SQL Server admin: 1 user belongs to 2 user groups, permission conflict - sql-server

I have a question about one user belonging to two different user groups in SQL Server; I am trying to manage object permissions in the server.
In our database there is one view containing sensitive information that only certain people can see, and most of our users are managed in groups,
such as: Sales Group, Manager Group.
Ideally, we want to grant permission only to the Manager Group and deny permission to all the other users.
Let's say manager John is in the Manager group, but he is also in the Sales Group since he is the manager of the Sales department.
My understanding is that if one user is in two different user groups and you deny permission to either of the groups, then even if the user has been granted permission in the other, he still cannot see the object.
How can I overcome this situation?
Thanks!

Replying to my own question: we found the solution.
Under database security, we can create database roles; in a database role we can assign single-table permissions to different roles, and then we assign the database role to the user group. In this case, for example:
There are 3 tables in the database.
Table A is the one with credential information; only managers can see it.
Tables B and C are just regular tables.
Create the database role 'Normal Access' and grant permission to tables B and C.
Then create another database role 'Credential Access' and grant permission to table A.
In your server-level security, all the user groups should belong only to 'Public' at the server roles level,
and in User Mapping, select the database and choose only the database role you assign.
In my case, assign the database roles 'Normal Access' and 'Credential Access' to the Manager group, so it will have all the access to tables A, B and C.
The Sales Group should only have 'Normal Access', so it cannot access table A.
Thanks
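The role layout from the answer above as a T-SQL script, followed by an audit query showing who reaches the sensitive table and through which role. This is an added example, not code from the original post; the database name, the Windows group names [CORP\Sales] and [CORP\Managers] (assumed to exist as server logins) and the table names dbo.A, dbo.B, dbo.C are assumptions.

```sql
-- Added example (not from the original post). Assumed names: database [AppDb],
-- Windows group logins [CORP\Sales] and [CORP\Managers], tables dbo.A (sensitive),
-- dbo.B and dbo.C.
USE AppDb;
GO
-- Map each group login to a database user; the logins stay in the Public server role only.
CREATE USER [CORP\Sales]    FOR LOGIN [CORP\Sales];
CREATE USER [CORP\Managers] FOR LOGIN [CORP\Managers];

-- Permissions live on roles, never directly on the group users.
CREATE ROLE [Normal Access];
CREATE ROLE [Credential Access];
GRANT SELECT ON dbo.B TO [Normal Access];
GRANT SELECT ON dbo.C TO [Normal Access];
GRANT SELECT ON dbo.A TO [Credential Access];

-- Membership decides who sees A. John, who is in both Windows groups, gets the
-- union of the grants: Sales gives him B and C, Managers adds A.
ALTER ROLE [Normal Access]     ADD MEMBER [CORP\Sales];
ALTER ROLE [Normal Access]     ADD MEMBER [CORP\Managers];
ALTER ROLE [Credential Access] ADD MEMBER [CORP\Managers];

-- No DENY anywhere: a DENY SELECT ON dbo.A TO [CORP\Sales] would override the GRANT
-- John inherits through [CORP\Managers]. Sales is simply not granted A.
GO

-- Audit: every principal that holds a permission on dbo.A, either directly or as a
-- member of a role that holds it (one level of role membership is resolved).
SELECT COALESCE(p.name, g.name)                                   AS principal,
       CASE WHEN g.type = 'R' THEN g.name ELSE '(direct)' END     AS via_role,
       pe.state_desc,                                             -- GRANT or DENY
       pe.permission_name
FROM sys.database_permissions        AS pe
JOIN sys.database_principals         AS g  ON g.principal_id  = pe.grantee_principal_id
LEFT JOIN sys.database_role_members  AS rm ON rm.role_principal_id = g.principal_id
LEFT JOIN sys.database_principals    AS p  ON p.principal_id  = rm.member_principal_id
WHERE pe.class = 1                          -- 1 = object or column
  AND pe.major_id = OBJECT_ID('dbo.A')
ORDER BY principal, via_role;
```

Any row with state_desc = DENY in the audit output explains a "permission was denied" error for a member of that principal, whatever other grants the member holds.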

Related

How to revoke role access for a user belonging to a group in SQL Server

For example: if a user named Henry123 belongs to group h1234, i.e., LOGON\h1234\Henry123, we should revoke the db_datareader role from the Henry123 user but shouldn't drop the user from the h1234 group.
What's the way to do it from the SQL Server database?
I am new to SQL Server. Kindly provide a solution to this problem.
If the role has been given to the group and you want to remove the privilege granted by a role from a member of the group without removing this user from the group, you must use the DENY command.
In your case:
DENY SELECT TO Henry123;

How can I grant only READ access to a Single table in Sql Server Database

I want to provide only READ access to a single table in a SQL Server database for a given user, xyz.
I have gone through these questions:
How do I grant read access for a user to a database in SQL Server?
Granting a SQL Server Login Access to a Database - SQL Server
best way to grant read only access to 2 tables in SQL Server 2005?
But it raises some fundamental questions for me: what is the difference between giving the access through a role and through a user name?
Kindly provide an efficient way to do this.
I have gotten around this problem in this manner:
CREATE LOGIN xyz
WITH PASSWORD = 'PASSWORD';
After the login for xyz is created, create a user for the login just created:
CREATE USER xyz FOR LOGIN xyz;
Then grant the SELECT and UPDATE permissions; in my case it is just SELECT on a particular table:
GRANT SELECT ON dbo.TABLE_NAME TO xyz;   -- the object is qualified by its schema (here dbo), not by the database name
The sources I have referred to for this are
http://technet.microsoft.com/en-us/library/aa337545.aspx (refer to the bottom code part titled 'create a database user')
http://social.msdn.microsoft.com/Forums/sqlserver/en-US/959f9307-0494-4883-9d17-fad684705864/grant-select-permission-on-a-table?forum=sqldatabaseengine
Granting access through a user name is specific to that user only.
But granting access through a role applies to all the users who belong to that role.
A role is used for assigning permissions to a group of users.

Grant user DDL permissions on specific schema

Using SQL Server (2008), is it possible to grant a specific user full control of the objects under a specific schema? This includes create/drop/alter table. It's important that this user isn't given the db_ddladmin role because that would give him access to other tables.
You can create a role in the database, assign all appropriate permissions (SELECT, UPDATE, DELETE, EXECUTE, etc.) to the role, and then assign the user to that role.
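The role approach from the answer above, scoped to one schema so that the member gets DDL rights there without db_ddladmin. This is an added example, not code from the original post; the database [AppDb], the schema [reporting] and the database user [analyst] are assumed names.

```sql
-- Added example (not from the original post). Assumed: database [AppDb],
-- an existing schema [reporting], and an existing database user [analyst].
USE AppDb;
GO
CREATE ROLE [reporting_ddl];

-- CREATE TABLE / VIEW / PROCEDURE are database-level permissions. On their own they
-- let the role create nothing: creating an object also requires ALTER on its schema,
-- which is what keeps the DDL confined to [reporting].
GRANT CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO [reporting_ddl];

-- ALTER on the schema covers create/alter/drop of objects inside it; the DML grants
-- at schema scope apply to every current and future object in the schema.
GRANT ALTER, SELECT, INSERT, UPDATE, DELETE, EXECUTE
    ON SCHEMA::[reporting] TO [reporting_ddl];

-- Deliberately not granted: db_ddladmin (database-wide DDL), ALTER ANY SCHEMA,
-- and anything on the [dbo] schema.
ALTER ROLE [reporting_ddl] ADD MEMBER [analyst];
GO

-- Check as the member (requires IMPERSONATE on [analyst], which db_owner has):
-- a probe table in [reporting] can be created and dropped, and the ALTER permission
-- is reported only for [reporting], not for [dbo].
EXECUTE AS USER = 'analyst';
CREATE TABLE reporting.t_probe (id int);
DROP TABLE reporting.t_probe;
SELECT HAS_PERMS_BY_NAME('dbo',       'SCHEMA', 'ALTER') AS alter_on_dbo,
       HAS_PERMS_BY_NAME('reporting', 'SCHEMA', 'ALTER') AS alter_on_reporting;
REVERT;
```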

Select permission denied for user who is db_owner in SQL Server

Using SQL Server 2008.
I created a new database, created a new user and mapped the user to the same login name.
I gave the user all the roles available, including db_owner.
The user created a new table, but when the user tried to select from the table, an error "The SELECT permission was denied on the object ...." showed up.
Why doesn't the user have select permission if the user is a member of the db_owner and db_datareader roles?
I recall this used to work before.
Most likely the user isn't actually the DBO. Check that the table name is [dbo].[tablename] and that the user actually is the dbo.
Actually, more information about the error would be nice, because you usually have select access to tables you have created.
Are there any deny permissions set?
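The per-user DENY from the Henry123 answer above and the "any deny permissions set?" check from this answer, as one added script (not code from the original posts). It assumes a database [AppDb], a Windows group login [CORP\h1234] holding db_datareader, and that [CORP\Henry123] already exists as a database user.

```sql
-- Added example (not from the original posts). Assumed: database [AppDb]; the group
-- [CORP\h1234] is a database user in db_datareader; [CORP\Henry123] exists as a
-- database user (a member of that group).
USE AppDb;
GO
-- Per-user exception: the group keeps db_datareader, only this member is blocked.
-- A DENY is evaluated before any GRANT the user inherits through groups or roles.
DENY SELECT TO [CORP\Henry123];
GO

-- Audit: every DENY in the database, with the principal it binds to and the securable
-- it covers. Run this first when a "permission was denied" error appears for a user
-- who should have access through a group or role.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class
            WHEN 0 THEN DB_NAME()                                        -- whole database
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
            ELSE pe.class_desc
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state = 'D'                      -- D = DENY (G = GRANT)
ORDER BY pr.name, pe.permission_name;
GO

-- Undo the exception when it is no longer needed. REVOKE removes the DENY row;
-- it grants nothing, so access again comes only from the group's role.
REVOKE SELECT FROM [CORP\Henry123];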

Sql Server User vs Role

In SQL Server 2005, what is the difference between a database user account that is mapped to an Active Directory group vs. a database role that contains the same Active Directory group as a member?
In SQL Server, server logins are mapped to AD users / groups at the server level.
Logins are then mapped to DB users.
Adding DB users to roles allows you to set permissions against all the users in the role with a single statement.
For example, if you added all the users that work in customer services to a new role called CustServ, you could write one grant execute script that grants the role (and hence all its members) execute permission.
A role is a privilege group, whereas a User is a person or Active Directory group. For example, an AD group "IT_Developers" may have Writer access to a database, but the AD group "Domain Administrators" aren't necessarily admins on the database. There are also different kinds of admins, which Active Directory doesn't know about.