I'm looking to create a database role within a database that allows the developer members of that role the ability to create/alter/drop procedures and functions. I do not want them to be able to create/alter/drop tables though, that is managed by a different team.
I found GRANT CREATE PROCEDURE/TABLE/FUNCTION, but I'm not able to allow them to ALTER/DROP the procedures/functions as well.
I have also tried:
CREATE ROLE developer
GRANT VIEW DEFINITION ON database::MyDb TO developer
GRANT ALTER ON DATABASE::MyDb TO developer
-- Above allows modification of procedures/functions, but also tables
DENY CREATE TABLE ON DATABASE::MyDb TO developer
-- Above denies create table, can still alter/drop tables, which I also want to prevent
Related
There is a table created by a Sysadmin. I would like both Sysadmin and Analyst role to be able to drop, modify, or replace the same table if possible. I understand we can change ownership of the table, but if both roles can drop, modify, or replace the table, that would be great.
This ANALYST role has limited access to snowflake databases and has following grant privileges:
USAGE (Databases)
CREATE TABLE, CREATE VIEW and USAGE (Schemas)
DELETE, INSERT, SELECT and UPDATE (Tables and Views)
Regarding Ownership: You are right, only one role can be the owner of an object at one particular point in time.
However, you can have several roles, which are able to DROP, MODIFY and REPLACE the same table. This can be achieved by either
Assigning the same privileges to the roles with two separate GRANT statements
Assigning Role A to Role B so that Role B is inheriting all the privileges from Role A
In SnowFlake, I want to provide access kind ofddl_admin in sql server to a user or role who can drop any tables in schema regardless anybody else is the owner of the table.
There is no concept of having a super role in Snowflake. Everything has to go by access hierarchy.
However, if all the roles are granted to ACCOUNTADMIN role then no matter which user creates the table, that can be dropped by ACCOUNTADMIN.
I got a request from our developers that,
They need a new user that need rights to create new databases
Alter those but should not be able to access the existing ones.
What's best practice for this kind of access?
Grant dbcreator and deny access on existing ones or is there a better way?
The SQL Server dbcreator doesn't give you rights to access databases by default. It might seem that way because when you create a new database, you are (often, unless specified otherwise) automatically owner of said database. And the owner of a database can do everything in said database.
But if a login has the server role of dbcreator, they can still drop databases that they do not own. They can create new databases or alter existing ones.
If your intention is to purely allow them to create new databases and manage only these. You should only give them the create permission.
USE MASTER
GO
GRANT CREATE ANY DATABASE TO Foo
GO
This still allows them to run ALTER statements to the databases they create (because they are owner of said databases). But not run alter (or drop) statements against existing databases.
USE MASTER
GO
CREATE DATABASE [OwnedDB] --Succeeds
GO
ALTER DATABASE [OwnedDB] SET RECOVERY SIMPLE WITH NO_WAIT --Succeeds
GO
ALTER DATABASE [UnownedDB] SET RECOVERY SIMPLE WITH NO_WAIT --Fails due to permissions
GO
SNOWFLAKE: Is it possible to grant a ROLE CREATE TEMPORARY TABLES but not PERMANENT tables?
The following snippet would not allow a role to CREATE TABLE, but allow CREATE TEMP tables. Also, the third command does not exist/work.
GRANT ALL PRIVILEGES ON SCHEMA myDB.mySchema TO ROLE myRole;
REVOKE CREATE TABLE ON SCHEMA myDB.mySchema FROM ROLE myRole;
GRANT CREATE **TEMPORARY** TABLE ON SCHEMA myDB.mySchema FROM ROLE myRole;
I can see many use cases where we want to limit a class of users from creating perm tables, but allow them to use scratch data.
That feature you are asking for is SNOW-62117 for reference, please ask about that with Snowflake Support.
Another option to consider for users to use scratch data is for an admin to create Views for scratch data.
https://docs.snowflake.net/manuals/sql-reference/sql/create-materialized-view.html
Or check out the data exchange to administer what types of scratch data you can use, depending on the use case. https://docs.snowflake.net/manuals/sql-reference/sql/create-materialized-view.html
Hope that helps!
How can I Grant some users permission to drop and create a single table only in the SQL 2005 database accessed by our VB.net 2005 Win app?
Some articles suggest Granting Control rights to the table but I cannot make this work. If you think this is teh way to go, can you show me the correct syntax?
You cannot assign DROP or CREATE permissions on a single table, as those are schema and database level permissions:
DROP TABLE requires ALTER permission on the schema to which the table belongs, CONTROL permission on the table, or membership in the db_ddladmin fixed database role.
CREATE TABLE requires CREATE TABLE permission in the database and ALTER permission on the schema in which the table is being created.
If the user has control permissions on the table they may be able to drop it, but you would not be able to create it again. There are two approaches that you could take depending on your requirements:
If you simply need to change the structure of the table, you should use the TRUNCATE TABLE statement to delete all the records (without logging) and then use the ALTER TABLE statement to add/remove columns.
If you really want the user to be able to drop and then create the table again you will need to create the table in a different schema and assign the user the correct permissions for that schema. See this article about using schemas in MS SQL to get you started. Once you have the table in a separate schema you can grant the db_ddladmin role for the new schema to the user and they should be able to create and delete only tables in that schema.
Use this:
DENY ALTER ON SCHEMA::dbo
But this doesn't prevent the user from granting back this right to himself.