June 2, 2017 at 1:35 am
Good morning
i have a domain windows group.They may only read and write data from any database.But they may not alter anything within the database,like create a database,create or alter tables or views.
I have given then db_datareader and db_datawriter on all databases.But how do I go about to deny them any alterations?
thank you
June 2, 2017 at 2:16 am
Hi,
the one thing are DML operations, and the other are DDL operations:
DDL ==> Data Definition Language, to create table, database and so on
(https://en.wikipedia.org/wiki/Data_definition_language
DML ==> Data Manipulation Language, to reade and update some data
(https://en.wikipedia.org/wiki/Data_manipulation_language)
If you just give the user the datareader and writer, they are not able to create something new in the database.
Kind regards
Andreas
June 2, 2017 at 2:16 am
If the only permissions they have are those you mentioned, they won't be able to do the things you don't want them to. But if you're worried about them getting access, for example, through membership of another group, try DENYing ALTER permission on one or more schemas, or at the database level.
John
June 2, 2017 at 2:40 am
Thank you very much,denied the user also alter database and create database.Just to make sure they do not get access through any other group.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply