February 24, 2012 at 2:42 am
Hi All,
Does the db_executor database role take precedence over db_denydatawriter? This seems to be the case. If so how can I stop a user being able to write to the db whilst still letting them run the stored procs required to view the data. Don't say I have to grant/deny permissions on each proc, just don't......
February 24, 2012 at 4:27 am
db_executor must be a role which was created by yourselves as its not a standard db role.
depending on what the db_executor role rights are depends on what they can do.
if you have set db_executor to be able to execute all procs and also the user in question who is part of both roles tries to insert update delete, it shouldn't allow it as deny is greater than grant.
February 24, 2012 at 8:57 am
seems there was a lack of communication, my colleague had indeed created this role!
February 27, 2012 at 1:14 am
best to check what that role can do and then tie it back to people who are db_denydatawriter and db_executors.
in SQL a deny is higher than a grant, but in analysis services a grant is higher than a deny (just one of the backwards things in SSAS). so if the user in question is a member of each role, they shouldn't be allowed to insert/update/delete but if they are just in db_executors they can do whatever it is the role has access to do.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply