November 4, 2015 at 3:12 am
Hi,
I have one windows login in the database called 'Company\developers'.A group of developers are members of this login. All the developers under this group are able to access all the objects they have permissions. But one user can not access couple of tables.
What could be the reason?
Where can I see all the users under this login and if a new developer needed to add to this group where can I add that developer to this group?
Thanks.
November 4, 2015 at 4:32 am
Hi,
You can take help of Windows admin to see and add members in this AD group because it is created on Active Directory (AD) and that is being managed by them.
Also 'Deny' permission overpower the 'Grant' permission. Hence check with help of Windows admin that user might be part of some other AD group for which certain restrictions are placed.
Cheers,
Ankur Arora
November 4, 2015 at 4:45 am
You can use xp_logininfo to enumerate the members of a group
EXEC xp_logininfo 'DOMAIN\GroupName', members;
The following will find all deny permissions on objects
select
accounts.name AS UserName,
OBJECT_NAME(major_id) AS Object,
permission_name,
state_desc
from sys.database_permissions perms
inner join sys.database_principals accounts
on perms.grantee_principal_id = accounts.principal_id
where state_desc = 'deny'
As Ankur detailed, the deny will override a grant, so take a look to see if the user has a deny or is in a group which has a deny on the objects in question
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply