Sql-server – Simple question about schema (is this supposed to happen?)

schemasql serversql-server-2012

I've created a simple database, a table, a schema, and a table with that schema ( so, 2 tables ).

--sysadmin
create database dba_schema
go

use dba_schema 
go

create table tabela1 ( id int ) 
go

--LOGIN---------------------------------------------  
USE [master]
GO
CREATE LOGIN [schema_user] WITH PASSWORD=N'schema_user', 
DEFAULT_DATABASE=[dba_schema], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
USE [dba_schema]
GO
CREATE USER [schema_user] FOR LOGIN [schema_user]
GO
USE [dba_schema]
GO
ALTER USER [schema_user] WITH DEFAULT_SCHEMA=[dbo]
GO

( Manually I gave read, write and DLL permissions )
------------------------------------------------

create schema schema1
go

create table schema1.tabela1 ( id int ) 
go

Then I connected with the user schema_user ( that has now only read, write, and ddl permission ).

But, even not giving permission to that schema, I could select both tables ( dbo schema, and the schema I've created )

select * from dbo.tabela1

select * from schema1.tabela1

Is this supposed to happen? I thought that, when we create a schema, we should GRANT permission to that schema, for a user to select from it, but as I see, after creating a schema, we should DENY permission on it, for user not to select. Is this approach right? Its default schema is DBO.

Best Answer

I would confirm that you are connecting using the correct login, and that you have not incorrectly assigned some other permission.

I executed the script that you provided above, and then used execute as to test the select permissions and received SELECT permission denied errors for both (as I would expect).

Adjusted comments slightly, but the following I received what I expected (SQL Server 2012)

/* Create new database */
CREATE database dba_schema
GO

use dba_schema 
GO

/* Create new table in dbo schema */
CREATE TABLE dbo.tabela1 ( id int ) 
GO

/* Add new login */  
USE [master]
GO
CREATE LOGIN [schema_user] WITH PASSWORD=N'schema_user', 
DEFAULT_DATABASE=[dba_schema], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

/* Add new user */
USE [dba_schema]
GO
CREATE USER [schema_user] FOR LOGIN [schema_user]
GO

/* Set default schema for user */
USE [dba_schema]
GO
ALTER USER [schema_user] WITH DEFAULT_SCHEMA=[dbo]
GO

/* Create new schema */
CREATE SCHEMA schema1
GO

/* Add new table to new schema */
CREATE TABLE schema1.tabela1 ( id int ) 
GO

/* Impersonate the new login of schema_user and query the tables */
EXECUTE AS LOGIN = 'schema_user';
/* Confirm we've impersonated correctly */
SELECT SUSER_NAME();
/* Run the selects */
SELECT * FROM dbo.tabela1;
SELECT * FROM schema1.tabela1;
REVERT;

Related Solutions

SQL Server – Setting User Permissions for Different Schemas

The basic concept is to use GRANT/DENY Schema Permissions. You can efficiently manage permissions by creating a role and then adding members to it.

Below is an example that will explain you in detail

use master
go
--Create Logins
CREATE LOGIN UserA WITH Password='UserA123';
go
CREATE LOGIN UserB WITH Password='UserB123';

use AdventureWorks2008R2
go
--Create Database Users
CREATE USER UserA;
go
CREATE USER UserB;
go
--Create the Test Schemas
CREATE SCHEMA SchemaA AUTHORIZATION UserA
go
CREATE SCHEMA SchemaB AUTHORIZATION UserB
go

-- create test tables
create table schemaA.TableA (fname char(5))
go
insert into schemaA.TableA (fname) values ('Kin-A')
go

create table SchemaB.TableB (fname char(5))
go
insert into SchemaB.TableB (fname) values ('Kin-B')
go

Now test :

--Test for UserA in SchemaA
EXEC('select * from schemaA.TableA') AS USER = 'UserA'
go
--Kin-A

-- Test for UserB in SchemaB == this should fail
EXEC('select * from SchemaB.TableB') AS USER = 'UserA'
go
--Msg 229, Level 14, State 5, Line 1
--The SELECT permission was denied on the object 'TableB', database 'AdventureWorks2008R2', schema 'SchemaB'.

Now create Stored Procedures :

CREATE PROCEDURE SchemaB.proc_SelectUserB
AS
    select * from schemaA.TableA;
go
create procedure schemaA.proc_SchemaA
as 
    select * from schemaA.TableA

Now Grant execute permissions to UserA on schemaB's SP

GRANT EXECUTE ON OBJECT::[SchemaB].[proc_SelectUserB] TO [UserA] 
go

Test it .. to see if UserA is able to run SP from schemaB. This will PASS

EXECUTE AS LOGIN='UserA';
    Exec SchemaB.proc_SelectUserB;
    revert;
go
--- Kin-A

But UserA wont be able to see data from SchemaB

EXECUTE AS LOGIN='UserA';
    select * from SchemaB.TableB
revert;
go

--- Msg 229, Level 14, State 5, Line 3
--- The SELECT permission was denied on the object 'TableB', database 'AdventureWorks2008R2', schema 'SchemaB'.

Alternatively you can use DATABASE ROLE and just add users to it for better manageability of permissions:

EXEC sp_addrole 'SchemaBUsesSchemaAProc'
go
EXEC sp_addrolemember 'SchemaBUsesSchemaAProc','UserA';
go

Below statement will make sure that UserA is able to see schemaA and NOT schemaB. The good thing is that you can just add users to SchemaBUsesSchemaAProc role and they will inherit all the permissions granted to that role.

GRANT SELECT ON SCHEMA::SchemaA TO SchemaBUsesSchemaAProc;
go

If you only want to allow UserA to execute SP's which are owned by SchemaB then below statement will do the job:

GRANT EXECUTE ON OBJECT::[SchemaB].[proc_SelectUserB] TO [SchemaBUsesSchemaAProc] 
go

This way, UserA is not able to see SchemaB's tables, but still can execute procs from SchemaB.

Below will explain the permission hierarchy :

enter image description here

Sql-server – SQL Server user cannot select from a table it just created

Granting schema modification is not, and should not be, the same as granting DML rights. Grant the user the exact rights that user needs, including 'SELECT', etc, as necessary.

See https://msdn.microsoft.com/en-us/library/ms178569.aspx for details.

Best Answer

Related Solutions

SQL Server – Setting User Permissions for Different Schemas

Sql-server – SQL Server user cannot select from a table it just created

Related Question