Sql-server – How to grant permissions to allow anything inside a SQL Server schema

permissionsroleSecuritysql serversql-server-2012

I have a schema called training. I have a new role called training_modify. Here are the desired permissions for users placed in that role:

Select, update, insert, and delete permissions on any object in that schema
Create any object in that schema
Drop any object in that schema
No permissions on any other object outside that schema (except for those granted through the public role
No create/drop/alter permissions for the schema itself
The role and individual users should not require membership in db_ddladmin, db_datareader, db_datawriter, or any other default security roles

In simple terms, I want the users in the role to be able to do anything they want within the schema without affecting/seeing anything outside the schema or the schema itself. What is the least privilege to grant this type of access?

My approach so far:

Create training schema with dbo as the owner
Create training_modify role with dbo as the owner
Grant all permissions on the schema to the role
Grant create objects to the role
Add a user to the role

Here is the code for the above steps:

CREATE SCHEMA training AUTHORIZATION dbo;

CREATE ROLE training_modify AUTHORIZATION dbo;

GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
          UPDATE, VIEW DEFINITION ON SCHEMA::training TO training_modify;

GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO training_modify;

EXEC sp_addrolemember 'training_modify', 'example_user';

Is this the right approach? Does it have any unintended consequences? I am most worried about how ownership chaining may affect this approach negatively with dbo being the owner of the schema and the role (as well as other schemas/objects in the DB), and the alter permission being granted on the schema.

Also:

Should dbo still own the role? or should TestOwner own both the role and the schema?
Is it accurate that if I took away the CREATE PROCEDURE and CREATE FUNCTION permissions, this would prevent any DML on objects outside the specific schema? I don't think I care if they can create procedures, although I would like them to be able to execute procedures/functions (which I think would be covered by the EXECUTE permission on the schema). If this is accurate – are there any pros/cons between this approach and changing the owner of the schema?

Best Answer

Ownership chaining is generally not something to worry about. It only implies permissions for DML (INSERT, UPDATE, and DELETE), SELECT, and EXECUTE operations. It does not allow for CREATE, ALTER, DROP, etc.

The tricky part / nuance here is that, by default, objects have a NULL owner, meaning that their ownership is implied as being the owner of the schema in which they exist. So, in this particular case, with:

the training schema being owned by dbo, and...
the training_modify user being able to create stored procedures and/or functions in the training schema,

the training_modify user, who can't do DML against a dbo. table, can simply create training.[proc] which does the DML and then execute that stored proc and it will allow for doing DML against the dbo. table.

Changing the owner of the training schema fixes this issue (assuming that you want no access to dbo. objects). You can create a database-only user (i.e. WITHOUT LOGIN) and make that user the owner of the training schema. This user will not be used for anything else; it only exists to allow the owning principal_id of the training schema to be different from that of the dbo schema, thus breaking ownership chaining.

Please note:

The documentation for CREATE ROLE states:

The owner of the role, or any member of an owning role can add or remove members of the role.

Meaning: the owner of a role does not affect ownership chaining. HOWEVER, anyone in the training_modify role probably shouldn't be able to add/remove others, so best to keep dbo as the owner of the role (not the schema).
The documentation for ALTER AUTHORIZATION, under "Special Cases and Conditions" states:

When ownership is transferred, permissions on schema-contained objects that do not have explicit owners will be dropped.

Meaning: you will need to GRANT permissions on the schema after executing ALTER AUTHORIZATION on it.
As far as pros/cons between, that depends greatly on what objects will exist in the dbo schema, how they will be accessed, and what the training is supposed to accomplish and how flexible this setup needs to be. I'm not privy to any of that info, so for now I will simply generalize by saying:
- schema owner is dbo and not allowing CREATE PROCEDURE:
  1. CON: training person cannot play with creating procs and functions
  2. ???: if training folk need access to dbo. objects, then modules can be created in training schema (CON if lots of objects and/or different actions required, else just "meh").
- changing schema owner and allowing CREATE PROCEDURE:
  1. PRO: training person can play with creating procs and functions
  2. ???: if training folk need access to dbo. objects, either explicit permissions will need to be granted to the training_modify role, allowing ad hoc access to those objects (CON), or modules need to be added to dbo schema to do that access and EXECUTE / SELECT permission can be granted on those (CON if lots of objects and/or different actions required, else just "meh").
Assuming there's not too much in the dbo. schema and/or the required access is relatively simple, I would opt for changing the schema owner and allowing for CREATE PROCEDURE, etc.

Related Solutions

Sql-server – SQL Server – DBO without Backup

Grant the user SELECT, INSERT, UPDATE, DELETE, EXECUTE and VIEW DEFINITION rights to the database (or the schema). This will grant the user the rights to all the objects within the database (or the schema).

You'll probably also need to give them rights like ALTER ANY OBJECT within the database as well so that they can modify the objects.

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

There is no need to grant CONTROL on the schema.
The permission required to DROP SCHEMA is either CONTROL on the schema or ALTER ANY SCHEMA at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course).

The required permission to CREATE ALTER and DROP other objects is the CREATE permission for the object type (table\procedure\function\view) combined with ALTER permission on the schema.
You already have these permissions in your script, so all that you have to do is remove the CONTROL permission. For reference, here is a BOL list of DDL statements where You can find the required permission for all object types.

For the lazy, here is your code after removing the unnecessary permission:

CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';

CREATE SCHEMA myschema AUTHORIZATION dbo;

GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
          UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;

GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;

Best Answer

Related Solutions

Sql-server – SQL Server – DBO without Backup

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

Related Question