Sql-server – Select permission to each table

Securitysql server

I have three schemas Production, HRecourse and Sales,tables in every week create and drop , I have six Users P_User1, P_User2, HR_User1, HR_User2 and S_User1 and S_User2. I have to grant then how i can Select permission to each table in their respective Schemas. how i tackle this scenario with SQL Scripts.

Best Answer

nstead of dropping and re-creating, why not just keep the same tables and truncate them and re-populate them? Then you don't have to mess with permissions each week.

However, if you want to keep doing this the hard way, this script might help.

SQL Server 2008+:

DECLARE @sql NVARCHAR(MAX) = N'';

;WITH [schemas] AS 
(
  SELECT id = [schema_id], name
  FROM sys.schemas 
  WHERE name IN (N'Production',N'HResource',N'Sales')
),
[users] AS 
(
  SELECT u, [schema] = s FROM 
  (
    VALUES 
    (N'HR_User1',N'HResource'),
    (N'HR_User2',N'HResource'),
    (N'P_User1', N'Production'),
    (N'P_User2', N'Production'),
    (N'S_User1', N'Sales'),
    (N'S_User2', N'Sales')
  ) AS v(u,s)
)
SELECT @sql += N'
GRANT SELECT, UPDATE, INSERT ON '
  + QUOTENAME(s.name) + '.' + QUOTENAME(t.name)
  + ' TO ' + QUOTENAME(u.u) + ';'
FROM [schemas] AS s 
INNER JOIN [users] AS u
ON s.name = u.[schema]
INNER JOIN sys.tables AS t
ON s.id = t.[schema_id];

PRINT @sql;
-- EXEC sp_executesql @sql;

If you're stuck on 2005, you'll need to make a couple of changes (and start thinking about your next move):

DECLARE @sql NVARCHAR(MAX);
SET @sql = N'';

;WITH [schemas] AS 
(
  SELECT id = [schema_id], name
  FROM sys.schemas 
  WHERE name IN (N'Production',N'HResource',N'Sales')
),
[users] AS 
(
  SELECT [user]    = N'HR_User1', [schema] = N'HResource'
    UNION ALL SELECT N'HR_User2',            N'HResource'
    UNION ALL SELECT N'P_User1',             N'Production'
    UNION ALL SELECT N'P_User2',             N'Production'
    UNION ALL SELECT N'S_User1',             N'Sales'
    UNION ALL SELECT N'S_User2',             N'Sales'
)
SELECT @sql = @sql + N'
GRANT SELECT, UPDATE, INSERT ON '
  + QUOTENAME(s.name) + '.' + QUOTENAME(t.name) 
  + ' TO ' + QUOTENAME(u.u) + ';'
FROM [schemas] AS s 
INNER JOIN [users] AS u
ON s.name = u.[schema]
INNER JOIN sys.tables AS t
ON s.id = t.[schema_id];

PRINT @sql;
-- EXEC sp_executesql @sql;

Related Solutions

Sql-server – Receiving “The SELECT permission was denied on the object” even though it’s been granted

I'm not sure here, but I'm going to go out on a limb. I think your issue might be with your DENY CONTROL record. See here about half way down the page:

Denying CONTROL permission on a database implicitly denies CONNECT permission on the database. A principal that is denied CONTROL permission on a database will not be able to connect to that database.

I realize that example is for a database, but take it one more granual level. A DENY CONTROL on a table will deny all privileges on it, I'm guessing. Do a REVOKE CONTROL to get rid of that and see if that fixes your issue.

If so, you'll have to place the user in a database role or deny them the explicit privileges against the table.

Grant create permission on a specific schema in Oracle 11g

You are correct that there is no way to grant a user create/drop/etc permissions on an entire schema. I suggest you look into proxy authentication. This basically involves altering user A to allow user B to proxy as A:

ALTER USER A GRANT CONNECT THROUGH B;

Then the connection uses user B's authentication, but gets the permissions of user A.

connect B[A]/Password@Database

This question was somewhat covered by my more specific question here.

Note on Roles: Roles work well for giving Object Privileges to another user since the privileges are tied to a specific object. While Roles can grant System Privileges, they apply either to the users own schema or to the entire database and therefore can't apply to another schema. For example, the user B could be granted CREATE TABLE which would allow it to create tables in its own schema or CREATE ANY TABLE which would allow it to create tables in any schema. These permissions could be granted directly or through a role, but the former wouldn't allow create privileges in the A schema. The latter would, but would also allow create privileges in any schema including sys, which would be a security concern.

Best Answer

Related Solutions

Sql-server – Receiving “The SELECT permission was denied on the object” even though it’s been granted

Grant create permission on a specific schema in Oracle 11g

Related Question