Sql-server – Giving selective permissions in a database

permissionssql-server-2008sql-server-2008-r2

I have a user [AD\dbusersgroup_limitedrights] that should have on two schema's
[ICD] and [XCD] within a database only SELECT and EXECUTE rights, however for each of the users in the [AD\dbusersgroup_limitedrights] I have created a schema with their corp initial

[DIS]
[SUB]
[TEC]

within these schemas they should have the rights to create their own tables, views and stored procedures, that are based on the [ICD] and [XCD] schemas objects.

I made the group now owner of the schema's [DIS],[SUB],[TEC] and on the other two schemas did grant them right for SELECT and EXECUTE. I also did make the group db_role db_datareader to make sure they don't get rights on other later created schema's.

However even though they are owner of their own schema they can't create objects within the schemas. I assume that this is due to the db role db_datareader.

So for such a scenario, what is best practice to give limited permissions within a database?

Best Answer

You'll have to grant them appropriate permissions at the database level to indicate what they should be able to do. Then grant ALTER permission (or make them the owner) on the schemas in which they can do these things.

GRANT CREATE TABLE, CREATE PROCEDURE TO [AD\dbusersgroup_limitedrights]
GRANT ALTER ON SCHEMA::[DIS] TO [AD\dbusersgroup_limitedrights]

Related Solutions

Sql-server – SQL Server: hierarchy of permissions for schema

Quick answer: For developers, you can GRANT CONTROL on that schema.

Background:

To see what can be GRANTed: GRANT Schema Permissions
To see what each permission means: Permissions Naming Conventions

The intersection of these two give the schema permission meanings:

CONTROL implies the rest and is the highest permissions of any securable
SELECT, DELETE, INSERT, UPDATE is DML on objects in that schema
EXECUTE to run scalar UDFs and Stored Procedures in that schema
ALTER, REFERENCES is DDL (CREATE, ALTER, DROP) on objects in that schema
VIEW DEFINITION lets folk see the code and definitions

Except for CONTROL, these are mostly orthogonal to each other: folk can EXECUTE code or SELECT, from a view but not see the definition (VIEW DEFINITION) of these.

You also have the database and server permissions which are implied higher up then CONTROL on schemas: see Permissions Hierarchy

Sql-server – DENY EXECUTE on one schema object hides other objects in same schema

Since you didn't specify any other permissions you gave or denied to the user group AD\Users, I'll assume that they are memebers of db_datareader and public and have no other specific permissions.

To perform my test, I used SQL Server 2008, not R2 and started out with a completely new user group, database, schema and stored procedures.

As sysadmin

Created a Windows Group called AD\TEST_USERS in Windows

Created a login from that Windows Group in SQL Server

Created a test database TEST

Added AD\TEST_USERS as a member of public and db_datareader on the TEST database

Created a schema called XTR

Added two stored procedures sp_1 and sp_2 to XTR

As a member of AD\TEST_USERS

Opened up SSMS

Opened up the TEST database and expanded stored procedures. Nothing was visible

As sysadmin

GRANT EXECUTE ON OBJECT::XTR.sp_1 TO [AD\TEST_USERS]
GRANT EXECUTE ON OBJECT::XTR.sp_2 TO [AD\TEST_USERS]

As a member of AD\TEST_USERS

I refreshed the stored procedures and now see XTR.sp_1 and XTR.sp_2

As sysadmin

DENY EXECUTE ON OBJECT::XTR.sp_1 TO [AD\TEST_USERS]

As a member of AD\TEST_USERS

I refresh stored procedures in SSMS and no longer see XTR.sp_1 but I do see XTR.sp2

XTR stored procedures

Doing the same steps as you on my SQL Server 2008, simply denying EXECUTE on one stored procedure did not make the other stored procedure invisible in the same schema to members of my test group.

Best Answer

Related Solutions

Sql-server – SQL Server: hierarchy of permissions for schema

Sql-server – DENY EXECUTE on one schema object hides other objects in same schema

Related Question