I'm not the member of db_datareader database role but still I'm able to do select operation on tables. In which scenario it is required to add users to this role?
How is it possible to do select operations without being the member of db_datareader?
If you are a member of another role with select granted for the object, you can do the select. db_datareader is a fixed role that bypasses select grants (you cannot revoke select for a user with db_datareader).
Related
In some documents, it is said that when you make a database user a member of a DB_owner role, you cannot revoke some permissions from that user, because in fact, by doing so, you will violate the properties of the DB_owner. But I simply made a user a member of this role and then denied the select permission from that user. The result was that the user simply cannot select from the query and view the rows. Why did this problem arise?
ALTER ROLE db_owner ADD MEMBER NewAccount
DENY SELECT ON dbo.TestTable TO NewAccount
it is said that when you make a database user a member of a DB_owner
role, you cannot revoke some permissions from that user
No that isn't correct as your experiment shows. Presumably the confusion is from the "Summary of the permission check algorithm" which says
Bypass the permission check if the login is a member of the sysadmin
fixed server role or if the user is the dbo user in the current
database.
But "dbo user" and "member of DB_owner role" are not equivalent.
For example: if user named Henry123 belongs to group h1234 i.e., LOGON\h1234\Henry123', we should revoke db_datareader role from Henry123 user but shouldn't drop user from the h1234 group.
What's the way to do it from SQL Server database?
I am new to SQL Server. Kindly provide a solution to this problem.
If the role has been given to the group and you want to remove the privilege done by a role to a member of the group without removing this user from the group, you must use the DENY command.
In your case :
DENY SELECT TO Henry123;
I'm gIven the problem:
Write a script that creates a user-defined role named VendorMaintenance in the AP database. Give update permissions to that role on the Vendors table and Select permission on the Invoice and InvoiceLineItems table. Assign the VendorMaintenance role to dbMaster.
I've looked through my textbook and came up with this incorrect solution.
USE AP
GO
CREATE SERVER ROLE VendorMaintenance
GO
GRANT UPDATE
ON Vendors
TO VendorMaintenance
GO
GRANT SELECT
ON Invoices
TO VendorMaintenance
GO
GRANT SELECT
ON InvoiceLineItems
TO VendorMaintenance
GO
ALTER SERVER ROLE VendorMaintenance ADD MEMBER dbMaster
GO
It says that VendorMaintenance isn't a user, and its not. but I need to grant these permissions to the role and then assign users to that role. Also is there a better way to write this?
For a user-defined database role, the syntax is as below. The role will be created in the current database context.
USE AP;
GO
CREATE ROLE VendorMaintenance;
GO
CREATE SERVER ROLE creates a user-defined server role, which is used to grant server-scoped permissions rather than permissions on database-scoped objects.
I've set up the following scenario:
The Demo_DB is owned by the sysadmin role. The Demo_Schema was created and is owned by Demo_Developer role. All the objects in Demo_Schema are owned and have been created by the Demo_Developer role.
AccountAdmin created a new role called Demo_Analyst, which the intent is to set up as a read-only user of the Demo_Schema tables. Demo_Developer successfully executed the following grant (assuming because it is the owner of all the tables in the Demo_Schema):
use role Demo_Developer;
grant select on all tables in schema Demo_DB.Demo_Schema to role Demo_Analyst;
However, neither Demo_Developer or event SysAdmin (which belongs to the Demo_Developer role) can execute the following:
use role sysadmin;
grant select on FUTURE tables in schema Demo_DB.Demo_Schema to role Demo_Analyst;
However, the above will execute using the AccountAdmin role. This seemed strange to me at first, but then I reasoned that maybe we won't know which future tables will be created by which owners, so we need an AccountAdmin to grant FUTURE. Is that correct?
I did some more testing and changed ownership of one of the tables in Demo_Schema to a completely different role that Demo_Developer isn't a part of. Then I tried to grant select on all tables using that Demo_Developer again (first statement above), and this time it didn't grant to all tables, but just to the tables Demo_Developer was the owner of.
So I wonder why the attempted grant on FUTURE tables doesn't work the same way - i.e. grant select on future tables owned by the grantor of the future grant.
So my question is: Why do I need an AccountAdmin to grant select on Future tables, but I can use the owner role (Demo_Developer) to grant select on all current tables?
Did you see this in the usage notes?
The MANAGE GRANTS global privilege is required to grant or revoke privileges on future objects at the database level. By default, only the SECURITYADMIN and ACCOUNTADMIN roles have the MANAGE GRANTS privilege.
I have almost 20+ Databases each db contains lot of procedure trigger view etc, also have development windows user group, i have to give view and execute privilege to the group members. Also read,write,update,delete privilege to tables. How i can give all together ?
I am using SQL 2012
At a pure guess, and assuming the AD group already has a user on the database. You'll need to replace parts in the braces ({})
USE {Your Database};
GO
--create an executor role
CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;
GO
--Add AD group to roles.
ALTER ROLE db_datareader ADD MEMBER [{Your Domain}\{The AD Group}];
ALTER ROLE db_datawriter ADD MEMBER [{Your Domain}\{The AD Group}];
ALTER ROLE db_executor ADD MEMBER [{Your Domain}\{The AD Group}];