SQL Server – Allowing User to Grant Certain Permissions to Others

access-controlpermissionsrolesql serversql server 2014

I have tried googling this but may well be using the wrong terms… permissions and the like aren't my strong point.

What I want to do is first create a role – eg 'Snr_Analyst' – with certain permissions to read everything, and alter particular schemas in a database. That bit I can do.

I also want that role to be able to grant read permissions on everything in that database to any other user, but not to grant any higher permissions.

Is this possible?

I'm currently using SQL Server 2014.

Best Answer

you can use GRANT ... WITH GRANT OPTION.

https://docs.microsoft.com/en-us/sql/t-sql/statements/grant-transact-sql?view=sql-server-ver15

this option specifies that the security principal receiving the permission is given the ability to grant the specified permission to other security accounts.

Related Solutions

Sql-server – Schemas and user permissions

It could be as simple as:

GRANT SELECT ON SCHEMA::[sitename] TO [user];

If there are procedures and functions you will also need:

GRANT EXECUTE ON SCHEMA::[sitename] TO [user];

The full list of permissions applicable at the schema level is listed in the documentation:

GRANT Schema Permissions (Transact-SQL)

You can also set the default schema for any user, which may be helpful in some scenarios (for example, if they create tables without explicitly specifying the sitename schema):

ALTER USER [user] WITH DEFAULT_SCHEMA = [sitename];

Note that DENY overrides GRANT (and also overrides role membership rights, including db_owner), so check to be sure someone hasn't inadvertently blocked access to the schema(s). You can start your investigation if you find any rows here:

SELECT * FROM sys.database_permissions
  WHERE class_desc = N'SCHEMA' AND [state] = 'D';

Note that permissions can apply to a user indirectly (e.g. through AD group membership or database roles), so make sure you follow the bread crumbs for any database principal with a relevant DENY...

SQL Server Permissions – Granting Permissions to an Entire Schema vs. Object

You can GRANT schema permissions that are effective for everything existing and everything that will exist in that schema.

Grant Schema Permissions

GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA :: <schema> TO <user>;

Further to that, if you want to then deny permissions on a certain object within that schema, you can do.

Denying Object Permissions

DENY INSERT ON OBJECT::<schema>.<object> TO <user>;

Best Answer

Related Solutions

Sql-server – Schemas and user permissions

SQL Server Permissions – Granting Permissions to an Entire Schema vs. Object

Related Question