Join IIUG
 for   
 

Informix News
18 Nov 13 - ZDNet - Top 20 mobile skills in demand... Read
09 Sep 13 - telecompaper - Shaspa and Tatung have shown a new smart home platform at Ifa in Berlin. Powered by the IBM Informix software... Read
06 Sep 13 - IBM data magazine - Mission Accomplished - Miami, Florida will be the backdrop for the 2014 IIUG Informix Conference... Read
01 Feb 13 - IBM Data Magazine - Are your database backups safe? Lester Knutsen (IBM Champion) writes about database back up safety using "archecker"... Read
14 Nov 12 - IBM - IBM's Big Data For Smart Grid Goes Live In Texas... Read
3 Oct 12 - The Financial - IBM and TransWorks Collaborate to Help Louisiana-Pacific Corporation Achieve Supply Chain Efficiency... Read
28 Aug 12 - techCLOUD9 - Splunk kicks up a SaaS Storm... Read
10 Aug 12 - businessCLOUD9 - Is this the other half of Cloud monitoring?... Read
3 Aug 12 - IBM data management - Supercharging the data warehouse while keeping costs down IBM Informix Warehouse Accelerator (IWA) delivers superior performance for in-memory analytics processing... Read
2 Aug 12 - channelbiz - Oninit Group launches Pay Per Pulse cloud-based service... Read
28 May 12 - Bloor - David Norfolk on the recent Informix benchmark "pretty impressive results"... Read
23 May 12 - DBTA - Informix Genero: A Way to Modernize Informix 4GL Applications... Read
9 Apr 12 - Mastering Data Management - Upping the Informix Ante: Advanced Data Tools... Read
22 Mar 12 - developerWorks - Optimizing Informix database access... Read
14 Mar 12 - BernieSpang.com - International Informix User Group set to meet in San Diego... Read
1 Mar 12 - IBM Data Management - IIUG Heads West for 2012 - Get ready for sun and sand in San Diego... Read
1 Mar 12 - IBM Data Management - Running Informix on Solid-State Drives.Speed Up Database Access... Read
26 Feb 12 - BernieSpan.com - Better results, lower cost for a broad set of new IBM clients and partners... Read
24 Feb 12 - developerWorks - Informix Warehouse Accelerator: Continuous Acceleration during Data Refresh... Read
6 Feb 12 - PRLOG - Informix port delivers unlimited database scalability for popular SaaS application ... Read
2 Feb 12 - developerWorks - Loading data with the IBM Informix TimeSeries Plug-in for Data Studio... Read
1 Feb 12 - developerWorks - 100 Tech Tips, #47: Log-in to Fix Central... Read
13 Jan 12 - MC Press online - Informix Dynamic Server Entices New Users with Free Production Edition ... Read
11 Jan 12 - Computerworld - Ecologic Analytics and Landis+Gyr -- Suitors Decide to Tie the Knot... Read
9 Jan 12 - planetIDS.com - DNS impact on Informix / Impacto do DNS no Informix... Read
8 Sep 11 - TMCnet.com - IBM Offers Database Solution to Enable Smart Meter Data Capture... Read
1 Aug 11 - IBM Data Management Magazine - IIUG user view: Happy 10th anniversary to IBM and Informix... Read
8 Jul 11 - Database Trends and Applications - Managing Time Series Data with Informix... Read
31 May 11 - Smart Grid - The meter data management pitfall utilities are overlooking... Read
27 May 11 - IBM Data Management Magazine - IIUG user view: Big data, big time ( Series data, warehouse acceleration, and 4GLs )... Read
16 May 11 - Business Wire - HiT Software Announces DBMoto for Enterprise Integration, Adds Informix. Log-based Change Data Capture... Read
21 Mar 11 - Yahoo! Finance - IBM and Cable&Wireless Worldwide Announce UK Smart Energy Cloud... Read
14 Mar 11 - MarketWatch - Fuzzy Logix and IBM Unveil In-Database Analytics for IBM Informix... Read
11 Mar 11 - InvestorPlace - It's Time to Give IBM Props: How many tech stocks are up 53% since the dot-com boom?... Read
9 Mar 11 - DBTA - Database Administration and the Goal of Diminishing Downtime... Read
2 Feb 11 - DBTAs - Informix 11.7 Flexible Grid Provides a Different Way of Looking at Database Servers... Read
27 Jan 11 - exactsolutions - Exact to Add Informix Support to Database Replay, SQL Monitoring Solutions... Read
25 Jan 11 - PR Newswire - Bank of China in the UK Works With IBM to Become a Smarter, Greener Bank... Read
12 Oct 10 - Database Trends and Applications - Informix 11.7: The Beginning of the Next Decade of IBM Informix... Read
20 Sep 10 - planetIDS.com - ITG analyst paper: Cost/Benefit case for IBM Informix as compared to Microsoft SQL Server... Read
20 Jul 10 - IBM Announcements - IBM Informix Choice Edition V11.50 helps deploy low-cost scalable and reliable solutions for Apple Macintosh and Microsoft Windows... Read
20 Jul 10 - IBM Announcements - Software withdrawal: Elite Support for Informix Ultimate-C Edition... Read
24 May 10 - eWeek Europe - IBM Supplies Database Tech For EU Smart Grid... Read
23 May 10 - SiliconIndia - IBM's smart metering system allows wise use of energy... Read
21 May 10 - CNET - IBM to help people monitor energy use... Read
20 May 10 - ebiz - IBM Teams With Hildebrand To Bring Smart Metering To Homes Across Britain... Read
19 May 10 - The New Blog Times - Misurare il consumo energetico: DEHEMS è pronto... Read
19 May 10 - ZDNet - IBM software in your home? Pact enables five-city smart meter pilot in Europe... Read
17 March 10 - ZDNet (blog) David Morgenstern - TCO: New research finds Macs in the enterprise easier, cheaper to manage than... Read
17 March 2010 - Virtualization Review - ...key components of Big Blue's platform to the commercial cloud such as its WebSphere suite of application ser vers and its DB2 and Informix databases... Read
10 February 2010 - The Wall Street Journal - International Business Machines is expanding an initiative to win over students and professors on its products. How do they lure the college crowd?... Read

