April 5, 2011 at 1:15 am
There are several customer databases (CustomDB1, CustomerDB2,...)and one admin (AdminDB) database in the Server. I need to create such the Server/DataBase role, that has permissions to do : select, insert, update, delete, exec SP only on CustomerDB1 and AdminDB, and has no access to CusotmerDB2, CusotmerDB3 and so on.
Help!
April 5, 2011 at 1:56 am
Dear,
Keep in mind start with the minimum privileges.
🙂
Thanks
April 5, 2011 at 2:04 am
Looks to me like you want to allow the user to read and write all data, but not change the structure of the database. Grant the database role of db_datareader and db_datawriter for the databases that you desire them to have this access.
Jim
Jim Murphy
http://www.sqlwatchmen.com
@SQLMurph
April 5, 2011 at 6:55 am
You also mentioned allowig exec on all SPs...for that you can grant EXEC to a user at the schema or database level but this will also allow said user to execute all user-defined functions as well. If you only want them to execute procedures and not functions you'll have to do that one by one.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 5, 2011 at 7:04 am
As opc.three told, if you required to give permission for each sp, write an sp with UserName, Schema, and Permission parameters. Internally you can get the SPs under the schema and create a dynamic GRANT/DENY query and execute it.
_____________________________________________
One ounce of practice is more important than tonnes of dreams
April 15, 2011 at 5:46 am
In addition to permissions: : select, insert, update, delete, exec SP only on CustomerDB1 and AdminDB, the "limited user" has to has also possibility to "TRUNCATE TABLE"
From http://msdn.microsoft.com/en-us/library/ms177570.aspx I can see that the "limited user" can not do it.
I tried to apply:
CREATE PROCEDURE TruncateMyTable
WITH EXECUTE AS SELF
AS TRUNCATE TABLE
but it returns the error message:
"Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission."
How to grand truncate table permissions without granting owner rights?
Thanks a lot for all your help!
April 15, 2011 at 6:50 am
Using EXECUTE AS is the approach I have used but only when using a database user with no associated server login as a proxy. This article from Erland should get you there:
http://sommarskog.se/grantperm.html#EXECUTE_AS
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply