May 15, 2009 at 3:09 pm
One user is a member of two groups that are mapped to a database.
One group (ad\reportusers) has db_datareader and db_denydatawriter and public. The second group (ad\appusers) has db_datareader and public.
I recently had to add the ad\reportusers to the production database and because we are using log_shipping as a reporting solution (long story) and when the user who was a member of both groups tried to use Management Studio, they were getting an error stating "The SELECT permission denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'."
Im assuming this was due to the roles conflicting with each other because when I unchecked db_denydatawriter from the role, the problem went away.
Anyone know where I can find more information about this kind of stuff?
May 18, 2009 at 7:03 am
This is interesting because you cannot write to the mssqlsystemresource (resource) database, you can only read from it, so I wouldn't think that a user being in the db_denydatawriter role would have an adverse affect to any operation.
Of course, in this case you are not trying to write to the resource database (you can't anyway) so being a member of db_denydatawriter as the cause of this problem seems a little fishy.
This article doesn't provide a definitive answer to this problem but does explain the security model.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
Viewing 2 posts - 1 through 1 (of 1 total)
You must be logged in to reply to this topic. Login to reply