I am working on a DB where almost every technical user has full read / write permissions on all tables. We are working towards removing permissions, gradually, from certain users, and I had hoped that implementation of some new code on a new schema would be able to be strictly implemented from day 1.
However, I have realised today that most of our users have been granted db_datareader and db_datawriter role membership, which means that they all have access to this new schema by default. Therefore, I want to find a way forward that gets this schema secure without creating a load of additional work.
My idea is:
- Create a new 'generalReader' role which has SELECT privilege on our huge dbo schema, and a couple of other schema we have (but are not being changed right now);
- Create a new 'generalWriter' role with UPDATE, INSERT, DELETE privileges on the dbo and existing schema;
- Drop the db_* roles from users, and replace them with the new generalReader and generalWriter roles;
- Add new roles to control access to the new schema – I think most people could be allowed to SELECT from it, where only a few should be granted INSERT privileges. (e.g. I would create an LoanAccountReader and LoanAccountInserter roles)
Does this sound like a broadly appropriate plan to move forward – or am I missing some tricks or some security issues?
Before coming up with the above, I did some experimentation with roles and could create roles DENYing write access (that overrides the database writer role), but could not then re-enable that permission with a 'writer' role.
Best Answer
This sounds like a reasonable plan
DENY is tricky to get right and may not work anyway See:
Just in case you missed it, You can GRANT .. SCHEMA so you don't have to GRANT per object: