SELECT ON DBC.AllRights TO sqlguard;
GRANT SELECT ON DBC.Tables TO sqlguard;
GRANT SELECT ON DBC.AllRoleRights TO sqlguard;
GRANT SELECT ON DBC.RoleMembers TO sqlguard;
PostgreSQL DB and PostgreSQL EDB Entitlements
The following domains are provided to facilitate uploading and reporting on PostgreSQL DB and PostgreSQL EDB Entitlements. Each of the following domains has a single entity (with the same name), and there is a predefined report for each domain. All of these domains are available from the Custom Domain Builder, Custom Query-Report Builder, and Custom Table Builder selections. As with other predefined entities and reports, these cannot be modified, but you can clone and then customize your own versions of any of these domains or reports. To see entitlement reports, log on the user portal, and go to the DB Entitlements tab.
There are seven entitlement custom domains/queries/reports for PostgreSQL. They are as follows (each is listed with Report name, description, note):
- PostgreSQL Priv On. Databases Granted To Public User Role With Or Without Granted Option. Privilege on databases granted to public, user and role with or without granted option. Run this on any database, ideally PostgreSQL.
- PostgreSQL Priv On Language Granted To Public User Role With Or Without Granted Option. Privilege on Language granted to public, user and role with or without granted option. Run this per database.
- PostgreSQL Priv On Schema Granted To Public User Role With Or Without Granted Option. Privilege on Schema granted to public, user and role with or without granted option. Run this per database.
- PostgreSQL Priv On Tablespace Granted To Public User Role With Or Without Granted Option. Privilege on Tablespace granted to public, user and role with or without granted option. Run this on any database, ideally PostgreSQL.
- PostgreSQL Role Or User Granted To User Or Role (9.4 and below. For PostgreSQL DB only). Role or User granted to user or role including grant option. Run this once in any database. Ideally PostgreSQL.
- PostgreSQL Role Or User Granted To User Or Role (9.5 and above). Role or User granted to user or role including grant option. Run this once in any database. Ideally PostgreSQL.
- PostgreSQL Super User Granted To User Or Role. Super user granted to user or role. Run this once in any database. Ideally PostgreSQL.
- PostgreSQL Sys Privs Granted To User And Role. System privileges granted to user and role. Run this once in any database. Ideally PostgreSQL.
- PostgreSQL Table View Sequence and Function privs Granted To Public. Tables, Views, Sequence and Functions privileges granted to public. Run this per database. Run this per database.
- PostgreSQL Table View Sequence and Function Privs Granted With Grant Option. Tables, Views, Sequence and Functions privileges granted to user and role with grant option only. Exclude PostgreSQL account.
- PostgreSQL Table View Sequence Function Privs Granted To Roles. Tables, Views, Sequence and Functions privileges granted to roles. Not including public. Run this per database.
- PostgreSQL Table Views Sequence and Functions Privs Granted To Login. Tables, Views, Sequence and Functions privileges granted to logins. Not including postgres system user. Run this per database.
For entitlements to be able to upload data from various datasources, the general requirement is that the login, used to access the database, be able to read the tables used in the query (which is hidden for all entitlements).
The following list (with comment line heading) details the minimal privileges required, in the database table (or view of the database table), for the entitlement to work.
/* Select privilege to these tables/views is required */
/*This is required on POSTGRES database*/
grant connect on database postgres to sqlguard;
/*These are required on every database, including POSTGRES (By default these are already granted to PUBLIC) */
grant select on pg_class to sqlguard;
grant select on pg_namespace to sqlguard;
grant select on pg_roles to sqlguard;
grant select on pg_proc to sqlguard;
grant select on pg_auth_members to sqlguard;
grant select on pg_language to sqlguard;
grant select on pg_tablespace to sqlguard;
grant select on pg_database to sqlguard;
If a datasource has a PostgreSQL database type, but does not have a DB name (see Datasource Definitions, the database name under Location is blank), then the uploading data will loop through all PostgreSQL databases the user has access to.
Azure SQL DB Entitlements
- Azure SQL Database Role granted to user and role
- Azure SQL Database Object / Column privileges granted with grant option
- Azure SQL Database Accounts with db_owner / db_securityadmin role
- Azure SQL Database Role / System privileges granted to user and role
- Azure SQL Database Object privileges granted to PUBLIC
- Azure SQL Database Privileges on system procedures / functions granted to PUBLIC
- Azure SQL Database Object privileges granted to user and role
Neo4j DB Entitlements
- Neo4j roles granted to users
- Neo4j privileges for built-in roles
- Neo4j privileges for user roles (excluding built-in roles)
- Neo4j privileges denied to user roles
DataStax Cassandra DB Entitlements
- DataStax Cassandra SuperUser Role
- DataStax Cassandra Object privileges granted with grant option
- DataStax Cassandra Role granted to User Role
- DataStax Cassandra DB Object privileges granted to grantee