February 26, 2008 at 1:09 pm
Here is the scenario.
A user is a database owner, but has no access at all to master database. Now, the user would like to execute one stored procedure in master database. We only want to grant the execute permission to the user, but does not want to grant anything else, such as public.
What is the best way to do it?
Any input will be greatly appreciated.
February 26, 2008 at 1:46 pm
SQL ORACLE (2/26/2008)
Here is the scenario.A user is a database owner, but has no access at all to master database. Now, the user would like to execute one stored procedure in master database. We only want to grant the execute permission to the user, but does not want to grant anything else, such as public.
What is the best way to do it?
Any input will be greatly appreciated.
GRANT EXECUTE ON [ObjectName] TO [User]
February 26, 2008 at 8:34 pm
It is correct in syntax, but the user must be created in master database.
As described in my question, the user does not have any other access to master database. We do not want to this account to hold public permission to view anything in master database.
February 26, 2008 at 8:37 pm
Make a custom role in the database, grant execute to the role, and then give the user access to that role.
February 27, 2008 at 10:47 am
SQL ORACLE (2/26/2008)
Here is the scenario.A user is a database owner, but has no access at all to master database. Now, the user would like to execute one stored procedure in master database. We only want to grant the execute permission to the user, but does not want to grant anything else, such as public.
What is the best way to do it?
Any input will be greatly appreciated.
Is this a system sproc, originally found in master, or a custom-made sproc?
If the latter, may I suggest you create it in model db instead? master db is generally not a good place for user code.
See:
http://www.sqlservercentral.com/Forums/Topic457280-149-1.aspx
__________________________________________________________________________________
SQL Server 2016 Columnstore Index Enhancements - System Views for Disk-Based Tables[/url]
Persisting SQL Server Index-Usage Statistics with MERGE[/url]
Turbocharge Your Database Maintenance With Service Broker: Part 2[/url]
February 27, 2008 at 10:57 am
Ummm... neither is Model...
--Jeff Moden
Change is inevitable... Change for the better is not.
February 28, 2008 at 9:03 am
No don't create it in the model database as this acts as a template for user DBs to be created and your procedure will be created in all your new databases then. check if its a system procedure and then give necessary permissions only to master database.
Cheers,
Sugeshkumar Rajendran
SQL Server MVP
http://sugeshkr.blogspot.com
March 2, 2008 at 8:40 am
Sugesh Kumar (2/28/2008)
No don't create it in the model database as this acts as a template for user DBs to be created and your procedure will be created in all your new databases then. check if its a system procedure and then give necessary permissions only to master database.
Sugesh, you are right, I hadn't thought this through carefully enough.
It looks like one cannot avoid defining a generic custom object in at least one user database in every instance, and then have a way of referring to it from every other database, either as db_name.schema_name.object_name or as some kind of SYNONYM equivalent.
In the past I have placed such objects in master, but I have learned recently that this may not be a good idea.
Can people give some feedback as to why master is not a good choice?
__________________________________________________________________________________
SQL Server 2016 Columnstore Index Enhancements - System Views for Disk-Based Tables[/url]
Persisting SQL Server Index-Usage Statistics with MERGE[/url]
Turbocharge Your Database Maintenance With Service Broker: Part 2[/url]
March 2, 2008 at 9:25 am
The problem is, that YOU don't own Master... Microsoft does. They can put or remove anything they like, including code that doesn't belong to them, during any service pack or hot fix. Futher, unless you're really careful about what you name things, you could actually prevent a hot fix or sp from being installed or MS could just overwrite your stuff without any notification that it did.
At the very least, you need to very that all YOUR stuff is still in Master after every hot fix or sp and that the hot fix or sp actually works.
Think of it this way... if you make a change to your car's engine, you void the warranty...
--Jeff Moden
Change is inevitable... Change for the better is not.
March 2, 2008 at 10:12 am
Why does it have to be in master?
You cannot add the user to master without them being a member of public. That's a fundamental construct in SQL Server.
You can have a proc in another database that references objects in master or you can context switch (EXECUTE AS) to avoid giving rights, but you cannot add a user to master without them being a part of public.
March 3, 2008 at 12:06 am
Actually, you hit the nail on the head, Steve... there should be a database for utilitlity functions of this nature. I suggest the name of UTILITY? 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
March 3, 2008 at 1:23 pm
Steve Jones - Editor (3/2/2008)
You cannot add the user to master without them being a member of public.
Steve,
Sorry, I'm missing the point, can you elaborate? What are the implications of this?
Is it that such a user would be given unwarranted access to other resources in master?
__________________________________________________________________________________
SQL Server 2016 Columnstore Index Enhancements - System Views for Disk-Based Tables[/url]
Persisting SQL Server Index-Usage Statistics with MERGE[/url]
Turbocharge Your Database Maintenance With Service Broker: Part 2[/url]
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply