I gave a group (AD group) in SQL 2014, access to create, alter, delete objects in a schema [Test] in a database that they have datareader. The user testing (UserA) is able to create objects in a user schema [UserA].[Table_test]. How do I prevent this? I had to grant Create table, view, procedure to the database, but they do not have access except in schema [Test].
Sql-server – Issue with users creating objects in a user owned schema
permissionsschemasql serversql server 2014
Related Question
- Sql-server – Setting user permissions for different SQL Server schemas
- Sql-server – SQL Server: grant select access to a user in a view and not in its tables
- Sql-server – Grant access to all objects (with a few exceptions) to a role
- Sql-server – Create table permission for a user in specific schema
- Postgresql – How to allow user access to non-owned objects in Postgres
- Sql-server – Does cross-database permission chaining work for objects owned by sa/dbo
- Sql-server – How to grant permissions to allow anything inside a SQL Server schema
Best Answer
See Books Online for CREATE SCHEMA
The article above contains the following:
Implicit Schema and User Creation
In some cases a user can use a database without having a database user account (a database principal in the database). This can happen in the following situations:
- A login has CONTROL SERVER privileges.
- A Windows user does not have an individual database user account (a database principal in the database), but accesses a database as a member of a Windows group which has a database user account (a database principal for the Windows group).
When a user without a database user account creates an object without specifying an existing schema, a database principal and default schema will be automatically created in the database for that user. The created database principal and schema will have the same name as the name that user used when connecting to SQL Server (the SQL Server authentication login name or the Windows user name).
This behavior is necessary to allow users that are based on Windows groups to create and own objects. However it can result in the unintentional creation of schemas and users. To avoid implicitly creating users and schemas, whenever possible explicitly create database principals and assign a default schema. Or explicitly state an existing schema when creating objects in a database, using two or three-part object names.