September 1, 2011 at 10:05 am
I have a user who is a db_owner on a database. However, when he tries to insert to a table, it fails saying that he does not have permission to insert. It's not just this table, but in other tables too. I just couldn't figure out why. So, I removed his login and add it back but he still cannot insert. Can someone help me ? Thanks in advance.
We use SQL 2008 (Enterprise Edition) SP2 on Windows 2003 Server SP2, both 64-bit.
September 1, 2011 at 10:11 am
is there a trigger on the table that is inserting into an audit table somewhere? maybe it's permissions on the Triggers Audit table that the user has no permissions for.
Lowell
September 1, 2011 at 11:40 am
Thanks for getting back to me. There is no triggers either at table level or database level. Are there anything else I should check ?
September 1, 2011 at 11:51 am
"deny" prevails over "grant" permissions... may be the user is added to some group with deny permissions...
Cheers
September 1, 2011 at 12:04 pm
well, it's one thing to *think* he ahs db_owner, and another one to check.
run these queries in the database in question:
select
userz.name,
userz.type_desc,
decripz.name as _member_of_this_role
from sys.database_principals userz
inner join sys.database_role_members rolez
on userz.principal_id = rolez.member_principal_id
inner join sys.database_principals decripz
on rolez.role_principal_id = decripz.principal_id
is he really in the db_owner role?
next, lets EXECUTE AS that specific user and see what his permissions are:
--Change into the user and see if he's normal
EXECUTE AS USER='mydomain\ClarkKent' --or a SQl role EXECUTE AS USER='Bob'
select * from fn_my_permissions(null,'SERVER')
select * from fn_my_permissions(null,'DATABASE')
REVERT;--change back into superman.
Lowell
September 1, 2011 at 1:23 pm
Ankur, thanks for you suggestion and that was the problem - one pf the NT group has db_denywriter checked.
Thanks to all for helping me.
September 1, 2011 at 1:34 pm
Lowell, thanks for the SQL code -- the first SELECT statement -- that was very helpful so that I don't have open each NT group manually to see what's in it.
September 1, 2011 at 1:47 pm
Lowell,
When I ran the (first) SQL statement in a specific database, for some reason, it doesn't show all the users.
September 1, 2011 at 2:00 pm
jimmycjen (9/1/2011)
Lowell,When I ran the (first) SQL statement in a specific database, for some reason, it doesn't show all the users.
that might be normal, if domain users get their access from a group.
for example, TheDomain\jimmycjen might not show up, but the group TheDomain\BusinessUsers DOES show up,a dn you are part of that Active Directory Group.
Lowell
September 1, 2011 at 2:20 pm
I just found out that if no "role members" is selected in a group, even if the group exists, it won't show the group.
Thank you so much for your input.
Viewing 10 posts - 1 through 9 (of 9 total)
You must be logged in to reply to this topic. Login to reply