March 14, 2023 at 6:31 pm
All,
I would like to give a user permission to set system_versioning on or off on a table. I know that one way to do this is to give them control permission on the table. However I think that also gives them the ability to grant permissions and I don't think I can set a 'deny' on their ability to grant permissions?
If I understand correctly ownership chaining only applies to DML so creating a stored procedure which makes the change and allowing the user to execute that won't work?
I thought about creating a signed stored procedure which sets system_versioning on or off and giving the user the ability to execute that but I don't think that will help as that is also DML only? It also seems a complicated solution for this issue.
Is there a way of setting this up that I am missing?
Thanks
March 14, 2023 at 6:40 pm
If the proc as an appropriate "EXEC AS" clause, I would think it would work.
SQL DBA,SQL Server MVP(07, 08, 09) "It's a dog-eat-dog world, and I'm wearing Milk-Bone underwear." "Norm", on "Cheers". Also from "Cheers", from "Carla": "You need to know 3 things about Tortelli men: Tortelli men draw women like flies; Tortelli men treat women like flies; Tortelli men's brains are in their flies".
March 14, 2023 at 6:57 pm
All,
I would like to give a user permission to set system_versioning on or off on a table. I know that one way to do this is to give them control permission on the table. However I think that also gives them the ability to grant permissions and I don't think I can set a 'deny' on their ability to grant permissions?
If I understand correctly ownership chaining only applies to DML so creating a stored procedure which makes the change and allowing the user to execute that won't work?
I thought about creating a signed stored procedure which sets system_versioning on or off and giving the user the ability to execute that but I don't think that will help as that is also DML only? It also seems a complicated solution for this issue.
Is there a way of setting this up that I am missing?
Thanks
Are you talking about System Versioned Temporal Tables here?
--Jeff Moden
Change is inevitable... Change for the better is not.
March 14, 2023 at 7:03 pm
If the proc as an appropriate "EXEC AS" clause, I would think it would work.
Thank you for the suggestion. Sorry I forgot to mention this possibility in my original post. I am trying to avoid any type of impersonation.
Are you talking about System Versioned Temporal Tables here?
Thanks for your reply and yes I am.
March 14, 2023 at 9:22 pm
With the proviso that I don't know the exact situation...
The purpose of such a table is to audit what's happening to the data, no matter what. Are you absolutely sure that no one is going to "cook the books" while it's off?
--Jeff Moden
Change is inevitable... Change for the better is not.
March 15, 2023 at 8:00 pm
Can you explain further why you want to allow this user to enable/disable system versioning? As far as I am aware - the only reasons to temporarily disable versioning is to delete or truncate data or to switch data in/out of the current or history table.
There really are not any other reasons to turn it off - so why do they need to turn it off?
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
March 15, 2023 at 9:40 pm
Thanks for your replies.
In this case there are valid reasons for turning it off. We don't need an unchangeable audit.
I am also looking at using other methods for creating a history table rather than using system_versioning.
March 15, 2023 at 9:42 pm
Can you explain further why you want to allow this user to enable/disable system versioning? As far as I am aware - the only reasons to temporarily disable versioning is to delete or truncate data or to switch data in/out of the current or history table.
There really are not any other reasons to turn it off - so why do they need to turn it off?
I believe you also need to disable system versioning if you want to modify the table (add a column).
SQL DBA,SQL Server MVP(07, 08, 09) "It's a dog-eat-dog world, and I'm wearing Milk-Bone underwear." "Norm", on "Cheers". Also from "Cheers", from "Carla": "You need to know 3 things about Tortelli men: Tortelli men draw women like flies; Tortelli men treat women like flies; Tortelli men's brains are in their flies".
March 16, 2023 at 6:04 pm
Jeffrey Williams wrote:Can you explain further why you want to allow this user to enable/disable system versioning? As far as I am aware - the only reasons to temporarily disable versioning is to delete or truncate data or to switch data in/out of the current or history table.
There really are not any other reasons to turn it off - so why do they need to turn it off?
I believe you also need to disable system versioning if you want to modify the table (add a column).
Not true - you can add or drop columns without disabling system versioning. The only operations that require disabling system versioning are:
The first one falls under data retention - and there are several methods available including setting a retention policy. The other scenarios do require disabling system versioning, but those can be encapsulated in a stored procedure with appropriate execute rights - and in fact, all of the above items can be done through an appropriately permissioned procedure without having to grant additional rights to an individual or group.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
How to post questions to get better answers faster
Managing Transaction Logs
March 25, 2023 at 2:47 pm
All,
Apologies for my slow reply. Thank you for your help.
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply