Completed

Not Granting rights to the role Public

Related products: Software Factory, Intelligent Application Manager

When a new release is created, the SQL scripts contain statements like

‘grant … on … to public’

The role public is part of every user who can make a connection with the database. This results in the effect that I’m not able to give developers rights to look into production databases, because if I give these rights, they are also able to mutate the content of the database.

In my configuration only the applicationpooluser of indicium/indicium universal/webgui needs rights to the database.

 

So, my request is not to grant rights to the role public, but to a rolename defined by myself. This gives me the ability to create a difference between the rights of the applicationpooluser and any other users I want to give access to the database.


6 replies

Mark Jongeling
Administrator
Updated idea status: New → Open

Arie V
Community Manager
  • October 28, 2021

To add to the idea: shouldn't the whole concept of granting permissions be dropped from the SF when using Indicium? The Pool User is db_owner as per the Thinkwise documentation, so I don't see a reason to explicitly grant additional rights as part of deployments.

  • Current behavior is unnecessarily risky from a least-privileged access perspective
  • Current behavior of granting additional permissions to public is not in line with security best practice recommendations
  • Current behavior basically makes it impossible to grant read-only rights to a Thinkwise database

I understand that the current behavior might still be useful for clients who don't use Indicium as service layer (yet), but could we in the meantime please have a way to turn this behavior OFF by Default (i.e. introduce a setting in the SF ASAP)?


Arie V
Community Manager
  • January 24, 2022

FYI: we fixed this ourselves by adding a MANUAL stored procedure.


Mark Jongeling
Administrator
Updated idea status: Open → Next release

Mark Jongeling
Administrator

A new tag has been introduced to modify whether a grant .. on .. public will be added at the end of procedures such as creating tables or stored procedures. This line affects database authorization for functionality and upgrades.

When you add the tag NO_GRANT_TO_PUBLIC to a specific project, this line will no longer be added to any procedure within the context of the project. Note that you need to generate the project's definition after adding the tag.

You can add the tag to the Software Factory's Advanced menu > Projects > tab Project tags. If added here, it will be applied to your entire project.

New project tag: NO_GRANT_TO_PUBLIC
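
An audit of what the public role can actually do in a deployed database, useful before and after switching on the tag. This is an added example, not part of the original posts and not Thinkwise code; it assumes SQL Server (the thread refers to db_owner), and the role name `app_pool_role` is a hypothetical placeholder for a role you define yourself.

```sql
-- Added example. Run in the application database with a login that can
-- view database permissions. Nothing here changes the database: part 2
-- only prints statements for review.

-- Part 1: every object-level permission currently held by public.
SELECT
    s.name            AS schema_name,
    o.name            AS object_name,
    o.type_desc       AS object_type,
    p.permission_name,
    p.state_desc,
    p.minor_id        AS column_id        -- 0 = whole object
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.objects              AS o ON o.object_id    = p.major_id
JOIN sys.schemas              AS s ON s.schema_id    = o.schema_id
WHERE g.name = N'public'
  AND p.class = 1                         -- object or column permissions
  AND p.state IN ('G', 'W')               -- GRANT / GRANT WITH GRANT OPTION
  AND o.is_ms_shipped = 0                 -- ignore system objects
ORDER BY s.name, o.name, p.permission_name;

-- Part 2: generate (not execute) statements that move whole-object grants
-- from public to a self-defined role. [app_pool_role] is an assumed name.
-- COLLATE avoids a collation conflict between catalog columns.
SELECT
    N'GRANT ' + p.permission_name COLLATE DATABASE_DEFAULT
      + N' ON OBJECT::' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
      + N' TO [app_pool_role];'           AS grant_to_role,
    N'REVOKE ' + p.permission_name COLLATE DATABASE_DEFAULT
      + N' ON OBJECT::' + QUOTENAME(s.name) + N'.' + QUOTENAME(o.name)
      + N' FROM public;'                  AS revoke_from_public
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.objects              AS o ON o.object_id    = p.major_id
JOIN sys.schemas              AS s ON s.schema_id    = o.schema_id
WHERE g.name = N'public'
  AND p.class = 1
  AND p.minor_id = 0                      -- skip column-level grants
  AND p.state = 'G'                       -- plain GRANT only
  AND o.is_ms_shipped = 0
ORDER BY s.name, o.name, p.permission_name;
```

An empty result from part 1 means public holds no object permissions on user objects, so a developer account can be given read-only access through its own role without inheriting write access.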

 

 


Jeroen van den Belt
Administrator
Updated idea status: Next release → Completed
