Sql-server – Create table permission for a user in specific schema

permissionsschemaSecuritysql server

I want to give Create , alter and drop permission to user A on a schema1 of a database.
I guess this question has been already asked, and what i have found is to Grant Alter to the schema and also grant create table to the User A:
GRANT ALTER, DELETE, EXECUTE, INSERT, SELECT, UPDATE ON SCHEMA::schema1 TO user A;

GRANT CREATE TABLE TO User A;

If this is right then , will the userA will be able to create table on other schemas too?

Best Answer

I want to give Create , alter and drop permission to user A on a schema1 of a database

The safe way to do this is to make A owner of that Schema.

Granting a user the ability to alter another user's schema gives that user the ability to SELECT, INSERT, UPDATE and DELETE rows in any table owned by the owner of that schema. This is called "Ownership Chaining" and it's what makes Views and Stored Procedures really simple ways to control security, as a user who has permissions on a View or Stored Procedure does not need to be granted permissions on the underlying Table, so long as the View/Proc is has the same owner as the Table.

However in this scenario you can easily create a security hole with Ownership Chains. Generally you never want a user to be able to create objects that will be owned by a different (and especially a privileged) user.

EG, just granting CREATE TABLE, ALTER, and INSERT creates a security hole:

use master
--drop database security_test
go
create database security_test
go
use security_test 
go

create schema schema1 authorization dbo
go
create user A without login
go
grant create table to A
grant alter, insert on schema::schema1 to A
go
create table dbo.secret(id int, msg varchar(200))
insert into dbo.secret(id,msg) values (1, 'secret data')
go
execute as user='A'

create table schema1.foo(id int)

go
create trigger t on schema1.foo after insert
as
begin
  select * from dbo.secret 
end

go

insert into schema1.foo(id) values (1)


go

revert

outputs

id          msg
----------- -----
1           secret data

Related Solutions

Grant create permission on a specific schema in Oracle 11g

You are correct that there is no way to grant a user create/drop/etc permissions on an entire schema. I suggest you look into proxy authentication. This basically involves altering user A to allow user B to proxy as A:

ALTER USER A GRANT CONNECT THROUGH B;

Then the connection uses user B's authentication, but gets the permissions of user A.

connect B[A]/Password@Database

This question was somewhat covered by my more specific question here.

Note on Roles: Roles work well for giving Object Privileges to another user since the privileges are tied to a specific object. While Roles can grant System Privileges, they apply either to the users own schema or to the entire database and therefore can't apply to another schema. For example, the user B could be granted CREATE TABLE which would allow it to create tables in its own schema or CREATE ANY TABLE which would allow it to create tables in any schema. These permissions could be granted directly or through a role, but the former wouldn't allow create privileges in the A schema. The latter would, but would also allow create privileges in any schema including sys, which would be a security concern.

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

There is no need to grant CONTROL on the schema.
The permission required to DROP SCHEMA is either CONTROL on the schema or ALTER ANY SCHEMA at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course).

The required permission to CREATE ALTER and DROP other objects is the CREATE permission for the object type (table\procedure\function\view) combined with ALTER permission on the schema.
You already have these permissions in your script, so all that you have to do is remove the CONTROL permission. For reference, here is a BOL list of DDL statements where You can find the required permission for all object types.

For the lazy, here is your code after removing the unnecessary permission:

CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';

CREATE SCHEMA myschema AUTHORIZATION dbo;

GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
          UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;

GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;

Best Answer

Related Solutions

Grant create permission on a specific schema in Oracle 11g

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

Related Question