January 11, 2010 at 11:46 am
Hey,
My last question didn't get much help, so I thought I would ask a more direct one with fewer parts. How do I enable 'Allow modifications to be made directly to the system catalogs' with SQL?
Thanks
January 11, 2010 at 11:52 am
since 2005, it's no longer possible. the old SQL 2000 syntax is ignored.
what is it you think you want to change, that cannot be done with the normal commands?
Lowell
January 11, 2010 at 12:10 pm
First thanks for the reply,
Secondly, I am trying to delete access to Object Permissions for the public user. (I am not worried about the side effects, it has to be done.) The SQL command I am using deletes all of the Object Permissions for public except 26. Now I have read that if I don't enable the 'Allow modifications to be made directly to the system catalogs' I can't delete them all, and I am assuming this is the problem which I am facing. Is there a workaround in 2005 or am I just screwed?
January 11, 2010 at 12:17 pm
That 26 is the number of Object Permissions, sorry, I should have clarified that!
January 11, 2010 at 12:21 pm
let's look at the details....show us the SQL you are using to identify objects you want to take away access from; that will really let us help you better.
if it is things like views for sysobjects or something like that, that would be an example of a change you cannot make.
from BOL:
http://msdn.microsoft.com/en-us/library/bb669065.aspx
The public Role
The public role is contained in every database, which includes system databases. It cannot be dropped and you cannot add or remove users from it. Permissions granted to the public role are inherited by all other users and roles because they belong to the public role by default. Grant public only the permissions you want all users to have.
Lowell
January 11, 2010 at 12:31 pm
USE [database name]
SELECT u.name 'User', o.name 'Object', p.permission_name 'Action'
FROM sys.database_permissions p, sys.database_principals u, sys.all_objects o
WHERE o.object_id = p.major_id
AND p.grantee_principal_id = u.principal_id
AND p.grantee_principal_id IN (0, 2)
ORDER BY u.name, o.name, p.permission_name
It is displaying a list of SELECT and EXECUTE. I can delete all except the last 26, which are a mix of the two.
January 11, 2010 at 12:49 pm
Use the REVOKE statement to remove permissions.
Example
REVOKE SELECT on SomeTable TO Public
Specific statement depends on what the objects are.
Directly editing the system tables, even on SQL 2000, was just asking for a corrupt database. I had to clean up often enough after people who just wanted to quickly edit the system tables and not care about the side effects (which can be a completely unusable database if you're not careful)
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
January 11, 2010 at 12:57 pm
What is the purpose of removing that access from the public role? What is it you are trying to accomplish here?
Take a look at VIEW DEFINITION in books online. I think that might be what you are trying to get at.
Jeffrey Williams
“We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”
― Charles R. Swindoll
January 11, 2010 at 1:39 pm
- I already have the Revoke applied; my code uses a cursor to run through each Object name. Unfortunately though there are a few that it's not sufficient to delete. I appreciate your concern, but I implied I don't care about the side effects to avoid a lecture. Plus I am installing the SQL and running this script to set it up. No unfortunate DBAs or SAs will get stuck cleaning it up.
- I have to delete these permissions from the user, because it's a secure system. So we cannot allow anyone assigned to Public to have any access.
January 11, 2010 at 3:22 pm
ok i think i'm following along; i created a brand new database in SQL 2005, and ran the following script to generate the revoke statements; i think the difference for me is i'm specifically getting the schema name of the objects as well, and that is allowing me to drop access to things like sys.all_columns:
--CREATE DATABASE [SandBox]
GO
USE [SandBox]
-- Generate (but do not execute) one REVOKE statement per object permission
-- held by principal_id 0 (public) or 2 (guest).
-- Names are sysname (nvarchar(128)); a shorter type would truncate long names.
SELECT
    'REVOKE ' + convert(nvarchar(128),x.[Action])
    + ' on ' + x.[Schema]
    + '.' + convert(nvarchar(128),x.[Object])
    + ' TO ' + convert(nvarchar(128),x.[User]) COLLATE Latin1_General_CI_AS
FROM (
    SELECT
        u.name COLLATE Latin1_General_CI_AS AS 'User',
        schema_name(o.schema_id) As 'Schema',   -- schema-qualify so sys.* objects resolve
        o.name COLLATE Latin1_General_CI_AS AS 'Object' ,
        p.permission_name COLLATE Latin1_General_CI_AS AS 'Action'
    --into tmp
    FROM sys.database_permissions p, sys.database_principals u, sys.all_objects o
    WHERE o.object_id = p.major_id
    AND p.grantee_principal_id = u.principal_id
    AND p.grantee_principal_id IN (0, 2)
) X
Lowell
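An added example (not code from any poster in this thread): a variant of the generate-then-review approach above that quotes identifiers with QUOTENAME and also emits statements for column-, schema- and database-level grants to public. It goes beyond the object-level case discussed in the thread, and the output column names are chosen here for illustration.

```sql
-- Added example: generate (not execute) REVOKE statements for permissions
-- granted to the public role, one statement shape per securable class.
-- Run in the target database and review the output before executing any of it.
SELECT
    p.class_desc,
    p.state_desc,
    CASE WHEN p.class = 1 THEN o.is_ms_shipped END AS is_ms_shipped,
    N'REVOKE ' + p.permission_name COLLATE DATABASE_DEFAULT
    + CASE p.class
        WHEN 0 THEN N''                                    -- database-level grant
        WHEN 1 THEN N' ON OBJECT::'                        -- object or column grant
                    + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
                    + CASE WHEN p.minor_id > 0
                           THEN N' (' + QUOTENAME(c.name) + N')'
                           ELSE N'' END
        WHEN 3 THEN N' ON SCHEMA::' + QUOTENAME(SCHEMA_NAME(p.major_id))
      END
    + N' FROM ' + QUOTENAME(u.name)
    -- a grant made WITH GRANT OPTION can only be revoked with CASCADE
    + CASE WHEN p.state = 'W' THEN N' CASCADE' ELSE N'' END
    + N';' AS revoke_statement
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u
    ON u.principal_id = p.grantee_principal_id
LEFT JOIN sys.all_objects AS o
    ON p.class = 1 AND o.object_id = p.major_id
LEFT JOIN sys.all_columns AS c
    ON p.class = 1 AND c.object_id = p.major_id AND c.column_id = p.minor_id
WHERE u.name = N'public'
  AND p.class IN (0, 1, 3)        -- database, object/column, schema
  AND p.state IN ('G', 'W')       -- skip DENY rows: revoking a DENY loosens access
ORDER BY p.class, revoke_statement;
```

A NULL in revoke_statement marks a permission row whose object could not be resolved through sys.all_objects, so it needs a manual look rather than a generated statement.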
January 11, 2010 at 10:04 pm
Lowell (1/11/2010)
since 2005, it's no longer possible. the old SQL 2000 syntax is ignored.
Just for the record, it is still possible (and documented). I'm not going to go into details on this particular thread though 😉
January 11, 2010 at 10:22 pm
yeah i had read an article about how to update 2005+ system catalogs as well; after all, service packs need the ability to do it, so it has to exist, it's just not so obvious any more.
Lowell
January 11, 2010 at 10:24 pm
Lowell (1/11/2010)
ok i think i'm following along; i created a brand new database in SQL 2005, and ran the following script to generate the revoke statements; i think the difference for me is i'm specifically getting the schema name of the objects as well, and that is allowing me to drop access to things like sys.all_columns:...
Nice script Lowell. I also like that the script does not immediately execute the Revoke statements.
Jason...AKA CirqueDeSQLeil
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
January 12, 2010 at 8:57 am
Hey guys,
Thanks for the responses, they are really helping. When I incorporated searching for the schema instead of just using sys., I was actually able to knock 26 down to 21. Then, as silly as this sounds, one of my variables needed to be lengthened in order and that brought it down to 20. However, I am still trying to get rid of those last few! Paul, would you at least be willing to point me towards some resources to help me figure out how to enable 'allow modifications to be made directly to the system catalog'?
Thanks,
January 12, 2010 at 9:05 am
Lowell's script worked just fine for me.
Perhaps if you were to share the script you are using and details of the objects which aren't working...?
You really don't want to modify the system catalogues directly. Even if you think you do. 🙂