There are several Active Directory user groups in my SQL Server database environment. I changed the users' permissions on all databases on the server. Several users wanted me to give them the update permission back. I used a command like this:
Grant Update To [DomainGroup\User]
But this did not work. Now no-one can update except me. How can I resolve this?
Here is the result of the query;
principal_id sid name type usage
35 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A43140000 NETONE\ibrahim.tackin WINDOWS LOGIN GRANT OR DENY
0 0x01050000000000090400000083741B006749C04BA943C02702F2A762 public ROLE GRANT OR DENY
5 0x010500000000000904000000FD051D9B2622FA4790703C7DB2C405A8 db_executor ROLE GRANT OR DENY
6 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3AF2380000 NETONE\sql-ict-ad-rms WINDOWS GROUP GRANT OR DENY
7 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A5B2B0000 NETONE\sql-ict-ad-rms-mod WINDOWS GROUP GRANT OR DENY
28 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A292C0000 NETONE\SQLDDL WINDOWS GROUP GRANT OR DENY
32 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A352A0000 NETONE\SQLQRY WINDOWS GROUP GRANT OR DENY
33 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A5C410000 NETONE\SQLGelir-guvence WINDOWS GROUP GRANT OR DENY
34 0x0105000000000005150000008D555C5A9C99DF04AB5BAB3A5D410000 NETONE\SQLGelir-guvence-mod WINDOWS GROUP GRANT OR DENY
16384 0x01050000000000090400000000000000000000000000000000400000 db_owner ROLE GRANT OR DENY
16390 0x01050000000000090400000000000000000000000000000006400000 db_datareader ROLE GRANT OR DENY
16391 0x01050000000000090400000000000000000000000000000007400000 db_datawriter ROLE GRANT OR DENY
Best Answer
The user that has access problems is the member of many
win groups
, even if he's a member ofdb_owner
he has limited access if someonerevoke
/deny
some permissions to him or to hisgroup
.To find out restrictions you should use this query:
Here I limit the result to those
roles
/win groups
of which problem user is a member of.So your user has 3
DENY
ofUPDATE
on all database:Your user will be unable to perform any
UPDATE
until yourevoke
these denies:If you don't deny by error and the members of these 3
groups
should not be able toupdate
, you should exclude all your users that should be able toupdate
from all these 3 groups.Note you have same 3
deny
to make adelete
.The
permissions
of any user is given by the "sum" of all thepermissions
that were granted/denied to him and hisgroups
/roles
.Until your
user
is a member ofwin group
that hasupdate
denied he will not be able to update. To make him be able to update you should exclude him fromgrous
withdeny
orrevoke
deny
from thesegroups
.