 |
|
SQL Product Highlight
Idera - SQL safe backup
SQL Server backup compression with network fault tolerance and zero impact encryption
- Fast, compressed & encrypted SQL backup and restore
- SQL Server backup compression of 95%
- At least 50% faster than native SQL backups
Learn more!
Giving and removing permissions in SQL Server
|
By: Greg Robidoux | Read Comments (8) | Related Tips: More > Security |
Problem
Often times when auditing SQL Servers I notice that most environments use the default database roles to grant access to users. These default roles such as db_owner, db_datareader and db_datawriter are great, but often times they give the users a lot more access then they really need. Giving permissions and removing permissions is not that hard to do within SQL Server, it just takes some time to determine what permissions should be applied.
Solution
SQL Server offers three pretty simple commands to give and remove access, these commands are:
- GRANT - gives a user permission to perform certain tasks on database objects
- DENY - denies any access to a user to perform certain tasks on database objects
- REVOKE - removes a grant or deny permission from a user on certain database objects
Here are some examples of these commands.
Allow users Joe and Mary to SELECT, INSERT and UPDATE data in table Customers
GRANT INSERT, UPDATE, SELECT ON Customers TO Joe, Mary
Revoke UPDATE access to table Customers for user Joe
REVOKE UPDATE ON Customers to Joe
DENY DELETE access to table Customers for user Joe and Mary
DENY DELETE ON Customers to Joe, Mary
As you can see from the above examples it is pretty easy to grant, deny and revoke access. In addition to grant SELECT, INSERT, DELETE and UPDATE rights you can also grant EXECUTE rights to run a stored procedure as follows:
GRANT EXEC ON uspInsertCustomers TO Joe
To determine what rights have been granted in a database use the sp_helprotect stored procedure.
In addition to granting rights to objects that you create you can also grant users permissions to do other tasks such as create tables, views, stored procedures, etc... To grant a user permissions to create a table you would run this command.
GRANT CREATE TABLE TO Joe
As you can see granting rights and permissions to certain features is not all that difficult to do. Take the time to understand what permissions are really needed by the database users and grant, deny and revoke accordingly instead of just using the default database roles.
Next Steps
- Take a look at this tip on how to determine what permissions have been granted Auditing your SQL Server database and server permissions
- Take a look at these commands for other examples
Last Update: 12/19/2006
About the author
PrintComments and Feedback:
| Thursday, September 27, 2012 - 12:21:47 PM - Susan Pace | Read The Tip |
|
Greg,
I have read alot of article and searched but I am having a hard time find exactly what I am looking for. Instead of using Windows accounts we are using SQL accounts. Each user has an account and our application has an account. I have techsupport who know how to write SQL statements and sometime just goes and open tables up to correct data or insert data and I want to stop this kind of practice. We have created proc for them to do these kind of update or insert instatements using parameters. They have been granted execute to the schema dbo but when they try to execute the proc they get an error Update permissions was denied on the object XXX,database XXX, Schema 'dbo' . I do not want to give the db_datawriter because that defeats the purpose. I am at a loss. Any suggestions?
Sincerely,
Susan Pace |
|
| Thursday, September 27, 2012 - 12:35:16 PM - Greg Robidoux | Read The Tip |
|
This should work by creating the stored procedure and granting them EXEC on the stored procedure. You shouldn't need to give them direct access to the tables. Is it possible to share the code you are using? |
|
| Thursday, September 27, 2012 - 1:18:59 PM - Susan Pace | Read The Tip |
|
SET STATISTICS IO OFF DECLARE @UserString VARCHAR(8000)
-- Change this section per user
IF @Environment = 'DEVELOPMENT' AND @Instance = 1 IF @Environment = 'DEVELOPMENT' AND @Instance = 2 SET @DefaultDatabase = 'master' /*Grant View Definition to user*/ IF @DatabaseRole IN ('QA','BA') IF @DatabaseRole = 'Superuser'
END CATCH ;WITH Substr(num, firstchar, lastchar) AS (
DECLARE @NumUsers int SET @NumUsers = (SELECT MAX(num) FROM #Users) WHILE @UserIter <= @NumUsers
PRINT (@SQL) WHILE @RoleIter <= @NumRoles SET @RoleName = (SELECT RoleName FROM #Roles WHERE num = @RoleIter) -- Must remove brackets for addrolemember procedure SET @RoleUserName = REPLACE(REPLACE(@UserName, '[', ''), ']', '') SET @RoleIter = @RoleIter + 1
|
|
| Thursday, September 27, 2012 - 3:59:43 PM - Greg Robidoux | Read The Tip |
|
Susan - is the above code the code that gives the user this error: Update permissions was denied on the object XXX,database XXX, Schema 'dbo' or is there another set of code that gives them the error?
|
|
| Thursday, September 27, 2012 - 4:35:21 PM - Susan Pace | Read The Tip |
|
USE [RobotSQL]
-- =============================================
|
|
| Friday, September 28, 2012 - 4:28:14 PM - Greg Robidoux | Read The Tip |
|
Hi Susan, the issue you are having is related to having the stored procedure in one database and having it update tables in another database. The simple solution would be to create the stored procedure in the same database and GRANT EXEC permissions on that stored procedure for the users that need to run the stored procedure.
If you are unable to do that the other option is to enable database chaining for both of the databases. This can be done with this command that needs to be run in both databases. You will need to change DBName for the actual names of the databases. EXEC sp_dboption 'DBName', 'db_chaining', 'true'; You can read more about this in this tip: http://www.mssqltips.com/sqlservertip/1782/understanding-cross-database-ownership-chaining-in-sql-server/ |
|
| Thursday, December 06, 2012 - 4:23:08 AM - Dineshbabu | Read The Tip |
|
I have created procedure as below CREATE PROC pmsuser.Test124 --both schema name and user name is PMSUSER Then i have denied update permission for pmsuser --user
DENY
UPDATEONOBJECT::DBO.Table1 TO PMSUSEReventhough i'm getting the below error Msg 229, Level 14, State 5, Procedure test124, Line 4 |
|
| Monday, May 06, 2013 - 2:12:55 PM - mohan | Read The Tip |
|
when i run insert,update or delete a query in a trigger in which i used linked server in sql server 2005, i m getting an error which is mentioned below OLE DB provider "SQLNCLI" for linked server "218" returned message "No transaction is active.". Msg 7391, Level 16, State 2, Procedure a1_Insert, Line 7 The operation could not be performed because OLE DB provider "SQLNCLI" for linked server "218" was unable to begin a distributed transaction. i have checked with the MSDTC options, hope every options where given correctly. Please guide me to rectify this error. |
|
|
privacy | disclaimer | copyright | advertise | about authors | contribute | feedback | giveaways | user groups Some names and products listed are the registered trademarks of their respective owners. Edgewood Solutions LLC | MSSharePointTips.com | MSSQLTips.com |