I am looking to restrict SELECT/INSERT for the 60-80 tables in the database.
The database has a very complex security structure, and I want to restrict INSERT/SELECT for all users (except SysAdmin, no other login should have access to those tables).
Is that possible? Thank you in advance.
Best Answer
By default, SELECT and INSERT access will not be granted. You can REVOKE any SELECT/INSERT perms as follows:

As Unkush said in the comment, this will only REVOKE any existing access that was explicitly granted. Access can also be implicitly granted via the built-in db_datareader role and other avenues such as the db_owner group and schema ownership.
To harden this further, you can place a deny on the public role (which all users fall into but this won't affect sysadmins) at the database level as follows:
Here is a reproducible test:
First, set up the test db:
Then we can see how these permissions work:
Then we can run the dynamic revoke:
And test (this will leave the db_datareader perms in place):
We can then either place a deny on the entire database (a deny is the most robust way as there are various other avenues users can get SELECT permissions such as db_datareader, schema ownership, db_owner etc.):
DENY SELECT ON DATABASE::PermissionsTest TO [public];
Alternatively, you can supply a more granular DENY at a schema or table level:
-- Tables are addressed with the OBJECT:: securable class; TABLE:: is not a valid class.
DENY SELECT ON OBJECT::MyTable1 TO [public];
Running the Test again:
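
Added example, not part of the original answer: one way to apply the table-level DENY to a fixed list of tables and confirm it overrides db_datareader. The table list, the `DenyCheckUser` user and the use of `STRING_AGG` (SQL Server 2017 or later) are assumptions; `PermissionsTest` and `MyTable1` are the names used in the answer.

```sql
USE PermissionsTest;
GO
-- Tables to lock down (constructed sample list; replace with the real 60-80 names).
DECLARE @targets TABLE (schema_name sysname, table_name sysname);
INSERT INTO @targets VALUES (N'dbo', N'MyTable1'), (N'dbo', N'MyTable2');

-- Build one DENY per listed table that exists; QUOTENAME guards odd identifiers.
DECLARE @sql nvarchar(max);
SELECT @sql = STRING_AGG(
           CAST(N'DENY SELECT, INSERT ON OBJECT::' + QUOTENAME(s.name) + N'.'
                + QUOTENAME(t.name) + N' TO [public];' AS nvarchar(max)),
           NCHAR(13) + NCHAR(10))
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
JOIN @targets AS x ON x.schema_name = s.name AND x.table_name = t.name;

PRINT @sql;                                   -- review the generated statements
IF @sql IS NOT NULL EXEC sys.sp_executesql @sql;

-- Listed names that matched no user table (typos, wrong schema).
SELECT x.schema_name, x.table_name AS missing_table
FROM @targets AS x
WHERE OBJECT_ID(QUOTENAME(x.schema_name) + N'.' + QUOTENAME(x.table_name), N'U') IS NULL;

-- Object-level DENY entries now recorded against public.
SELECT OBJECT_SCHEMA_NAME(p.major_id) AS schema_name,
       OBJECT_NAME(p.major_id)        AS table_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.class = 1 AND p.minor_id = 0 AND p.state = 'D'
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
ORDER BY schema_name, table_name, p.permission_name;

-- Effective permissions for a throwaway user that is a member of db_datareader.
-- HAS_PERMS_BY_NAME returns 1 when the permission is held and 0 when it is not.
CREATE USER DenyCheckUser WITHOUT LOGIN;      -- hypothetical test principal
ALTER ROLE db_datareader ADD MEMBER DenyCheckUser;
EXECUTE AS USER = N'DenyCheckUser';
SELECT HAS_PERMS_BY_NAME(N'dbo.MyTable1', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.MyTable1', N'OBJECT', N'INSERT') AS can_insert;
REVERT;
DROP USER DenyCheckUser;
```

A table-level DENY is not evaluated when the table is reached through a view or stored procedure that has the same owner (ownership chaining), so permissions on those objects need reviewing as well.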