I'm an accidental DBA in a small company that doesn't have a dedicated DBA.
I need to set up a read-only login/user for SQL Server 2008 database using SQL Server authentication that could be used by power users to run some ad-hoc queries/reports.
I found many posts and articles describing setting up a read-only user, for example:
How to grant users read-only access to all databases
I tried to follow these guides and made sure that the login in question is a member of only db_datareader and public roles, but I still can make changes to the data when I'm logged in as this "read-only" user.
For example, I can run this query in SSMS
UPDATE [dbo].[SoftwareRunLogs]
SET [RunDateTime] = '2010-10-29 13:31:06.133'
WHERE ID = 1
and it updates the row in a table:
(1 row(s) affected)
I expect such query to fail.
When I try to run a CREATE TABLE statement, it fails with the message CREATE TABLE permission denied in database ... I expect UPDATE, INSERT and DELETE statements to fail in a similar way, but it doesn't happen.
Maybe I inadvertently gave write permissions to that user, but I don't know how to check and where to look. I must have missed something trivial.
Any ideas?
There is a server login called ReadOnlyUser and here are its properties:
In the database there is a user called ReadOnlyUser and here are its properties:
Best Answer
I was looking through all items in
Securitynodes in SSMS and it seems that somehow the properties of thepublicdatabase role have been changed. They looked like this:I don't really know how they should look like normally, but clearing the
Delete,Insert,Updatecheckboxes seems to do the trick.The immediate problem is solved now and I'll have to read more about the
publicrole and what settings it should have.