Checking User Permissions
Separation of Permissions
- This check item is displayed only when the target database type is GaussDB, separation of permissions is enabled, and the migration user is granted the sysadmin permission.
- If the permission model is switched repeatedly, a sysadmin user still has the security administrator (CREATEROLE) and audit administrator permissions after separation of permissions is enabled. If you need to switch the model from non-separation of permissions to separation of permissions, review the permissions of existing users and tailor some permissions as needed.
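One way to carry out the review mentioned above, as an added example that is not part of the original documentation. It assumes the target GaussDB exposes the rolsystemadmin, rolcreaterole, and rolauditadmin columns in pg_roles and that you run it as a user allowed to read role attributes.

```sql
-- Added example, not part of the UGO documentation.
-- Lists sysadmin roles that also hold the security administrator (CREATEROLE)
-- or audit administrator attribute, that is, the combination that survives
-- a switch to separation of permissions.
SELECT rolname,
       rolsystemadmin AS is_sysadmin,
       rolcreaterole  AS is_security_admin,
       rolauditadmin  AS is_audit_admin
FROM pg_roles
WHERE rolsystemadmin
  AND (rolcreaterole OR rolauditadmin)
ORDER BY rolname;

-- To tailor a role found above, remove the attributes it should no longer hold
-- (placeholder follows the page's <user> convention):
--   ALTER USER <user> NOCREATEROLE NOAUDITADMIN;
```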
Sysadmin Permission
This check item is only displayed when the target database type is GaussDB, separation of permissions is disabled, and the migration user is granted the sysadmin permission. The check result must be Success.
Permission of Creating Schemas
This check item is displayed when the target database type is GaussDB and the migration user is granted the sysadmin permission. It is used to check whether the migration user has the permission to create schemas in the target database. Database objects must be created in schemas.
GRANT CREATE ON DATABASE <db_name> TO <user>;
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
This check item is mandatory.
Permissions of Creating and Modifying Users and Roles
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and the USER, ROLE, and GRANT objects are migrated. It is used to check whether the migration user has the permissions to create or modify users and roles in the target DB instance.
ALTER USER <user> WITH CREATEROLE;
- When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
- This check item is mandatory.
Permission of Creating Objects Using PUBLIC SCHEMA
This check item is displayed when the target database type is GaussDB and the migration user is a common or sysadmin user (separation of permissions enabled). This check item involves a complex combination of permissions.
In GaussDB V2.0-2.7 and earlier versions, the CREATE permission on public schemas is required to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
In GaussDB V2.0-3.1 and later versions, a sysadmin user (used when separation of permissions is enabled) must have the CREATE permission on public schemas to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
In GaussDB V2.0-3.1 and later versions, a common user must have the CREATE permission on public schemas and the ANY permissions on objects to create objects such as tables, views, indexes, sequences, packages, types, and triggers.
When separation of permissions is enabled, only initial users have the permissions to create functions, stored procedures, and synonyms on public schemas.
When separation of permissions is disabled, initial and sysadmin users have the permissions to create functions, stored procedures, and synonyms on public schemas.
CREATE permissions:
GRANT CREATE ON SCHEMA public TO <user>;
ANY permissions:
GRANT CREATE ANY TABLE TO <user>; -- Users can create tables or views in public and user schemas.
GRANT CREATE ANY SEQUENCE TO <user>; -- Users can create sequences in public and user schemas.
GRANT CREATE ANY INDEX TO <user>; -- Users can create indexes in public and user schemas.
GRANT CREATE ANY PACKAGE TO <user>; -- Users can create packages in public and user schemas.
GRANT CREATE ANY TYPE TO <user>; -- Users can create types in public and user schemas.
GRANT CREATE ANY TRIGGER TO <user>; -- Users can create triggers in public and user schemas.
- A DB instance contains multiple databases. Each database has its own public schema. Permission assignment must be performed in the corresponding database.
- When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
- This check item is not mandatory. Based on the GaussDB permission design, the check result is always Warning.
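A read-only way to confirm the schema-creation, CREATEROLE, public schema, and ANY grants described above before running the permission check, as an added example that is not part of the original documentation. The user name ugo_mig is hypothetical, and the queries assume the target GaussDB provides the PostgreSQL-style privilege inquiry functions and, in versions that support ANY permissions, the gs_db_privilege catalog.

```sql
-- Added example, not part of the UGO documentation.
-- 'ugo_mig' is a hypothetical migration user name; substitute your own.
-- Connect to the target database first: public-schema and ANY grants are per database.

-- 1. Role attributes: sysadmin decides which check items apply,
--    CREATEROLE is needed when USER, ROLE, and GRANT objects are migrated.
SELECT rolname, rolsystemadmin, rolcreaterole
FROM pg_roles
WHERE rolname = 'ugo_mig';

-- 2. CREATE on the current database (schema creation) and on its public schema.
SELECT current_database() AS db_name,
       has_database_privilege('ugo_mig', current_database(), 'CREATE') AS can_create_schema,
       has_schema_privilege('ugo_mig', 'public', 'CREATE')            AS can_create_in_public;

-- 3. ANY permissions from the list above that the user does not hold yet.
--    Assumes the gs_db_privilege catalog (roleid, privilege_type, admin_option)
--    is present in the target version.
SELECT w.privilege_type AS missing_any_permission
FROM (VALUES ('create any table'),
             ('create any sequence'),
             ('create any index'),
             ('create any package'),
             ('create any type'),
             ('create any trigger')) AS w(privilege_type)
WHERE NOT EXISTS (
        SELECT 1
        FROM gs_db_privilege p
        JOIN pg_roles r ON r.oid = p.roleid
        WHERE r.rolname = 'ugo_mig'
          AND lower(p.privilege_type) = w.privilege_type)
ORDER BY w.privilege_type;
```

An empty result from the third query means all six ANY permissions are present; any rows returned name the grants still to be issued in this database.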
Permissions of Existing Schemas
This check item is displayed when the target database type is GaussDB and the migration user is a common or sysadmin user (separation of permissions enabled).
It is used to check whether the migration user has the permissions to grant the owner of the existing schemas to the migration user.
GRANT <schema_owner> TO <user>;
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user or the schema owner is used to grant permissions.
If the migration user does not have sufficient permissions, the schema owner cannot be queried.
Granting Tablespace Permissions
This check item is only displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated.
Statements:
GRANT <privilege> ON TABLESPACE <tablespace_name> TO <user>;
GRANT <privilege> ON TABLESPACE <tablespace_name> TO <user> WITH GRANT OPTION;
If WITH GRANT OPTION is specified, a grantee can grant this permission to others.
Permissions include CREATE, ALTER, DROP, COMMENT, CREATE WITH GRANT OPTION, ALTER WITH GRANT OPTION, DROP WITH GRANT OPTION and COMMENT WITH GRANT OPTION.
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
Granting Database Permissions
This check item is only displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated.
Statements:
GRANT <privilege> ON DATABASE <db_name> TO <user>;
GRANT <privilege> ON DATABASE <db_name> TO <user> WITH GRANT OPTION;
If WITH GRANT OPTION is specified, a grantee can grant this permission to others.
Permissions include CREATE, CONNECT, TEMPORARY, ALTER, DROP, COMMENT, CREATE WITH GRANT OPTION, CONNECT WITH GRANT OPTION, ALTER WITH GRANT OPTION, TEMPORARY WITH GRANT OPTION, DROP WITH GRANT OPTION and COMMENT WITH GRANT OPTION.
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
Granting ANY Permissions
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant ANY permissions on the target database to other users.
GRANT <privilege> TO <user> WITH ADMIN OPTION;
If WITH ADMIN OPTION is specified, the grantee can grant the permission to other roles or users.
Permissions include CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE, SELECT ANY TABLE, UPDATE ANY TABLE, INSERT ANY TABLE, DELETE ANY TABLE, CREATE ANY SEQUENCE, ALTER ANY SEQUENCE, DROP ANY SEQUENCE, SELECT ANY SEQUENCE, CREATE ANY INDEX, ALTER ANY INDEX, DROP ANY INDEX, CREATE ANY FUNCTION, EXECUTE ANY FUNCTION, CREATE ANY PACKAGE, EXECUTE ANY PACKAGE, CREATE ANY TYPE, ALTER ANY TYPE, DROP ANY TYPE, CREATE ANY SYNONYM, DROP ANY SYNONYM, CREATE ANY TRIGGER, ALTER ANY TRIGGER and DROP ANY TRIGGER.
A DB instance contains multiple databases. The ANY permissions are bound to databases. You need to grant the ANY permissions in the corresponding database.
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
Granting Permissions on the pg_catalog Schema
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant the query permission on all tables in the pg_catalog schema in the target database to other users.
GRANT <privilege> TO <user> WITH ADMIN OPTION;
A DB instance contains multiple databases. Each database has its own pg_catalog schema. Permission assignment must be performed in the corresponding database.
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
Granting the Database Link Permission
This check item is displayed when the target database type is GaussDB, the migration user is not granted the sysadmin permission, and GRANT objects are migrated. It checks whether the migration user can grant the permission on creating database connections in the target database to other users.
GRANT CREATE PUBLIC DATABASE LINK TO <user> WITH GRANT OPTION;
A DB instance contains multiple databases. You need to grant permissions in the corresponding database.
When separation of permissions is enabled, the initial user is used to grant permissions. When separation of permissions is disabled, a SYSADMIN user is used to grant permissions.
Granting Permissions to Check Role and User Authorization
If a sysadmin user is created after separation of permissions is disabled, you can execute migration tasks as the user.