I have a SQL Server 2012 instance with a few databases. In one of them I created a view, that selects tables in more than a database.
I want a user to be able to select that view, but it must not select its tables. The view was created exactly because the user can't select the tables.
I've read https://stackoverflow.com/questions/368414/grant-select-on-a-view-not-base-table and http://msdn.microsoft.com/en-us/library/ms188676.aspx and still it is not working.
If I do a GRANT SELECT TABLE TO USER
to all tables, the user is able to select the view. But if I revoke to any table, it fails.
This should be a easy procedure to do, but I'm having trouble to make it work. I've seen it happen before (the owner of a instance gave me access to a view and didn't do it to its tables) but I'm unable to do it or find somebody who knows how.
Could somebody provide me a tutorial on how to do it, or a code example?
When the user SELECTs
the view I get the message:
The SELECT permission was denied on the object
<TABLE>
, database<DB>
, schemadbo
.
If I grant select to that table, the error message changes the table name to another table the view reads.
Best Answer
If you want users to select from the view, why are you granting to the table? By "revoke" do you mean explicitly revoke/deny? Deny will override grant so there's your problem... you should be able to accomplish this by adding grant to the view and not doing anything either way on the tables.
Here's a quick example where
SELECT
has not been explicitly granted on the table, but has been on the view. The user can select from the view but not the table.Note that this assumes
foo
has not been granted elevated privileges through explicit permissions on the schema or database, or through role or group membership.Since you are using tables in multiple databases (sorry I missed the end of that first sentence initially), you also may need explicit grants on the table(s) in the database where the view does not exist. In order to avoid granting select to the table(s), you could create a view in each database, and then join the views.
Create two databases and a login:
In database
d1
, create a user, then create a table and a simple view against that table. Grant select to the user only against the view:Now, in the second database, create the user, then create another table and a view that joins that table to the view in
d1
. Grant select only to the view.Now launch a new query window and change the credentials to be for the login
blat
(EXECUTE AS
does not work here). Then run the following from the context of either database, and it should work fine:These should both yield Msg 229 errors:
Results: