Post reply

Limitations on db_ddladmin ?

  • September 24, 2008 at 4:39 am

    #198705

    One of our system suppliers was trying to run some scripts to modify tables on a new database, using passthrough via Access (2000 I assume, since that's what we use here, but its possible they were using a newer version on a laptop), and reported that that scripts kept failing, even though they should work.

    They used

    SQLServer=ODBC;DRIVER=SQL Server;SERVER=SQL008;Description=SQL Server;DATABASE=HBSMR_YO;LANGUAGE=British;UID=HBSMRuser;PWD=HBSMRuser;

    for the connection string, and the HBSMRuser login was set up with datareader, datawriter, ddladmin and public for role mappings.

    Adding db_owner to the mappings sorted the problem, but the supplier thinks they should not need the owner mapping to work with?

    Is this a case of permissions overwritten elsewhere, or limitation of passthrough? Or sometign else?

  • September 24, 2008 at 4:48 am

    #876216

    can you specify what they tried to modify? And are you sure it was in the correct database where you assigned them the ddl_admin rights to?

    from BOL:

    Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database.

    So users with these database role should be able to modify table definitions.

    ** Don't mistake the ‘stupidity of the crowd’ for the ‘wisdom of the group’! **

  • September 24, 2008 at 4:51 am

    #876220

    I think they were just resizing nvarchar fields and the like.

    Certainly had the rights for the database, but I personally didn't set these up.

  • September 24, 2008 at 6:56 am

    #876307

    Even if some one was to resize a field does it not require to be logged into a Change Request. If this is a test or dev environment I wouldn't be worried they can do it as long as it is the right thing to do if not they can always revert back...

    The_SQL_DBA
    MCTS

    "Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction and skillful execution; it represents the wise choice of many alternatives."

  • September 24, 2008 at 7:33 am

    #876344

    Its the live enviornment. Yes, we've switched the dbadmin off again, but the supplier can't understand why the alter access is denied

  • September 24, 2008 at 8:51 am

    #876431

    y not running it yourself?

  • September 24, 2008 at 9:08 am

    #876443

    Generally we don't.

  • September 24, 2008 at 9:25 am

    #876458

    Solves the problem... and you can check the script for quality control.

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply