February 10, 2016 at 9:36 am
How to provide full dml/ddl permissions on a db (all schemas,all objects including [dbo]) with out providing [db_owner] rights?
February 10, 2016 at 9:40 am
Not sure why you want to do that, surely setting all the same permissions as dbo would be the same as assigning the user to the db_owner fixed role?
Or is there something within dbo permissions that you want to omit?
February 10, 2016 at 9:51 am
Thanks. I would like to exclude the following:
Drop database
Alter/Drop db files (ndf/ldf)
View/edit/drop users/roles
Deny permissions on certificates/symmetric keys
February 11, 2016 at 1:36 am
SQL!$@w$0ME (2/10/2016)
Thanks. I would like to exclude the following:Drop database
Alter/Drop db files (ndf/ldf)
View/edit/drop users/roles
Deny permissions on certificates/symmetric keys
what all permission you want to give??
datareader,datawriter,db_executor,ddladmin will work for you i guess
February 11, 2016 at 6:03 am
User get a warning/error when alter existing table with these rights.
I've attached the screenshots of the warnings.
February 11, 2016 at 7:03 am
SQL!$@w$0ME (2/11/2016)
User get a warning/error when alter existing table with these rights.
What is the command that the user executes and what is the error/warning returned?
Membership of DB_DDLADMIN should give sufficient permissions to perform an ALTER TABLE statement.
February 11, 2016 at 8:27 am
According to this:
https://technet.microsoft.com/en-us/library/ms189612(v=sql.90).aspx
ddl_admin does not have alter table, it does seem to have alter everything else though.
Tbh I would just give the user db_owner and tell them not to delete any users, or delete the database. They won't be able to delete any mdf or ldf files if sql server us running anyway, so that one is covered off.
February 11, 2016 at 8:34 am
SQLSlammer (2/11/2016)
They won't be able to delete any mdf or ldf files if sql server us running anyway, so that one is covered off.
Are you sure about that? If you drop the database, you delete the files with it (assuming the database is online when you drop it).
John
February 11, 2016 at 8:41 am
John Mitchell-245523 (2/11/2016)
SQLSlammer (2/11/2016)
They won't be able to delete any mdf or ldf files if sql server us running anyway, so that one is covered off.Are you sure about that? If you drop the database, you delete the files with it (assuming the database is online when you drop it).
John
Well yeah, but as the dropping of databases and the deleting of files were listed as separate items I assumed the OP meant browsing through the file system and manually trying to delete the files, which you can't do if SQL server is running.
February 11, 2016 at 8:51 am
Yes, I see what you mean, although I interpreted that requirement as referring to ALTER DATABASE...REMOVE FILE and ALTER DATABASE..MODIFY FILE statements.
John
February 11, 2016 at 9:28 am
SQLSlammer (2/11/2016)
ddl_admin does not have alter table, it does seem to have alter everything else though.
This is incorrect, DB_DDLadmin provides ALTER on any schema which provides ALTER and so TRUNCATE on any table in any schema
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 11, 2016 at 9:45 am
I not sure that alter schema permissions means alter any object within that schema, I think it refers to the following:
https://msdn.microsoft.com/en-us/library/ms173423.aspx
The OP has already tried to alter a table with ddl_admin permissions and still received an error.
February 11, 2016 at 9:48 am
go test it yourself!!
ALTER ANY SCHEMA is implied by DB_DDLAdmin, this grants alter across any schema and so across any table.
I've just done exactly the same myself
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
February 11, 2016 at 10:03 am
Ok you're right, I just tried also with a test login with db_ddladmin only and I was able to truncate a table and add a column.
You have to admit the terminology "Alter Schema" is somewhat confusing though.
February 11, 2016 at 10:10 am
It's at least all documented, whatever we may think of the terminology :-).
At https://msdn.microsoft.com/en-us/library/ms191291.aspx, it shows in the SQL Server Permissions chart that ALTER SCHEMA implies ALTER OBJECT, and https://technet.microsoft.com/en-us/library/ms189612(v=sql.105).aspx states that ddladmin implies ALTER ANY SCHEMA.
Cheers!
Viewing 15 posts - 1 through 15 (of 19 total)
You must be logged in to reply to this topic. Login to reply