Technical Article

Create Role for specific set of Objects based on a set of Conditions.

,

I am using this code for the following scenario:
In SQL Server 2005, we have a role called DB_DDLAdmin, but a user
belonging to this role will be able to modify the defination of the stored
procedure. But we don't have a DB_DDLReader role. This script will generate
a script that would create a Role and grants "View defination" permission
to all the objects qualified by the "where clause" for a specific database.

Note: Like the forum member EDogg has pointed out, one can just use

??USE [DATABASENAME]
??GO
??GRANT VIEW DEFINITION ON SCHEMA::[dbo] TO
??GO
[\code]
This approach will grant the User with a blanket permission on all the objects belonging to that schema. In fact this approach is much simpler if you are trying to grant blanket permissions on a schema. But the code below is for the Generating a code block that makes it easier to grant various permissions on a group of objects qualified by specific criteria.

Author: Shiva Challa (Challa.info)
Directions to use:
- Replace <<DBNAME>> with the database name you want to be working in. Replace 'AnyRoleNameYouWantGoesHere' with any Rolename you want.
- Make sure you generate the results in text mode (Ctrl+T), so that you can easily Copy-Paste the result set in new script window.

Note: This script can easily be modified to create similar role for all the other
types of objects in a given database.

Sample Results:


USE PerDB
GO
CREATE ROLE [db_SprocReader] AUTHORIZATION [dbo]
GO

GRANT VIEW DEFINITION ON [dbo].[usp_sproc1] TO [db_SProcReader]
GO
GRANT VIEW DEFINITION ON [dbo].[usp_sproc2] TO [db_SProcReader]
GO
GRANT VIEW DEFINITION ON [dbo].[usp_sproc3] TO [db_SProcReader]
GO
GRANT VIEW DEFINITION ON [dbo].[usp_sproc4] TO [db_SProcReader]
GO


 

/***
Purpose: 
I am using this code for the following scenario:
In SQL Server 2005, we have a role called DB_DDLAdmin, but a user 
belonging to this role will be able to modify the defination of the stored 
procedure. But we don't have a DB_DDLReader role. This script will generate 
a script that would create a Role and grants "View defination" permission
to all the objects qualified by the "where clause" for a specific database.

Note: Like the forum member EDogg has pointed out, one can just use
[code]
    USE [DATABASENAME]
    GO
    GRANT VIEW DEFINITION ON SCHEMA::[dbo] TO [USER]
    GO 
[\code]
This approach will grant the User with a blanket permission on all the objects belonging to that schema. In fact this approach is much simpler if you are trying to grant blanket permissions on a schema. But the code below is for the Generating a code block that makes it easier to grant various permissions on a group of objects qualified by specific criteria. 

Author: Shiva Challa (Challa.info)
Directions to use: 
- Replace <<DBNAME>> with the database name you want to be working in. Replace 'AnyRoleNameYouWantGoesHere' with any Rolename you want. 
- Make sure you generate the results in text mode (Ctrl+T), so that you can easily Copy-Paste the result set in new script window. 

Change history:
10/08/2008 Shiva Challa Created the Script.
12/10/2008 Shiva Challa Generalised the script for easy customization:
 - Created a @RoleName variable, one place to change the role name.
 - Used Schema_id variable to qualify the object name properly. 
 This is helpful when you have objects that belong to multiple schemas.
 - Added other types of permissions, to make it easier to generate statements quickly.
***/
USE <<DBName>>
GO
BEGIN
SET NOCOUNT ON 
DECLARE @RoleName VARCHAR(50), @PermissionType VARCHAR(50)
 SET @RoleName = 'AnyRoleNameYouWantGoesHere' 
/*** Something like DB_ViewDDLReader, DB_SprocDDLReader, DB_SpecificObjectDDLReader, you get the idea... ***/ SET @PermissionType = 'VIEW DEFINITION'
-- SET @PermissionType = 'ALTER'
-- SET @PermissionType = 'CONTROL'
-- SET @PermissionType = 'DELETE'
-- SET @PermissionType = 'EXECUTE'
-- SET @PermissionType = 'INSERT'
-- SET @PermissionType = 'RECEIVE'
-- SET @PermissionType = 'REFERENCES'
-- SET @PermissionType = 'SELECT'
-- SET @PermissionType = 'TAKE OWNERSHIP'
-- SET @PermissionType = 'UPDATE'
-- SET @PermissionType = 'VIEW CHANGE TRACKING'

SELECT 
'USE <<DBName>>
GO
CREATE ROLE [' + @RoleName +'] AUTHORIZATION [dbo]
GO ' as [-- Creating the Role]

SELECT 
'GRANT '+ @permissionType + ' ON ['+ schema_name(schema_id)+'].[' + name + '] TO [' + @RoleName + ']
GO' as [-- List of Grant statement for all the objects that meet the where condition]
FROM 
    sys.objects (nolock)
WHERE 
/***********************************************************//*** Change the below Where condition to meet your needs ***//***********************************************************/is_ms_shipped = 0
and [type] LIKE 'P'
--and [type] LIKE 'V'
--and [name] like '%RPT_%' 
Order by [schema_id],[Name]

SET NOCOUNT OFF
END

Rate

3 (3)

You rated this post out of 5. Change rating

Share

Share

Rate

3 (3)

You rated this post out of 5. Change rating