End of Support Dates
IDS 11.10 - 30 Sep 2012
Subscribe to notifications

IIUG on Facebook IIUG on Twitter

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum

Re: -272 when using role and synonym

Posted By: Fernando Nunes
Date: Wednesday, 11 February 2015, at 7:51 p.m.

In Response To: Re: -272 when using role and synonym (MARK COLLINS)

Good that it's solved.
As I mentioned the roles are local to the database. There was (at least in
the internal database) a feature request to implement something else
(instance roles probably, but I can't remember exactly).
My suggestion would be to establish the default role of those users in DB_1
to the role that you plan to use for the grants. The default role should
apply...
other than that, but I would need to test it, I can only think about using
sysdbopen() on DB_1 to establish the role. But I'm not sure if sysdbopen()
is triggered in a distributed query. And even if it is, you'd probably want
to establish a different role whether it was a "direct" connection or a
distributed connection and to be honest at this moment I don't know if
there's a way to distinguish between them.

Tell us if the default role is not an option. Default role was introduced
in V10 so you can use it in your version.

Regards.

On Thu, Feb 12, 2015 at 12:13 AM, MARK COLLINS <markc@myfastmail.com> wrote:

> Fernando,
>
> Sorry, there was a typo. The tables are in db_1, the synonyms are in db_2,
> the
> application (or my test case in dbaccess) is connecting to db_2, and
> trying to
> do a SELECT against the synonym.
>
> The role is defined in both db_1 and db_2, and the permissions on the
> tables
> in db_1 are set so that the role has SELECT permission (no other
> permissions).
> I ran a query joining systabauth to systables so that the tabname can be
> displayed along with the info from systabauth:
>
> grantor db_owner
> grantee user_app_role
> tabid 153
> tabauth s--------
> tabname abc
>
> grantor db_owner
> grantee user_app_role
> tabid 145
> tabauth s--------
> tabname xyz
>
> So, it is the situation that you described in your point 4. And that
> suggests
> that the problem is, as you stated, that the role from db_2 (where the
> connection is done) is not transferring to the db_1 database where the
> tables
> live.
>
> The only part that doesn't make sense is that I can do a SELECT against
> synonym abc, but when I try to do one against xyz, I get the -272 error.
> Neither of the tables in db_1 have any permissions granted to the user, yet
> the query against abc is successful and xyz is not.
>
> Ah - but abc has permissions granted to public (it should NOT, especially
> since it has more than just SELECT, but that's a different problem
> altogether). So, by granting SELECT to the user for both abc and xyz, I
> now am
> able to retrieve data from both.
>
> Thank you for pointing me in the correct direction.
>
> Even though I did not have to restart the instance to fix this issue, I do
> like your RFE, and will track it down and vote on it.
>
> So, as a follow-up question (or observation), this implies that there is no
> way to use roles for permissions on any synonym where the base table is in
> an
> external database. Is that correct? Or is there some way to work around
> that?
> The idea of having to grant explicit permissions on all of these tables to
> individual users, rather than to a single role, is not appealing.
>
> I'm sorry, but I think there's something strange in the scenario. Please
> see my comments below and clarify my doubts.
>
> On Wed, Feb 11, 2015 at 6:23 PM, MARK COLLINS <markc@myfastmail.com>
> wrote:
>
> > IDS 11.50.FC6, HP-UX 11.31 PA-RISC
> >
> > We have two databases, with a table in one db and some synonyms in the
> > other
> > db pointing to the tables in the first db. In other words, in DB_1 we
> have:
> >
> > create table abc (...);
> > create table xyz (...);
> >
>
> Tables are on DB_1. Ok
>
> >
> > and in DB_2 we have:
> >
> > create synonym abc for db_1:abc;
> > create synonym xyz for db_1:xyz;
> >
> >
> Synonym are in DB_2. Ok
>
> > Our application connects to DB_1 and then does a SET ROLE statement,
> > followed
> > by a SELECT statement. If we try 'SELECT * FROM abc', the query runs
> > successfully and returns data. If we try 'SELECT * FROM xyz', it returns
> > sqlcode -272 SELECT permission for xyz.
> >
>
> So you connect to the database where the roles are created, and you SELECT
> and it fails for one of the tables.
>
> >
> > I have confirmed that both of the tables (in DB_2) have SELECT privileges
> > granted to the role that is being used. Everything that I can think of to
> > compare these two tables, relative to security, looks the same.
> >
>
> Hmmmm... Now you seem to suggest tables are on DB_2. But above you
> described that they were in DB_1.
>
> >
> > I'm sure it's something simple that I've overlooked. Any help
> appreciated.
> >
> >
> Not necessarily, but:
>
> 1- We need confirmation that the tables are in DB_1, that you're connecting
> to DB_1 and doing the SELECTs there... And in that case why did you mention
> the synonyms in DB_2?
> 2- We would need the tables permissions. A copy/paste of the dbaccess
> showing that could be the best way, if they fit on one screen.
> 3- Did you try, or could you try to restart the instance? I have some idea
> about a cache issue and unfortunately we don't have a way to clear the
> caches (if you like the idea please find the RFE for that and vote). Table
> permissions AFAIK are kept in the dictionary cache...
> 4- If for some reason you mixed things and you're effectively connecting to
> DB_2 where the synonyms are created and you're doing the SELECT on the
> synonyms, the role would be irrelevant... ROLEs are a database object. They
> don't cross databases. If this is your scenario, you may want to check
> which default role the user has on the remote database and if that role has
> SELECT permissions on the both tables or just the one that works... or if
> there are specific permissions on the table that works to the user itself.
>
> Regards.
>
>
>
> *******************************************************************************
> Forum Note: Use "Reply" to post a response in the discussion forum.
>
>

--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...

--001a1138ea24e3a72f050ed985be

Messages In This Thread

[ View Thread ] [ Post Response ] [ Return to Index ] [ Read Prev Msg ] [ Read Next Msg ]

IDS Forum is maintained by Administrator with WebBBS 5.12.