I have created a schema in SQL Azure and granted the following permissions to a database role:
CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, CONTROL, DELETE, EXECUTE, INSERT, REFERENCES, SELECT, UPDATE, VIEW
DEFINITION ON SCHEMA::myschema TO myrole;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;
Through the above defined permissions myuser
can create/drop his own schema, so to overcome the problem I tried the ALTER ANY SCHEMA permission. But this permission also denies the user to create/drop tables.
What permissions are required in order to allow the user to do anything within his own schema but not be able to create or drop the schema itself?
Best Answer
There is no need to grant
CONTROL
on the schema.The permission required to
DROP SCHEMA
is eitherCONTROL
on the schema orALTER ANY SCHEMA
at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course).The required permission to
CREATE
ALTER
andDROP
other objects is theCREATE
permission for the object type (table\procedure\function\view) combined withALTER
permission on the schema.You already have these permissions in your script, so all that you have to do is remove the
CONTROL
permission. For reference, here is a BOL list ofDDL
statements where You can find the required permission for all object types.For the lazy, here is your code after removing the unnecessary permission: