Solved: Every user can see every role

drumcircle
Rising Star

Users can see more senior or different roles than they have been granted.

You can see this plainly in the demo accounts. Is this a feature or a bug?

12 REPLIES

wunderdata
SQL-Fighter

I have to agree that this can totally not be the desired way to function. Huge privacy issue in multi-tenant environments. It was fixed for schema visibility in 6.2.x, but not for users / connections. I can't think of any reason why those would be handled differently. I also can't think of any other DBS in the world handling the visibility that way.

wunderdata
SQL-Fighter

Already existing users need to be granted rights to execute that script, or they can't introspect objects at all anymore.

PeterK
Xpert

We do multi-tenancy and this object visibility behaviour is a pain for us too.  Obfuscating the object names would have made the system too hard to manage so we had to go with the preprocessor-script approach too. Our script blocks all EXA_* tables except for a few.

Caveats:

1) Depending on how much filtering you are doing (and how you are doing it) the script adds overhead to each statement. This can make a difference when the user is sending lots of small statements. 

2) Important:  Any user can disable that preprocessor script in their own session by setting the equivalent session parameter to null. That would allow them to see the objects again. So it's only security through obscurity.

We had to add some automated monitoring of the sql audit logs to detect cases of #2 so that we're at least aware. 

We also use #2 to work around #1 in the case of DBAs, i.e. if the script detects that the current user is a DBA then it disables the preprocessor script within that session so that subsequent statements don't keep re-checking.

It would be great if Exasol supported this natively.

You can add your vote for the idea here: https://community.exasol.com/t5/ideas/add-grant-role-view-access-and-user-view-access-migrated/idi-p...
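As an added example (not code from this thread or from Exasol), a small Python check in the spirit of the audit-log monitoring PeterK describes for caveat #2: it scans audit rows shaped like EXA_DBA_AUDIT_SQL for non-DBA sessions that switch the preprocessor off, and skips DBA users because the script deliberately disables it for them. The audit column names, the SQL_PREPROCESSOR_SCRIPT parameter name, and the sample rows are assumptions / constructed data.

```python
import re

# Statement that turns the session preprocessor off. The parameter name and the
# audit column names below are assumptions about Exasol, not taken from the thread.
# Setting it to NULL or to '' is treated as equivalent here (assumption).
_DISABLE_RE = re.compile(
    r"^ALTER SESSION SET SQL_PREPROCESSOR_SCRIPT\s*=\s*(NULL|'')\s*;?$",
    re.IGNORECASE,
)


def normalize_sql(sql: str) -> str:
    """Drop /* */ and -- comments and collapse whitespace, so that trivial
    reformatting of the statement does not hide it from the pattern."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"--[^\n]*", " ", sql)
    return re.sub(r"\s+", " ", sql).strip()


def disables_preprocessor(sql_text: str) -> bool:
    """True if the statement resets the session preprocessor script."""
    return _DISABLE_RE.match(normalize_sql(sql_text)) is not None


def find_bypass_events(audit_rows, dba_users):
    """Return (session_id, user_name, start_time) for every audited statement
    in which a non-DBA user disabled the preprocessor in their own session."""
    dba = {u.upper() for u in dba_users}
    return [
        (row["SESSION_ID"], row["USER_NAME"], row["START_TIME"])
        for row in audit_rows
        if row["USER_NAME"].upper() not in dba
        and disables_preprocessor(row["SQL_TEXT"])
    ]


# Constructed sample rows in the (assumed) shape of EXA_DBA_AUDIT_SQL.
SAMPLE_AUDIT_ROWS = [
    {"SESSION_ID": 1001, "USER_NAME": "TENANT_A", "START_TIME": "2020-07-30 10:01:02",
     "SQL_TEXT": "SELECT * FROM EXA_ALL_USERS"},
    {"SESSION_ID": 1001, "USER_NAME": "TENANT_A", "START_TIME": "2020-07-30 10:01:10",
     "SQL_TEXT": "alter session set sql_preprocessor_script = null;"},
    {"SESSION_ID": 1002, "USER_NAME": "TENANT_B", "START_TIME": "2020-07-30 10:02:00",
     "SQL_TEXT": "ALTER SESSION SET /* reset */\n  SQL_PREPROCESSOR_SCRIPT=''"},
    {"SESSION_ID": 1003, "USER_NAME": "SYS", "START_TIME": "2020-07-30 10:03:00",
     "SQL_TEXT": "ALTER SESSION SET SQL_PREPROCESSOR_SCRIPT = NULL"},
    {"SESSION_ID": 1004, "USER_NAME": "TENANT_C", "START_TIME": "2020-07-30 10:04:00",
     "SQL_TEXT": "ALTER SESSION SET SQL_PREPROCESSOR_SCRIPT = 'ADMIN.FILTER_META'"},
]

if __name__ == "__main__":
    for sid, user, ts in find_bypass_events(SAMPLE_AUDIT_ROWS, dba_users=["SYS"]):
        print(f"preprocessor disabled in session {sid} by {user} at {ts}")
```

In practice the rows would come from a scheduled query against the audit table rather than an inline list, and a hit should also be correlated with what the session queried afterwards.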