Sql-server – Microsoft SQL Server – Permission to create a Snapshot

permissionssnapshotsql serverssis

I've developed a set of SSIS packages to load a data warehouse.
In order to manage any issue that may arise during package execution, each package starts by creating a snapshot of the data warehouse.

The package authenticates on my server using a login that does not belongs to the dbcreator server role.
Obviuosly with this configuration the package fails due to the lack of permission to create/drop a database.

The dbcreator server role allows a user to create/drop a database on the whole instance.
My question is: Is there a way to grant a database user the permission to create a snapshot of the given database (and only that) and eventually drop the snapshot (and only the snapshot associated to the given database)?

What are the best practices to handle this requirement?

Best Answer

Its not possible to do straight away as mentioned on MS documentation:

Permissions Any user who can create a database can create a database snapshot; however, to create a snapshot of a mirror database, you must be a member of the sysadmin fixed server role.

What I understand is - if you could have alternative in place for DB creator role, this purpose can be achieved and this has been explained very well by one of MSSQL SME Mr. Solomon Rutzky

You can achieve this by using module signing which has been explained by Mr. Tibor Nagy on this link --> https://www.mssqltips.com/sqlservertip/3336/how-to-use-module-signing-for-sql-server-security/

You can also refer the question and answer thread for better understanding of module signing at the same forum and how can this be used:

Granting a user a permission to restore a database

Execute Permissions for a Store Procedure that creates databases

https://sqlquantumleap.com/2018/02/15/safely-and-easily-use-high-level-permissions-without-granting-them-to-anyone-server-level/

More about Module signing at Microsoft:

https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008/ms345102(v=sql.100)

Hope this leads you into right direction.

Related Solutions

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

There is no need to grant CONTROL on the schema.
The permission required to DROP SCHEMA is either CONTROL on the schema or ALTER ANY SCHEMA at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course).

The required permission to CREATE ALTER and DROP other objects is the CREATE permission for the object type (table\procedure\function\view) combined with ALTER permission on the schema.
You already have these permissions in your script, so all that you have to do is remove the CONTROL permission. For reference, here is a BOL list of DDL statements where You can find the required permission for all object types.

For the lazy, here is your code after removing the unnecessary permission:

CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';

CREATE SCHEMA myschema AUTHORIZATION dbo;

GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
          UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;

GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;

Sql-server – db_owner unable to drop database – Error 615, SQL Server

I can guess you have the AutoClose option for database set to True. This is the default behavior when you create a database with Express Editions.

The mentioned error can occur exactly in this case. Actually the complete error message 615 states: "Could not find database ID %d, name '%.*ls'. The database may be offline. Wait a few minutes and try again." ... So it points that database could be closed during dropping.

So, go to DB properties, switch it to False and try again dropping it or use below script before dropping

ALTER DATABASE [MyDB] SET AUTO_CLOSE OFF 
GO

Many point out that is better to have AutoClose set to False. I found this article explaining a bit more about AutoClose: http://sqlmag.com/blog/worst-practice-allowing-autoclose-sql-server-databases

Small extension of the answer:

-- this works in standard SQL Server Editions, but NOT with Express Editions:
CREATE DATABASE [MyDB]
GO
DROP DATABASE [MyDB]
GO

-- this works in ALL SQL Server Editions
CREATE DATABASE [MyDB]
GO
ALTER DATABASE [MyDB] SET AUTO_CLOSE OFF 
GO
DROP DATABASE [MyDB]
GO

Best Answer

Related Solutions

Sql-server – Allow user to do anything within his own schema but not create or drop the schema itself

Sql-server – db_owner unable to drop database – Error 615, SQL Server

Related Question