November 8, 2017 at 9:52 am
Hi,
I have an application that there are mystery deletes occurring (long story). My users would like if there was a way for me to deny the ability to delete on the SQL DB and then via a SQL script be temporarily enable these user to do deletes.
Is this possible? What are my options?
November 8, 2017 at 10:03 am
How are your users connecting to the SQL database? Do the users connect via Intergrated Security through the application, or does that application have its own Login that fulfils the requests of the user's using the application?
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
November 8, 2017 at 10:14 am
Yes if you know the login/logins at fault you can certainly script out the grant/deny permissions on the objects in question.
November 8, 2017 at 10:18 am
The users connect via integrated security.
Was thinking I could something like:
DENY DELETE ON Customers to Joe, Mary
GRANT DELETE ON Customers to Joe, Mary
November 8, 2017 at 11:03 am
Granting a user permission to do something when they have a deny permission will not work. DENY > GRANT. For that tio work, you would need to REVOKE the user's permission and then GRANT the user's permission.
One idea I have would be to create a Role and add those users to that role. That role has the DENY permission on DELETE, while all the users have the GRANT permission on DELETE. Then, if a user (albeit temporarily) requires permission to DELETE, remove them from the role and add them back afterwards.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
November 8, 2017 at 11:08 am
Thom A - Wednesday, November 8, 2017 11:03 AMGranting a user permission to do something when they have a deny permission will not work. DENY > GRANT. For that tio work, you would need to REVOKE the user's permission and then GRANT the user's permission.One idea I have would be to create a Role and add those users to that role. That role has the DENY permission on DELETE, while all the users have the GRANT permission on DELETE. Then, if a user (albeit temporarily) requires permission to DELETE, remove them from the role and add them back afterwards.
I like that idea with the roles. Modifying membership for the roles seems cleaner than messing around with object level permissions.
Sue
November 8, 2017 at 12:02 pm
Thom A - Wednesday, November 8, 2017 11:03 AMGranting a user permission to do something when they have a deny permission will not work. DENY > GRANT. For that tio work, you would need to REVOKE the user's permission and then GRANT the user's permission.One idea I have would be to create a Role and add those users to that role. That role has the DENY permission on DELETE, while all the users have the GRANT permission on DELETE. Then, if a user (albeit temporarily) requires permission to DELETE, remove them from the role and add them back afterwards.
Thanks Thom - I'm gonna give that a shot.
Viewing 7 posts - 1 through 6 (of 6 total)
You must be logged in to reply to this topic. Login to reply