I'm not sure if this functionality falls under the existing roadmap feature "Access rights: finer grained access control (grant access for specific functions)". The use case is as follows:
H2 is running as a database server (in TCP client/server mode). The server hosts multiple databases, with one database for each User. These databases are used for caching data during data integration processes; table structures change frequently. For security & performance management reasons individual User accounts are not administrators of their own databases (e.g. Users are not able to execute H2 file based functions such as FILE_READ on the TCP server). Certain features of the application that is using the H2 database require the ability to create new database schemas on demand. As a result of the way the data integration process works the application runs under the User account (i.e. can't run just the CREATE SCHEMA logic under a different H2 admin user account). Periodically, Users also manually DROP or RENAME schemas that are no longer required. Hence I've named the right "ALTER ANY SCHEMA" (an MS SQL Server syntax that I've never used) rather than three rights "CREATE SCHEMA", "DROP SCHEMA", "MODIFY SCHEMA". I'm just as happy to use these three rights if that would be more appropriate. So - to that end - I'd like to be able to delegate CREATE/DROP/MODIFY SCHEMA commands for execution by non-admin users:

1. Is this a reasonable enhancement request?
2. Is the syntax "GRANT ALTER ANY SCHEMA TO <user>" compatible with future objectives of H2?
3. In case I find the time to write this patch, is the correct approach to define a new H2 right (or 3 if I make each right independent) and then check for this right/these rights in the DDL classes CreateSchema, DropSchema, AlterSchema? From what I can see the current H2 right checks refer to specific tables (e.g. User.hasRight(Table table, int rightMask)) - so should this be extended to support database level right checks? Or should such checks be implemented elsewhere?

I am aware that this is only half of the solution, as in order to make use of newly created schemas Users also require the future H2 roadmapped feature "GRANT ALL ON * TO <user>". As this is my first post to the forum I'd like to thank all involved in developing this great product.

To view this discussion on the web visit https://groups.google.com/d/msg/h2-database/-/_0HBdy-8aBoJ.
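The privilege boundary the post relies on (a non-admin H2 user being refused CREATE SCHEMA and the file functions such as FILE_READ) can be verified with a small JDBC check. This is an added example, not code from the post or from the H2 project; it assumes an embedded in-memory database instead of the TCP server, a hypothetical non-admin user "alice" and a constructed schema name.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class SchemaRightCheck {
    // Assumption: an embedded in-memory database stands in for the TCP server from the post.
    static final String URL = "jdbc:h2:mem:rightcheck;DB_CLOSE_DELAY=-1";

    // Runs one statement as the given user and reports whether H2 refused it.
    // Returns true when the statement was denied (SQLException), false when it succeeded.
    static boolean deniedFor(String user, String password, String sql) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL, user, password);
             Statement st = c.createStatement()) {
            st.execute(sql);
            return false;
        } catch (SQLException e) {
            // Any SQLException here is treated as a refusal; the error text is printed
            // so an operator can confirm it is the admin-rights check and not a syntax issue.
            System.out.println("denied for " + user + ": " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws SQLException {
        // Bootstrap as the default admin user and create a non-admin user (no ADMIN keyword).
        try (Connection admin = DriverManager.getConnection(URL, "sa", "");
             Statement st = admin.createStatement()) {
            st.execute("CREATE USER IF NOT EXISTS alice PASSWORD 'alice-pw'");
        }

        // Expected with current H2 behaviour: both statements are refused for the non-admin user,
        // which is exactly the limitation the enhancement request wants to relax for schemas only.
        boolean schemaDenied = deniedFor("alice", "alice-pw", "CREATE SCHEMA cache_alice");
        boolean fileReadDenied = deniedFor("alice", "alice-pw",
                "CALL FILE_READ('/etc/hostname')");

        System.out.println("CREATE SCHEMA denied for non-admin: " + schemaDenied);
        System.out.println("FILE_READ denied for non-admin:     " + fileReadDenied);

        // Sanity check: the same schema statement succeeds for the admin user.
        System.out.println("CREATE SCHEMA denied for admin:     "
                + deniedFor("sa", "", "CREATE SCHEMA cache_sa"));
    }
}
```

Rerunning this check after any patch that introduces a schema-level right confirms that FILE_READ and the other admin-only functions stay refused for the user while only the schema DDL becomes permitted.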
