I have a vendor solution that uses a sql server (2008r2) database. We are allowed to do anything we want in our own schema, but cannot modify dbo objects without vendor permission. Any customization we make is in our own schema (cust). We have full control of this server and have always allowed sysadmin rights to any developer. Lately, I've noticed these rules have not been followed, so I want to see if I can set up permissions to stop this in the first place.
Here is what I would like to accomplish:
Tables: read/write to all, alter cust schema only, view design
Views/Sprocs/Functions: view any definition, create or alter cust schema only
I created a new user (dev) and applied the following:
deny alter on schema::dbo to dev
grant alter on schema::custom to dev
grant view definition to dev
Will this accomplish what I want, or am I missing something else?
Solution (thanks to AMtwo)
use master
go
create login dev with password = 'test', check_expiration = off, check_policy = off
grant control server to dev
use CustomerDB
go
if not exists(select * from sys.database_principals where name = 'dev') begin
create user dev for login dev
grant select, insert, update, delete, execute, alter on schema::custom to dev
grant view definition to dev
deny alter on schema::dbo to dev
-- deny other schemas here
end`
Best Answer
The
sysadmin
privilege effectively short-circuits any other permissions. If a user is a member of thesysadmin
fixed server role, then anyDENY
permissions will be ignored.You can work-around this by revoking
sysadmin
and instead using theCONTROL SERVER
permission.CONTROL SERVER
is similar to thesysadmin
fixed server role, except thatCONTROL SERVER
will obeyDENY
permissions.If you want to completely undo the developers' need to have high-level access on the server (which is a pretty good idea), then you could take two approaches:
Grant wide access to the database, then explicitly deny permissions on dbo.
Explicitly grant just the permissions the users require; do not grant
ALTER
permission indbo
.Ultimately, you want to follow (or be close to) the principal of least privilege. But you also have to balance complexity and manageability.
I'd suggest you create a few test scenarios to test your permissions when running as dev, so that you can make sure the user has the right permissions. You can do this using
EXECUTE AS LOGIN
: