Deny the 'drop database' right to a user with dbcreator server role
-
Hey guys,
Hopefully a quickie.
I hahve a user who wants to restore databases from a specific folder.
I've got most of it figured but want to revoke the 'dbcreator' access of allowing database deletion.
DENY DELETE TO {user} - doesnt work.
Advise please
Adam Zacks-------------------------------------------Be Nice, Or Leave
-
Allocate the rights to "ROLE", not user.
-
Thanks for your reply.
Can you explain what you mean?
Adam Zacks-------------------------------------------Be Nice, Or Leave
-
something like this example might help.
I'm creating 3 roles...one that is almost-but-not-quite-admin, one for regular users, and a third to explicity deny deletion rights.
i then assign various users to those roles so that together, they give or take away the permissions i want them to have.
--create the Role for my Dev guysCREATE ROLE [WhateverDEVAdmins]ALTER AUTHORIZATION ON SCHEMA::[db_ddladmin] TO [WhateverDEVAdmins]ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVAdmins]ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVAdmins]--create role for my normal usersCREATE ROLE [WhateverDEVUsers]ALTER AUTHORIZATION ON SCHEMA::[db_datareader] TO [WhateverDEVUsers]ALTER AUTHORIZATION ON SCHEMA::[db_datawriter] TO [WhateverDEVUsers]--assign my two admins to my more powerful roleEXEC sp_addrolemember N'WhateverDEVAdmins', N'bob'EXEC sp_addrolemember N'WhateverDEVAdmins', N'jeff'--assign my ordinary role to the login for network usersEXEC sp_addrolemember N'WhateverDEVUsers', N'NT AUTHORITY\Authenticated Users'--create the Role to prevent deletionsCREATE ROLE [WhateverPreventDeletions]--prevent my almost-admins from deleting dataDENY DELETE TO [WhateverPreventDeletions]EXEC sp_addrolemember N'WhateverPreventDeletions', N'bob'EXEC sp_addrolemember N'WhateverPreventDeletions', N'jeff'Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible! -
Hey Lowell,
Cool avatar btw. I have already tried DENY DELETE TO {user} and it doesnt work (my guess is that for some reason the DBCREATOR server role overwrites it}. Any other ideas?
Basically all the user needs to do is restore one database withe the same backup file over and over again...
Thought this would be simple(s)
Adam Zacks-------------------------------------------Be Nice, Or Leave
-
doh i'm sorry; i jumped to conclusions and thought the question was "how to assign/deny permissions to a role" ; Lemme test a couple of thoeries and i'll post the results.
I belive I have an example of a "normal" user calling a stored procedure, and the stored procedure (in master) runs with EXECUTE AS for elevated permissions to restore a database.
I need to make sure it still works, but that was how I did it before....so the end user never had dbowner/creator rights at all.
Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply