Create new user role

  • There are several customer databases (CustomDB1, CustomerDB2,...)and one admin (AdminDB) database in the Server. I need to create such the Server/DataBase role, that has permissions to do : select, insert, update, delete, exec SP only on CustomerDB1 and AdminDB, and has no access to CusotmerDB2, CusotmerDB3 and so on.

    Help!

  • Dear,

    Keep in mind start with the minimum privileges.

    🙂

    Thanks

  • Looks to me like you want to allow the user to read and write all data, but not change the structure of the database. Grant the database role of db_datareader and db_datawriter for the databases that you desire them to have this access.

    Jim

    Jim Murphy
    http://www.sqlwatchmen.com
    @SQLMurph

  • You also mentioned allowig exec on all SPs...for that you can grant EXEC to a user at the schema or database level but this will also allow said user to execute all user-defined functions as well. If you only want them to execute procedures and not functions you'll have to do that one by one.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • As opc.three told, if you required to give permission for each sp, write an sp with UserName, Schema, and Permission parameters. Internally you can get the SPs under the schema and create a dynamic GRANT/DENY query and execute it.

    _____________________________________________
    One ounce of practice is more important than tonnes of dreams

  • In addition to permissions: : select, insert, update, delete, exec SP only on CustomerDB1 and AdminDB, the "limited user" has to has also possibility to "TRUNCATE TABLE"

    From http://msdn.microsoft.com/en-us/library/ms177570.aspx I can see that the "limited user" can not do it.

    I tried to apply:

    CREATE PROCEDURE TruncateMyTable

    WITH EXECUTE AS SELF

    AS TRUNCATE TABLE

    but it returns the error message:

    "Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission."

    How to grand truncate table permissions without granting owner rights?

    Thanks a lot for all your help!

  • Using EXECUTE AS is the approach I have used but only when using a database user with no associated server login as a proxy. This article from Erland should get you there:

    http://sommarskog.se/grantperm.html#EXECUTE_AS

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply