I have tables and views in a single database under a specific schema. For simplicity, here is an example:
- [DBXYZ].[SCHEMAXYZ].[TABLEWITHRESTRICTEDDATA]
- [DBXYZ].[SCHEMAXYZ].[SAFEVIEW1]
- [DBXYZ].[SCHEMAXYZ].[SAFEVIEW2]
I would like to grant SELECT access to a certain set of users to the views in schema "SCHEMAXYZ" but not the tables. I prefer not to grant access to specific views because it means more administrative maintenance in the future when new views are added.
I realize that one option is simply to use a different schema name for the views (e.g. "SCHEMAXYZ_VIEWS") but that is not my preference.
Is this possible?
Best Answer
You'll need to move the views to a different schema to utilize this security tom foolery.
Basically you can
GRANT SELECT
permissions on a Schema, but you are unable to limit theSELECT
privileges to views only.The workaround, as you identified, is to create a schema that only owns the views in question. This schema is also owned by the same principal that owns the base schema where the tables reside so your permissions are a little easier to manage.
Below is an example script breaking it down:
Your output should look as follows, confirming you are unable to select from the base table while having no issues selecting from the view that references it:
The beauty here is any user that is part of the
db_viewreader
role will haveSELECT
privileges to any new view you place into theviewSchema
schema automagically which is what I assume you're looking for.