There is no need to grant CONTROL
on the schema.
The permission required to DROP SCHEMA
is either CONTROL
on the schema or ALTER ANY SCHEMA
at the database level, and that is why your user was able to drop the schema. Removing these two permissions will prevent the role-associated users from creating and droping the schema (unless they have higher level permissions of course).
The required permission to CREATE
ALTER
and DROP
other objects is the CREATE
permission for the object type (table\procedure\function\view) combined with ALTER
permission on the schema.
You already have these permissions in your script, so all that you have to do is remove the CONTROL
permission. For reference, here is a BOL list of DDL
statements where You can find the required permission for all object types.
For the lazy, here is your code after removing the unnecessary permission:
CREATE ROLE myrole AUTHORIZATION dbo;
EXEC sp_addrolemember 'myrole', 'myuser';
CREATE SCHEMA myschema AUTHORIZATION dbo;
GRANT ALTER, DELETE, EXECUTE, INSERT, REFERENCES, SELECT,
UPDATE, VIEW DEFINITION ON SCHEMA::myschema TO myrole;
GRANT CREATE TABLE, CREATE PROCEDURE, CREATE FUNCTION, CREATE VIEW TO myrole;
Best Answer
Please do not grant any permission to any User outside of
EXECUTE
on a particular Stored Procedure that will do what you are wanting. GrantingALTER
on a Table or Schema allows that User to make any change they want. You want them to be able toTRUNCATE
, but granting themALTER
to a Table will allow the User to add / remove / change Columns, etc.You want to create a Stored Procedure to contain only the specific actions that you feel are permissible. Whether that is a loop that goes through all tables and executes
TRUNCATE
on each one (will reflect new and removed Tables; might need a pattern specific for the Table name, perhaps?), OR is a list of accepted Tables to be truncated (won't reflect new and removed Tables, but maybe new Tables shouldn't be included anyway), is up to you. Either way, you should retain full control over the scenarios in which the User can perform this action.Fortunately, this is fairly simple to accomplish. All you need to do is:
EXECUTE
on the Stored Procedure to the User(s) and/or Role(s) that should be able to perform theTRUNCATE
The following is the T-SQL that corresponds to the steps noted above:
That's it.